[Enter Post Title Here]

What is Active Directory?

The Active Directory is the central repository in which all objects in an enterprise and their respective attributes are stored. Active Directory provides a variety of network services, including Lightweight Directory Access Protocol. LDAP is the industry standard directory access protocol, making Active Directory widely accessible to management and query applications. Active Directory provides:

LDAPv3 and LDAPv2 compatible directory service Kerberos-based authentication DNS-based naming and other network information Central location for network administration and delegation of authority Information security and single sign-on for user access to networked based resources Central storage location for application data

What is LDAP?
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network. LDAP is a "lightweight" (smaller amount of code) version of Directory Access Protocol (DAP), which is part of X.500, a standard for directory services in a network. LDAP is lighter because in its initial version it did not include security features.

Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Active Directory is a LDAP compatible directory service and supported by various third party applications like Novell DirXML, and Atlassian Crowd. Microsoft Identity Integration Server (MIIS) is one of the options you can use to act as an intermediary between two directories (including directories used by SAP, Domino, etc).

MIIS manages information by retrieving identity information from the connected data sources and storing the information in the connector space as connector space objects or CSEntry objects. The CSEntry objects are then mapped to entries in the metaverse called metaverse objects or MVEntry objects. This architecture allows data from dissimilar connected data sources to be mapped to the same MVEntry object. All back-end data is stored in Microsoft SQL Server. Versions

Zoomit Via (pre 1999) Microsoft Metadirectory Server [MMS] (19992003) Microsoft Identity Integration Server 2003 Enterprise Edition [MIIS] (2003-2009) Microsoft Identity Integration Server 2003 Feature Pack [IIFP] (2003-2009) Microsoft Identity Lifecycle Manager Server 2007 ILM (2007-2010) Microsoft Forefront Identity Manager 2010 FIM [CR0] (Current)

Supported Data Sources MIIS 2003, Enterprise Edition, includes support for a wide variety of identity repositories including the following.
o

o o o o

Network operating systems and directory services: Microsoft Windows NT, Active Directory, Active Directory Application Mode, IBM Directory Server, Novell eDirectory, Resource Access Control Facility (RACF), SunONE/iPlanet Directory, X.500 systems and other network directory products E-mail: Lotus Notes and IBM Lotus Domino, Microsoft Exchange 5.5, 2000, 2003, 2007 Application: PeopleSoft, SAP AG products, ERP1, telephone switches PBX, XML- and Directory Service Markup Language DSML-based systems Database: Microsoft SQL Server, Oracle RDBMS, IBM Informix, dBase, IBM DB2 File-based: DSMLv2, LDIF, Comma-separated values CSV, delimited, fixed width, attribute value pairs

Where is the AD database held? What other folders are related to AD?
Tweet The Active Directory Database is Stored in %SYSTEM ROOT%\NDTS folder. Main database file for active directory is ntds.dit. Along with this file there are other files also present in this folder. These files are created when you run dcpromo. These are the main files controlling the AD structure

o o o o o

ntds.dit: This is the main database file for active directory. edb.log: Transaction performed to ad stored in this file. res1.log: Used as reserve space in the case when drive had low space. res2.log: Same as res1.log. edb.chk: This file records the transactions committed to ad database.

When a change is made to the Win2K database, triggering a write operation, Win2K records the transaction in the log file (edb.log). Once written to the log file, the change is then written to the AD database. System performance determines how fast the system writes the data to the AD database from the log file. Any time the system is shut down; all transactions are saved to the database. During the installation of AD, Windows creates two files: res1.log and res2.log. The initial size of each is 10MB. These files are used to ensure that changes can be written to disk should the system run out of free disk space. The checkpoint file (edb.chk) records transactions committed to the AD database (ntds.dit). During shutdown, a "shutdown" statement is written to the edb.chk file. Then, during a reboot, AD determines that all transactions in the edb.log file have been committed to the AD database. If, for some reason, the edb.chk file doesn't exist on reboot or the shutdown statement isn't present, AD will use the edb.log file to update the AD database. The last file in our list of files to know is the AD database itself, ntds.dit. By default, the file is located in\NTDS, along with the other files we've discussed

What is the SYSVOL folder?

