Avoid Overuse of Protected Groups
protected groups, user rights, PDC Emulator
Protected groups are special built-in groups that are used to assign administrative rights to users. These groups include:
Enterprise Admins
Schema Admins
Domain Admins
Account Operators
Sever Operators
Backup Operators
Print Operators
and a few others. If you want to assign someone certain privileges on your server, you can make them a member of the appropriate protected group. For example, to give someone the right to back up files on your server you simply make them a member of Backup Operators.
This sound like a great idea but too much of a good thing can be bad (as I know from experience the time I ate a whole pecan pie for desert–I was sick afterwards). The problem is that Active Directory keeps an eye on these groups to make sure that no-one changes the rights they have or the permissions they have on resources. AD does this by creating a special thread called AdminSdHolder/DsPropagator and running this thread once each hour.
So what can go wrong with that? Well, if you have a lot of user accounts that are members of different protected groups, then once each hour you may see the CPU utilization on your PDC Emulator domain controller go to 100% for a period of time as this thread does it’s housekeeping work. If you see this happening, you need to either (a) move your PDC Emulator role to a beefier machine, or (b) reduce the number of members of your protected groups.
In fact, apart from Enterprise/Schema/Domain Admins, you may not want to use the other protected groups at all and instead create your own security groups and assign the necessary rights to these groups by configuring the appropraite Security Settings/Local Policies/User Rights Assignment setting in Group Policy. These groups you create yourself for backup, restore, printer, accounts and other second-tier administration purposes will not have any effect on the CPU utilization of your PDC Emulator.
Article written by MyComputerAid.com
2003 server - Sep 30, 2008 22:34 - 0 Comments
instant messaging srv records
More In Computers & PC
- Howto secure wordpress
- Simple wordpress upgrade from SSH howto
- permanently delete your facebook account
- Creating a Sound File
- Talking to the Mouse
Microsoft Outlook - Mar 22, 2009 11:22 - 0 Comments
Outlook: Duplicates in Mailbox
More In Computers & PC
- Howto secure wordpress
- Simple wordpress upgrade from SSH howto
- permanently delete your facebook account
- Creating a Sound File
- Talking to the Mouse
Microsoft Desktop, Web browsers and Internet, Windows 2000, Windows 7, Windows 98, Windows Firewall and networking, Windows Vista, Windows XP - Feb 8, 2010 18:09 - 0 Comments
Disable Proxy settings in IE
More In Computers & PC
- Howto secure wordpress
- Simple wordpress upgrade from SSH howto
- permanently delete your facebook account
- Creating a Sound File
- Talking to the Mouse
Leave a Reply
You must be logged in to post a comment.