challBOE
asked on
Best practice GPO for Domain Controllers OU
GPO - Should the Domain Controllers OU be set to block inheritance of other GPOs?
My Exchange 2010 servers suddenly lost connectivity to the Domain Controllers and when checking things out, I found the Domain Controller policy somehow dropped the "Domain\Exchange Servers" from an Audit/Manage permission. Tracking that down, I looked at GPOs and discovered that my Domain Controllers were inheriting all sorts of policies.
So, is it best practice for the OU for the Domain Controllers to block GPO inheritance (and use only the "Default Domain Controller policy")?
Is it best practice to set the "Default Domain policy" to enforced?
Thanks.
Environment: 2012 R2 DCs, Exchange 2010 (and legacy 2003), Functional level at 2008
ASKER CERTIFIED SOLUTION
ASKER
Thanks, I will block inheritance.
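
For anyone checking the same situation, here is a read-only audit of which GPOs actually reach the Domain Controllers OU. It is an added example, not part of the original thread or its accepted solution. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, and that the "Audit/Manage" right in the question is "Manage auditing and security log" (SeSecurityPrivilege).

```powershell
# Read-only audit of GPO inheritance on the Domain Controllers OU.
Import-Module GroupPolicy, ActiveDirectory

$dcOu = (Get-ADDomain).DomainControllersContainer   # DN of the Domain Controllers OU
$inh  = Get-GPInheritance -Target $dcOu

"Block inheritance on ${dcOu}: $($inh.GpoInheritanceBlocked)"

# GpoLinks          = GPOs linked directly to the OU
# InheritedGpoLinks = effective list after inheritance, blocking and enforcement
$direct = @($inh.GpoLinks | ForEach-Object { $_.GpoId })

$report = foreach ($link in $inh.InheritedGpoLinks) {
    [pscustomobject]@{
        Order    = $link.Order          # 1 = highest precedence (wins conflicts)
        Gpo      = $link.DisplayName
        Enabled  = $link.Enabled
        Enforced = $link.Enforced       # enforced links still apply when inheritance is blocked
        Source   = if ($direct -contains $link.GpoId) { 'Linked to DC OU' }
                   else { "Inherited from $($link.Target)" }
    }
}
$report | Sort-Object Order | Format-Table -AutoSize

# User rights lists are not merged across GPOs: the highest-precedence GPO that
# defines the right replaces the whole list, which is how a group can be dropped.
# Assumption: the right in question is SeSecurityPrivilege.
$right = 'SeSecurityPrivilege'
foreach ($link in ($inh.InheritedGpoLinks | Sort-Object Order)) {
    $xml = Get-GPOReport -Guid $link.GpoId -ReportType Xml
    if ($xml -match $right) {
        "Order $($link.Order): '$($link.DisplayName)' defines $right"
    }
}
```

If more than one GPO is reported as defining the right, the one with the lowest Order value is the list the Domain Controllers end up with.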