Tweet System Volume (SYSVOL) is a shared directory that stores the server copy of the domain public files (Policies and scripts) that must be shared for common access and replication throughout a domain. It must be located in NTFS volume (because junctions are used within the SYSVOL folder structure)

Name the AD NCs and replication issues for each NC

Tweet There are three predefined Naming Contexts (NC) 1. Domain Naming Context - One per domain. The domain naming context stores users, computers, groups, and other objects for that domain. All domain controllers that are joined to the domain share a full writeable copy of the domain directory partition. Additionally, all domain controllers in the forest that host the global catalog also host a partial read-only copy of every other domain naming context in the forest. 2. Configuration Naming Context - One per forest. It stores forest-wide configuration data that is required for the proper functioning of Active Directory as a directory service. Information that Active Directory uses to construct the directory tree hierarchy is also stored in the configuration directory partition, as is network-wide, service-specific

information that applications use to connect to instances of services in the forest. Every domain controller has one fully writeable copy of the configuration directory partition. 3. Schema Naming Context - One per forest. The schema naming context contains the definitions of all objects that can be instantiated in Active Directory. It also stores the definitions of all attributes that can be a part of objects in Active Directory. Every domain controller has one fully writeable copy of the schema directory partition, although schema updates are allowed only on the domain controller that is the schema operations master. You can also define your own naming context in Windows 2003 and later -called Application Partitions. Replication issues are not specific to a naming context.

What are application partitions? When do I use them

Tweet An application directory partition is a directory partition that is replicated only to specific domain controllers. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Application directory partitions are usually created by the applications that will use them to store and replicate data. TAPI is an example it. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the Ntdsutil command-line tool. Application directory partitions can contain any type of object, except security principals. The data in it can be replicated to different domain controllers in a forest (for redundancy, availability, or fault tolerance).

How do you create a new application partition?

Tweet You can create an application directory partition by using the create nc option in the domain management (partition management in windows 2008) menu of Ntdsutil. When creating an application directory partition using LDP or ADSI, provide a description in the description attribute of the domain DNS object that indicates the specific application that will use the partition. For example, if the application directory partition will be used to store data for a Microsoft accounting program, the description could be Microsoft accounting application. Ntdsutil does not facilitate the creation of a description. To create or delete an application directory partition The sample commands below were written for Windows Server 2008. If you're using Windows 2003, you dont need to include the ACTIVE INSTANCE NTDS

command, and you would use DOMAIN MANAGEMENT instead of PARTITION MANAGEMENT. ntdsutil: activate instance ntds Active instance set to "ntds". ntdsutil: partition management partition management: connections Connected to \\server1.contoso.com using credentials of locally logged on user. server connections: connect to server server1.contoso.com Disconnecting from \\ server1.contoso.com... Binding to server1.contoso.com ... Connected to server1.contoso.com using credentials of locally logged on user. server connections: quit partition management: list Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded Found 5 Naming Context(s) 0 - CN=Configuration,DC= contoso,DC=com 1 - CN=Schema,CN=Configuration,DC= contoso,DC=com 2 - DC=contoso,DC=com 3 - DC=DomainDnsZones,DC=contoso,DC=com 4 - DC=ForestDnsZones,DC=contoso,DC=com partition management: create nc dc=app1,dc=contoso,dc=com server1.contoso.com adding object dc=app1,dc=contoso,dc=com partition management: list Note: Directory partition names with International/Unicode characters will only display correctly if appropriate fonts and language support are loaded Found 5 Naming Context(s) 0 - CN=Configuration,DC= contoso,DC=com 1 - CN=Schema,CN=Configuration,DC= contoso,DC=com 2 - DC=contoso,DC=com 3 - DC=DomainDnsZones,DC=contoso,DC=com 4 - DC=ForestDnsZones,DC=contoso,DC=com 5 - DC=app1,DC=contoso,DC=com Create an application directory partition by using the DnsCmd command Use the following syntax: DnsCmd ServerName /CreateDirectoryPartition FQDN of partition To create an application directory partition that is named CustomDNSPartition on a domain controller that is named DC-1, follow these steps: 1. Click Start, click Run, type cmd, and then click OK. 2. Type the following command, and then press ENTER: dnscmd DC-1 /createdirectorypartition CustomDNSPartition.contoso.com

