[gptalk] Re: [gptalk]:Unlinking the Default Domain Policy

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Wed, 21 May 2008 14:11:15 -0700


There are certain circumstances where the Default Domain Policy is relied
upon for account policy, even if its unlinked. This might sound strange and
its only a fringe case, but I would say, best practice would not be to
unlink it. Rather, if you really don't want it to get "corrupted" then
permission it so that only a select group can edit it, make sure it is
backed up prior to any changes being made and then use another GP link, with
a higher link precedence at the domain level, to make your day-to-day
domain-based configuration changes.





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nate Bahta
Sent: Wednesday, May 21, 2008 11:46 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] [gptalk]:Unlinking the Default Domain Policy


Does anyone have any documentation or references to the Best Practice of
unlinking the Default Domain Policy and using a copy of it to avoid
corruption of the Default Domain Policy?  At my old shop we had it set up
like that and I understand why, but at my new shop they do not have it set
up like that and I would like to institute it, but I dont have any real
documentation of it being a Best Practice.  I also have found some stuff in
google groups that stated that it should not be unlinked at all.  Anybody
have any concreted evidence or any hard facts about this practice/procedure?

Other related posts: