Solved

Security groups for GPOs

Posted on 2004-09-11
1
380 Views
Last Modified: 2012-05-05
When we create organizational units and I want to apply GPOs to objects contained in them (for example users or computers), I have realized that if we do not want to apply the policy to special users (Help desk users, admistrators, etc) when they log in that computers (to complete maintenance tasks) it is necessary to use GPO filtering to avoid it.  that force to create a group with same objects that are contained in that OU to  APPLY and READ checkboxes only for that group. We remove authenticated users of the list. In that way when an IT user log in he has not problem with the computer. I don´t understand very well this. We have to create the same groups with the users or computer which are incluided in the container? . Is that correct ?. Is it a good idea and practice to deny APPLY and READ GPOs for these special groups of administrators ?




0
Comment
Question by:intentalo69
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 85

Accepted Solution

by:
oBdA earned 250 total points
ID: 12035146
In my opinion, your approach is correct; I don't like the "Deny" approach, neither for NTFS nor for GPOs. What I usually do is to gather the GPOs in a top-level OU, then create a dedicated security group for each GPO, named something like GPol-<GPOName>; the Read and Apply permissions are removed from the Authenticated Users, and applied to the group instead. That way, you can easily find your GPOs, instead of having to search for them in several different OUs, and you have easy control about who gets which policies applied. If you combine that with the GPO priority, you can avoid duplicate settings in different GPOs, depending on your needs.
In addition, I separate the computer and user settings in different GPOs; you can then disable the User configuration part of the GPO in machine GPOs, and vice versa.
Whether that approach works for you depends of course on your organisation, and if you want to delegate control over OUs to other users, and the air humidity.
Another good idea is the use of the Group Policy Management Console; that makes the administration a bit easier.
Enterprise Management with the Group Policy Management Console
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

by Batuhan Cetin Within the dynamic life of an IT administrator, we hold many information in our minds like user names, passwords, IDs, phone numbers, incomes, service tags, bills and the order from our wives to buy milk when coming back to home.…
Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question