When the application directory partition has been successfully created, the following information appears: DNS Server DC-1 created directory partition: CustomDNSPartition.contoso.com Command completed successfully. Configure an additional domain controller DNS server to host the application directory partition Configure an additional domain controller that is acting as a DNS server to host the new application directory partition that you created. To do this, use the following syntax with the DnsCmd command: DnsCmd ServerName /EnlistDirectoryPartition FQDN of partition To configure the example domain controller that is named DC-2 to host this custom application directory partition, follow these steps: 1. Click Start, click Run, type cmd, and then click OK. 2. Type the following command, and then press ENTER: dnscmd DC-2 /enlistdirectorypartition CustomDNSPartition.contoso.com DNS Server DC-2 enlisted directory partition: CustomDNSPartition.contoso.com Command completed successfully.

How do you view replication properties for AD partitions and DCs?

Tweet Install Replication Monitor from Support tools, run from command line with "replmon" command, and add DC and it will show you all partitions that DC holds and all replication partners for each partition.

What is the Global Catalog?

Tweet The global catalog is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers.

How do you view all the GCs in the forest?

Tweet DSQUERY server can be used to locate global catalogs

To search the entire forest dsquery server -forest -isgc To locate global catalogs in your current (logon) domain dsquery server isgc. To locate global catalogs in a specific domain dsquery server -domain tech.cpandl.com -isgc Here, you search for global catalog servers in the tech.cpandl.com domain. You can also search for global catalog servers by site, but to do this, you must know the full site name, and cannot use wildcards. For example, if you wanted to find all the global catalog servers for Default-First-Site-Name, you would have to type dsquery server site Default-First-Site-Name. The resulting output is a list of DNs for global catalogs, such as "CN=CORPSVR02,CN=Servers,CN=Default-First-SiteName,CN=Sites,CN=Configuration,DC=cpandl,DC=com"

Why not make all DCs in a large forest as GCs?

Tweet Unless you have some really bad connections that may not be able to handle the extra traffic, you should make every DC a GC. In ANY single domain forest, it is recommended and beneficial to make all DCs GCs since it has no replication impact and serves to better distribute query load.

Trying to look at the Schema, how can I do that?

Tweet Active Directory Schema Tools and Settings When existing class and attribute definitions in the Active Directory schema do not meet the needs of your organization, you can use schema-based administrative tools to modify or add schema objects. You can modify an existing attribute or add a new class or attribute to the schema to store a new type of information in the directory. The process of modifying or updating the schema is often referred to as extending the schema. In addition to using schema tools to extend the schema, you can perform most schema extensions by using customized applications or Active Directory Service Interfaces (ADSI) scripts. The following tools are associated with the Active Directory schema. Adsiedit.exe: ADSI Edit ADSI Edit is included when you install Support Tools for Windows Server 2003 and later.

