Friday 5 October 2007

SBS - Group Policy and "Tattoos"

When we need to set up Organizational Units (OUs) and Group Policy Objects (GPOs) for a client's particular Active Directory security needs, we need to be aware that security settings applied via Group Policy can be permanent: a setting written to a part of the registry that Group Policy does not clean up stays on the machine after the GPO no longer applies to it.

We call this a "Group Policy Tattoo".

The tattoo is one of the main reasons why it is important to test Group Policy setups either in a virtual machine with Undo Disks enabled, or at least via a Test OU on the production box with a disposable PC or laptop.

Why does the physical PC or laptop need to be disposable?

Because, if we make a Group Policy setting mistake or things do not work out as we expected, simply unlinking the GPO or moving the machine out of the Test OU will not remove a tattooed setting, so we reinstall the machine and start again.

Given the time needed to reinstall a physical machine every time something doesn't work out the way we expected, there is a pretty clear justification for a TechNet Plus subscription, with the TechNet evaluation versions of SBS, XP, and Vista installed as virtual machines on a dedicated Virtual Server box. With the Undo Disks feature enabled we can roll back to the system state before the GP changes with minimal wait time.

Here is a link to Darren's excellent article explaining some of the finer details of Group Policy "Tattooing".

It always pays to keep in mind, when we are considering putting restrictive GPOs in place, that their effects may be permanent.

This is especially important for the client to understand: systems that picked up restrictive settings while sitting in an OU may need to be reinstalled to defaults (or have each tattooed setting reversed by hand) if they are to be moved to another OU or location at a later date, because taking them out of the GPO's scope does not undo the tattoo.
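As an added example (not code from the original post), here is a Python script that reads the Machine\registry.pol or User\registry.pol a GPO stores under SYSVOL (\\dc\SYSVOL\domain\Policies\{GUID}\Machine\registry.pol for the HKLM side) and flags every registry write that lands outside the policy roots (Software\Policies and Software\Microsoft\Windows\CurrentVersion\Policies under HKLM or HKCU). Only writes under those roots are cleaned up when the GPO stops applying; everything else is the tattoo this post warns about. The sample entries built into the script are constructed, and the Contoso key and value names are made up for illustration.

```python
"""Flag Group Policy registry writes that will tattoo a client.

Added example, not code from the original post. Parses a registry.pol
(Machine\\registry.pol -> HKLM, User\\registry.pol -> HKCU) and reports each
write as a true policy (cleaned up when the GPO stops applying) or a tattoo.
The sample entries at the bottom are constructed; the Contoso key is made up.
"""
import struct
import sys
from dataclasses import dataclass

# Only keys under these roots are removed by the client when the GPO no longer
# applies; writes anywhere else stay on the machine (the tattoo).
POLICY_ROOTS = (
    "software\\policies\\",
    "software\\microsoft\\windows\\currentversion\\policies\\",
)
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ = 1, 2, 3, 4, 7

@dataclass
class PolEntry:
    key: str      # relative to HKLM or HKCU, depending on which registry.pol
    name: str
    rtype: int
    raw: bytes

    def value(self):
        """Decode the raw bytes according to the registry value type."""
        if self.rtype == REG_DWORD and len(self.raw) == 4:
            return struct.unpack("<I", self.raw)[0]
        if self.rtype in (REG_SZ, REG_EXPAND_SZ):
            return self.raw.decode("utf-16-le").rstrip("\x00")
        if self.rtype == REG_MULTI_SZ:
            return [s for s in self.raw.decode("utf-16-le").split("\x00") if s]
        return self.raw.hex()

    def tattoos(self) -> bool:
        """True if this write lands outside the policy roots and will persist."""
        key = self.key.lower().strip("\\") + "\\"
        return not key.startswith(POLICY_ROOTS)

def _wchar(ch: str) -> bytes:
    return ch.encode("utf-16-le")

def _expect(buf: bytes, pos: int, ch: str) -> int:
    if buf[pos:pos + 2] != _wchar(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _read_wstr(buf: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string, scanning in 2-byte steps so a
    code unit containing a 0x00 byte is not mistaken for the terminator."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_registry_pol(data: bytes):
    """registry.pol layout: 'PReg' + version 1, then records of the form
    [key;value;type;size;data] where the delimiters are UTF-16LE characters."""
    if data[:4] != b"PReg" or struct.unpack_from("<I", data, 4)[0] != 1:
        raise ValueError("not a registry.pol file (bad signature or version)")
    pos, entries = 8, []
    while pos < len(data):
        pos = _expect(data, pos, "[")
        key, pos = _read_wstr(data, pos)
        pos = _expect(data, pos, ";")
        name, pos = _read_wstr(data, pos)
        pos = _expect(data, pos, ";")
        rtype = struct.unpack_from("<I", data, pos)[0]
        pos = _expect(data, pos + 4, ";")
        size = struct.unpack_from("<I", data, pos)[0]
        pos = _expect(data, pos + 4, ";")
        raw, pos = data[pos:pos + size], pos + size
        pos = _expect(data, pos, "]")
        entries.append(PolEntry(key, name, rtype, raw))
    return entries

def build_registry_pol(entries) -> bytes:
    """Serialise entries in the same layout (used here to build the sample)."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for e in entries:
        out += _wchar("[") + _wchar(e.key + "\x00") + _wchar(";")
        out += _wchar(e.name + "\x00") + _wchar(";")
        out += struct.pack("<I", e.rtype) + _wchar(";")
        out += struct.pack("<I", len(e.raw)) + _wchar(";") + e.raw + _wchar("]")
    return bytes(out)

def tattoo_report(data: bytes):
    """Return [(key, name, decoded value, tattoos?)] for every write in the file."""
    return [(e.key, e.name, e.value(), e.tattoos()) for e in parse_registry_pol(data)]

# Constructed sample for a Machine\registry.pol (keys relative to HKLM).
SAMPLE_ENTRIES = [
    # True policies: under the policy roots, removed when the GPO stops applying.
    PolEntry("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
             "NoDriveTypeAutoRun", REG_DWORD, struct.pack("<I", 0xFF)),
    PolEntry("Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU",
             "NoAutoUpdate", REG_DWORD, struct.pack("<I", 0)),
    # Custom ADM-style writes to a made-up Contoso key: these tattoo the machine.
    PolEntry("Software\\Contoso\\Lockdown", "DisableUsbStorage", REG_DWORD,
             struct.pack("<I", 1)),
    PolEntry("Software\\Contoso\\Lockdown", "HelpdeskBanner", REG_SZ,
             "Call ext. 200\x00".encode("utf-16-le")),
]

if __name__ == "__main__":
    # Usage: python tattoo_check.py <path to registry.pol>; no argument runs the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_registry_pol(SAMPLE_ENTRIES)
    for key, name, value, tattoo in tattoo_report(data):
        print(f"{'TATTOO' if tattoo else 'policy'}  {key}\\{name} = {value!r}")
```

Run it against a GPO's registry.pol before linking the GPO to the production OU: every line marked TATTOO is a setting that will have to be reversed by hand or by reinstall if the machine later leaves that OU. Note that this only covers Administrative Template settings; Security Settings (the GptTmpl.inf part of a GPO) are written elsewhere and are a separate source of tattoos that this check does not see.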

Darren also has another excellent post on Restricted Groups policy and their caveats that is worth a read.

It is important to reiterate: if we mess up a client's production setup with an OU/GPO gaffe, we may be on the hook for a huge amount of time to repair the damage.

As always: Test ... test ... test!

Philip Elder
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.


stryqx said...

One way to prevent Policy Tattooing for Preferences is to use something like Desktop Standard's (now a Microsoft subsidiary) PolicyMaker Registry Extension.

This allows for any custom registry setting to be set in a way that prevents tattooing.

The best part is PolicyMaker Registry Extension is free!

Philip Elder Cluster MVP said...

All I can say is, "Wow!"

This definitely warrants further investigation.

Thanks for that.