[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 738
  • Last Modified:

Using a security group to deny access to default domain policy

I have automatic updates configured in our default domain policy and i'd like to exclude our production servers from it.  I set up a security group and added all the computer accounts for the servers I want excluded.  Then I added that security group to the group policy and checked deny apply policy.  When I doa gpupdate and gpresult it still shows that it's applying the default domain policy.  on the other hand, if I add just a single machine account to the ACL of the default domain policy and check the deny apply group policy it works as expected.  when I run gpresult it shows that it's been blocked by the ACL.  

Why won't this work with a security group containing the machine accounts?
0
shanna1017
Asked:
shanna1017
1 Solution
 
jss1199Commented:
Hi shanna1017,

Group policies are applied to OUs and only affect Computer or User objects within the OU (or a child OU) - They are not applied to Security or Distro Groups.

You should create a seperate OU for your production servers to be placed in and then block inheritance of the default GPO to that OU.

Cheers!
0
 
shanna1017Author Commented:
I'm not trying to apply a group policy to a security group, I'm trying to filter based on a security group.  I thought that was allowed.  

I will give your suggestion a try.
0
 
Jay_Jay70Commented:
Hi shanna1017,

you can use security filtering based on security groups as long as the groups is under the same OU

http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx?mfr=true

Cheers!
0

Featured Post

Keep up with what's happening at Experts Exchange!

Sign up to receive Decoded, a new monthly digest with product updates, feature release info, continuing education opportunities, and more.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now