ADSI Edit is a Microsoft Management Console (MMC) snap-in that uses ADSI, which uses the Lightweight Directory Access Protocol (LDAP). You can use ADSI Edit to view and modify directory objects in the Active Directory database. You can also use it to view schema directory partition objects and properties. When you open ADSI Edit, the Schema container is displayed by default. You can expand the container to view schema classes and attributes. Csvde.exe: Csvde Csvde is a command-line tool that ships with Windows Server 2003. You can use Csvde.exe to export directory information to an Excel spreadsheet or to import data from a spreadsheet into Active Directory. You can use this format only for additions to the directory. Csvde.exe cannot be used to modify or delete objects. Ldifde.exe: Ldifde Ldifde is a command-line tool that ships with Windows Server 2003. Active Directory supports the use of files that are formatted with the LDAP Data Interchange Format (LDIF) for importing and exporting information in the directory. This includes information that is stored in the schema, such as schema modifications. After an LDIF file is created, a tool such as Ldifde.exe performs the import operation by using the LDIF file for input. You can also use Ldifde.exe to add, modify, and delete directory objects; export Active Directory user and group information to other applications or services; and populate Active Directory with data from other directory services. Schmmgmt.msc: The Active Directory Schema snap-in The Active Directory Schema snap-in is an MMC snap-in in Administrative Tools that is installed automatically on all domain controllers running Windows Server 2003. However, you must register it manually before you use it for the first time. To register the Active Directory Schema snap-in, run Regsvr32 Schmmgmt.dll from the command prompt or from the Run command on the Start menu. Open MMC and add Active directory schema snap in. ADSI and Visual Basic Scripts Active Directory provides a set of interfaces that you can use programmatically to gain access to directory objects, including schema objects. ADSI conforms to the Component Object Model (COM), and it supports standard COM features. ADSI defines a directory service model and a set of COM interfaces that you can easily use with a variety of programming languages. With Microsoft Visual Basic, Scripting Edition and ADSI, you can write scripts to modify the directory in various ways, including extending the schema.

What are the Support Tools? Why do I need them?

Tweet The Windows 2003 support tools are a collection of resources with the aim of assisting administrators to simplify management tasks. These include:

troubleshooting operating systems, configuring networking and security features, managing Active Directory, and automating application deployment. With the use of these tools, the user is able to pin-point problematic issues with the system and will therefore be able to find a solution more easily. The Windows 2003 Support Tools consist of a number of command-line utilities, visual basic scripts, GUI based applications, and documents - all of which you must install from a separate application. The Support Tools are not automatically installed when you install Windows 2003; their installation isnt an option in the Windows 2003 setup. The installation program is located on the CD-ROM in the \support\tools folder and the setup file (suptools.msi) must be opened manually to initiate the installation wizard. You can also download support tool from http://www.microsoft.com/downloads/en/details.aspx?familyid=96A35011-FD83419D-939B-9A772EA2DF90&displaylang=en

What is REPLMON?
Tweet REPLMON is a GUI tool that enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication. You can use ReplMon to do the following:

See when a replication partner fails. View the history of successful and failed replication changes for troubleshooting purposes. View the properties of directory replication partners. Create your own applications or scripts written in Microsoft Visual Basic Scripting Edition (VBScript) to extract specific data from Active Directory. View a snapshot of the performance counters on the computer, and the registry configuration of the server. Generate status reports that include direct and transitive replication partners, and detail a record of changes. Find all direct and transitive replication partners on the network. Display replication topology. Poll replication partners and generate individual histories of successful and failed replication events. Force replication. Trigger the Knowledge Consistency Checker (KCC) to recalculate the replication topology. Display changes that have not yet replicated from a given replication partner. Display a list of the trust relationships maintained by the domain controller being monitored. Display the metadata of an Active Directory object's attributes. Monitor replication status of domain controllers from multiple forests.

What is ADSIEDIT?
Tweet

Active Directory Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory. ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other Active Directory Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.

What is NETDOM?
Tweet NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It is used for batch management of trusts, joining computers to domains, verifying trusts, and secure channels. You can use netdom to:

Join a computer that runs Windows XP Professional or Windows Vista to a Windows Server 2008 or Windows Server 2003 or Windows 2000 or Windows NT 4.0 domain. o Provide an option to specify the organizational unit (OU) for the computer account. o Generate a random computer password for an initial Join operation. Manage computer accounts for domain member workstations and member servers. Management operations include: o Add, Remove, Query. o An option to specify the OU for the computer account. o An option to move an existing computer account for a member workstation from one domain to another while maintaining the security descriptor on the computer account. Establish one-way or two-way trust relationships between domains, including the following kinds of trust relationships: o From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows NT 4.0 domain. o From a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain to a Windows 2000 or Windows Server 2003 or Windows Server 2008 domain in another enterprise. o Between two Windows 2000 or Windows Server 2003 or Windows Server 2008 domains in an enterprise (a shortcut trust). o The Windows Server 2008 or Windows Server 2003 or Windows 2000 Server half of an interoperable Kerberos protocol realm. Verify or reset the secure channel for the following configurations: o Member workstations and servers. o Backup domain controllers (BDCs) in a Windows NT 4.0 domain. o Specific Windows Server 2008 or Windows Server 2003 or Windows 2000 replicas.

Manage trust relationships between domains, including the following operations:

What are sites? What are they used for?

Tweet Sites in Active Directory represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in the directory, to build the most efficient replication topology. You use Active Directory Sites and Services to define sites and site links. A site is a set of wellconnected subnets. Sites differ from domains; sites represent the physical structure of your network, while domains represent the logical structure of your organization. Read More: http://technet.microsoft.com/en-us/library/cc782048%28WS.10%29.aspx
o o

Enumerate trust relationships (direct and indirect). View and change some attributes on a trust.

Syntax
Netdom uses the following general syntaxes: NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>] NetDom help <Operation http://technet.microsoft.com/en-us/library/cc772217.aspx

What is the difference between a site links schedule and interval?

Tweet Schedule enables you to list weekdays or hours when the site link is available for replication to happen in the give interval. Interval is the re occurrence of the inter site replication in given minutes. It ranges from 15 - 10,080 mins. The default interval is 180 mins.

What is the KCC?

Tweet The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between domain controllers. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate new domain controllers, domain controllers moved to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable.

What is the ISTG? Who has that role by default?

Tweet

For inter-site replication, one domain controller per site has the responsibility of evaluating the inter-site replication topology and creating Active Directory Replication Connection objects for appropriate bridgehead servers within its site. The domain controller in each site that owns this role is referred to as the Inter-Site Topology Generator (ISTG). By Default the first Server has this role. If that server can no longer perform this role then the next server with the highest GUID takes over the role of ISTG.

What are the requirements for installing AD on a new server?

Tweet Requirements for Installing AD DS

Preinstalled Windows Server 2008 or Windows Server 2008 R2. Administrative rights on server Domain Name System (DNS) infrastructure is in place. When you install AD DS, you can include DNS server installation, if it is needed. When you create a new domain, a DNS delegation is created automatically during the installation process. A NIC Properly configured TCP/IP (IP address, subnet mask and - optional - default gateway) A network connection (to a hub or to another computer via a crossover cable, loopback will also work) In order to install a read-only domain controller (RODC), there must be a writable domain controller running Windows Server 2008 or Windows Server 2008 R2 in the domain. The drives that store the database, log files, and SYSVOL folder for Active Directory Domain Services (AD DS) must be placed on a local fixed volume. SYSVOL must be placed on a volume that is formatted with the NTFS file system. Windows Server 2008 or Windows Server 2008 R2 media

What can you do to promote a server to DC if youre in a remote location with slow WAN link?
Tweet Best solution in this scenario is to install DC from media, a new feature introduced with windows 2003 server. You have to take the system state backup of current Global Catalog server, burn it on the CD/DVD and send it to the destination (remote location). On the remote server which needs to be promoted to be DC restore files to Alternate Location and Run, type dcpromo /adv. For more information please read: http://www.petri.co.il/install_dc_from_media_in_windows_server_2003.htm

How can you forcibly remove AD from a server, and what do you do later?
Tweet Dcpromo is the Windows 2000 and Windows Server 2003 GUI interface for promoting a server to the role of being a Domain Controller, and if is already a DC, then dcpromo will be the tool to use to demote it back to being a member server. If you run Dcpromo on an existing DC to demote it and it fails that you can Dcpromo with the /forceremoval switch (The big Hammer), which tells the process to ignore errors. With /forceremoval, an administrator can forcibly remove Active Directory and roll back the system without having to contact or replicate any locally held changes to another DC in the forest. After you use the dcpromo /forceremoval command, all the remaining metadata for the demoted DC is not deleted on the surviving domain controllers, and therefore you must manually remove it by using the NTDSUTIL command. For more information please read: http://www.petri.co.il/forcibly_removing_active_directoy_from_dc.htm http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Can I get user passwords from the AD database?

Tweet By default user account passwords are stored as password hash (Hash is based on one-way encryption, which means you cant reverse it to get plaintext). These hashes are stored in Active Directory (C:\Windows\NTDS\ntds.dit file on DCs). If you need to get user password than you have to change the way it is stored in AD. You have store passwords ciphered with reversible encryption algorithm. To enable this option globally: 1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers. 2. In the Active Directory Users and Computers window, right click on your domain and select Properties. 3. In the Group Policy tab, select "Default Domain Policy" and click Edit. 4. In the Group Policy window, navigate to Password Policy in the left-panel Tree view: Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy. 5. Right click on "Store password using reversible encryption for all users in the domain" and select Security. 6. In the Security Policy Setting window, select the "Define this policy setting" checkbox and the Enabled radio button. Click OK. 7. Close all applications and restart the computer, and log into your domain.

To enable this option for a specific user: 1. Select Start > Programs > Administrative Tools > Active Directory Users and Computers. 2. In the Active Directory Users and Computers window, right-click on the user and select Properties. 3. In the Account tab, check "Store password using reversible encryption." Click OK. 4. Close all applications and restart the computer, and log into your domain. When this is enabled (per user or for the entire domain), Windows stores the password encrypted, but in such a way that it can reverse the encryption and recover the plaintext password. This feature exists because some authentication protocols require the plaintext password to function correctly; the two most common examples are HTTP Digest Authentication and CHAP. Niels Teusink have done great research on it http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html http://blog.teusink.net/2009/08/passwords-stored-using-reversible_26.html He also developed a nice tool called RevDump to decipher this encrypted password.

What tool would I use to try to grab security related packets from the wire?
Tweet Network tap is best solution for grabbing data packet in a network. It is a hardware device which provides a way to access the data flowing across a computer network. Computer networks, including the Internet, are collections of devices, such as computers, routers, and switches that are connected to each other. Network taps are commonly used for security applications because they are nonobtrusive, are not detectable on the network, can deal with full-duplex and nonshared networks, and will usually pass-through traffic even if the tap stops working or loses power.

Name some OU design considerations.

Tweet The Group Policy architecture is flexible and allows for many types of design. The guiding principle as you design your organizational unit structure should be to create a structure that is easy to manage and troubleshoot. Delegation of authority, separation of administrative duties, central versus distributed administration, and design flexibility are important factors you'll need to consider when designing Group Policy and selecting which scenarios to use for your organization.

How you design your organizational unit structure and GPOs will depend on the administrative requirements and roles in your corporation. For example, if administrators are organized according to their duties (such as security administrators, logon administrators, and so on), you may find it useful to define these policy settings in separate Group Policy objects. Delegation of authority will depend largely on whether you use centralized or distributed administration in your corporation. Based on their particular corporate requirements, network administrators can use security groups and Discretionary Access Control List permissions to determine which administrator groups can modify policy settings in GPOs. In general, do not try to model your organizational unit structure based on your business organization. Rather, design your organizational unit structure based on how you administer your business. General guidelines for using GPOs and policy features:

Separate Users and Computers into Different organizational units Minimize the Number of Group Policy Objects Associated with Users or Computers Minimize the Use of the Block Policy Inheritance Feature Minimize the Use of the Enforce Feature Use Loopback Processing Only When Necessary Avoid Using Cross-Domain GPO Assignments Avoid Editing the Default Domain GPO