Solved

Question about GPO management in Windows 2003 server

Posted on 2006-05-09
57
Medium Priority
250 Views
Last Modified: 2013-12-04
I installed the GPO management update a while ago and I need some clarification on what's what in the application/console. When open I have the usual tree-like directory structure on the left-hand side with Group Policy Management at the top, the forest, the domain and the objects beneath it. On the right-hand side, the window is actually split into two windows. At the top is the name of the GPO with 4 tabs beneath it, "Scope, Details, Settings and Delegation". In the top "window" on the right side is displayed the various things that are linked to that GPO. Beneath that is another window with the label, "Security Filtering" and beneath that label it says, "The settings in this GPO can only apply to the following groups, users, and computers". Below this is a listing of various users and an add/remove button and a property button. My question is what exactly is the list at the bottom right that was just described? Is the security filtering list the list of people, places and things that this GPO actually applies to? Or is this the list of people, places and things that have control of the GPO object? I thought it was the list of affected objects that the GPO affects, but when I deleted one of the users, it gave me a weird warning that made it sound like it was the other possibility that I cited above. Sometimes the wording from Microsoft is really difficult for me to understand. Excuse me for being dense.
Question by:dwielgosz
57 Comments
 
LVL 16

Accepted Solution

by:
mdiglio earned 2000 total points
ID: 16643999
Hello,
Yes you are correct this is a list of users who will receive the policies defined in the GPO.
You receive that warning message because you are removing that group/user from the policy and removing their 'Read' and 'apply group policy' permission

"Is the security filtering list the list of people, places and things that this GPO actually applies to?" YES
"Or is this the list of people places things that have control of the GPO object?" NO that is found in the delegation tab
But the delegation tab contains both

If you click the delegation tab ( then click the 'advanced' button) you will see the permissions that are applied to the users...read and/or apply group policy
and you'll see the permissions for modifying the group policy that are applied to admins and system

Anyone who has the 'apply group policy' permission in the delegation tab will be seen in the security filtering part
Removing a group/user ( if they have the 'apply group policy' permission) from either place will remove the user from the other as well
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16644008
...you don't see the admins or the system in the 'Security filtering' section because they do not have the 'Apply Group Policy' permission

Hope I didn't make it more confusing

0
 

Author Comment

by:dwielgosz
ID: 16648491
OK, clear as mud, but I do understand your explanation. Here's a little background to a problem that I'm having with all of this and I think I just realized a wrong approach to a problem that I took using the GPO manager. We have a Domain GPO and a Domain Controller GPO. Both of those have a few controls enabled in order to control Internet usage and such. I wanted to exempt a group of users from those controls so I created a GPO called, "No Group Policy" and did not configure any of it, enforced the policy and did not enable the link. By doing this I thought I was not allowing any link to other GPOs (like Domain GPO) and therefore none of the controls in the Domain GPO would affect any of the users in that group. I accessed this GPO by using the GPManager and clicking on the name of the object under the heading (in the left-hand tree) "Group Policy Objects". Before I did any of this however, I created the actual group in AD U&Cs directly under the domain and then moved the users into that group. I'm thinking that instead of going through the trouble of creating a new GPO for that "No Policy" group, I should have instead just not enabled the link to the Domain policy. Would that have worked?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16649036
When you uncheck 'Link Enable' you are disabling the Group Policy from being applied to that specific OU.

Your 'No Group Policy' strategy will not work even if the link was enabled.
You already defined the policies in your 'Default Domain policy'
Applying another policy with nothing defined does not overwrite a policy that is defined.
 
As a general rule you should not edit the 'default domain policy'
I would try to keep that policy and the 'Default domain Controller policy' set to their original settings

In your case here are the steps you should take:
Create a new group policy called 'InternetUsage'
Define the settings you need
Apply this policy to the highest OU level it needs
On the delegation tab of the 'InternetUsage' policy click the 'Advanced' button
Add the users you want exempt from this policy to the ACL and select the Deny permission for Apply Group Policy for these users/groups

These are very broad steps since I don't know what policies you are defining
0
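The accepted answer's point that the Security Filtering box is simply the set of trustees holding 'Read' plus 'Apply Group Policy' (Delegation shows every ACE), together with the exemption steps just above (Delegation > Advanced > Deny 'Apply Group Policy'), as an added PowerShell example that is not part of this thread. It assumes the GroupPolicy module from RSAT / Windows Server 2008 R2 or later (it did not exist on the Windows 2003 GPMC discussed here); the GPO, group and backup path names are placeholders.

```powershell
# Added example, not from the thread: inspect and adjust GPO security filtering.
# Assumes the GroupPolicy module (RSAT / Windows Server 2008 R2 or later).
Import-Module GroupPolicy

# Mirror of the two GPMC views: Security Filtering lists trustees that are
# allowed 'Apply Group Policy'; Delegation lists every ACE, including the
# Read-only ACE for Enterprise Domain Controllers and the edit rights of admins.
function Get-GpoFilteringSummary {
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All | ForEach-Object {
        [pscustomobject]@{
            Trustee             = $_.Trustee.Name
            Permission          = $_.Permission   # GpoRead, GpoApply, GpoEdit, ...
            Denied              = $_.Denied
            InSecurityFiltering = ($_.Permission -eq 'GpoApply' -and -not $_.Denied)
        }
    }
}

# Step the thread recommends before any change: back the GPO up from the GPMC.
function Backup-GpoFirst {
    param([Parameter(Mandatory)][string]$GpoName,
          [Parameter(Mandatory)][string]$BackupPath)   # e.g. C:\GPOBackups (placeholder)
    if (-not (Test-Path $BackupPath)) {
        New-Item -ItemType Directory -Path $BackupPath | Out-Null
    }
    Backup-GPO -Name $GpoName -Path $BackupPath -Comment 'Before security filtering change'
}

# 'Add' in the Security Filtering box is the same as granting Read + Apply Group Policy.
function Add-GpoSecurityFilteringGroup {
    param([Parameter(Mandatory)][string]$GpoName,
          [Parameter(Mandatory)][string]$GroupName)
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                     -PermissionLevel GpoApply
}

# Exempt a group the way the answer describes (Deny 'Apply Group Policy').
# Set-GPPermission cannot write Deny ACEs, so the ACE is written directly on the
# GPO's AD object (the groupPolicyContainer that Get-GPO exposes as .Path).
# The GUID is the well-known 'Apply Group Policy' extended right.
function Deny-GpoApplyToGroup {
    param([Parameter(Mandatory)][string]$GpoName,
          [Parameter(Mandatory)][string]$GroupName)
    $gpo   = Get-GPO -Name $GpoName
    $entry = [ADSI]"LDAP://$($gpo.Path)"
    $sid   = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
                 [System.Security.Principal.SecurityIdentifier])
    $applyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGroupPolicyRight)
    $entry.ObjectSecurity.AddAccessRule($ace)
    $entry.CommitChanges()
}

# Usage with the names from the thread's plan (group name is a placeholder):
# Backup-GpoFirst -GpoName 'InternetUsage' -BackupPath 'C:\GPOBackups'
# Deny-GpoApplyToGroup -GpoName 'InternetUsage' -GroupName 'InternetExempt'
# Get-GpoFilteringSummary -GpoName 'InternetUsage' | Format-Table -AutoSize
```

The deny helper touches only the AD object, while the GPMC also mirrors GPO permissions onto the SYSVOL folder, so confirm the result in the GPO's Delegation > Advanced view afterwards.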
 

Author Comment

by:dwielgosz
ID: 16649215
Crap! Now I'm panicked about the default domain and DC policies because I had no idea that they shouldn't be messed with. Is there any way I can restore both to original condition?

The policies that were in effect for the domain were adding verbiage to the IE title bar, adding a company logo to the upper right corner of IE, forcing users through a web proxy, prohibiting access to display in the control panel, number of docs to show in recent documents, access to NIC properties, home page in IE, those types of things. Some people need to have direct access to the Internet though and those were in the No GP group. Is there a safe way to start over without reinstalling the OS, which cannot be done?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16649612
Sorry...No you don't have to be panicked about editing them.
And there is definitely no need to start over!
The policies you changed can be easily reverted
Just in the future try not to do it especially to the 'Default Domain Policy'

This part is up to you...
1) You can create separate policies for each specific task. One for Internet Explorer, one for control panel, etc.
2) You can place all of these policies into one policy and link it to the domain root

I like #1 it takes more time up front and there will be more policies to manage but it makes it easier to control, change and do security filtering in the future
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16649702
If you choose the 1st method you will end up with multiple GPOs
I would then apply the policies to the highest OU necessary.
For example if the policy is a user configuration policy then I would apply it to the OU that contains the users; same for computers
0
 

Author Comment

by:dwielgosz
ID: 16649864
so the display properties GPO would be applied to the computers object and under delegates I can add those PCs that should be exempt? Is that what you're saying?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16649934
Yes that is the concept, you would add the users and then set Deny for the 'Apply group Policy' permission.

However isn't prohibiting access to display in the control panel a user policy?
If so then it would be applied to the users OU instead of the computers ( as you mentioned in your example )
0
 

Author Comment

by:dwielgosz
ID: 16649972
So what about the policies that are there now? Can I get rid of all of them except those two, default domain and DC? Should I reset those somehow?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16650018
What policies do you have?
I thought you only had 3 and that you defined all of the changes in your default domain policy
Default domain
default domain controllers
No policy
0
 

Author Comment

by:dwielgosz
ID: 16650093
There's one for the shop, one for estimating, engineering, four others total. Other times I have deleted a policy, or disabled one, and some users would have their PCs act as if they were logging in for the first time..you know, they'd get a box at login that you usually get the 1st time that you login. Welcome to Windows or some crap like that. It wasn't really a big deal just a bunch of stupid questions. Sorry. Let me see if I understand correctly. The default domain policy is always in place and affecting everyone and these others just act as modifiers, if you excuse my English, to those policies? Isn't that the reason why it's important to return the default DC and domain policies to their virgin states?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16650222
Yes that is it exactly!!
If everything was in that policy or any one policy and you wanted to exclude a user/group from a particular setting you would have to exclude them from everything in that policy

Please don't get overly worried about the default domain policy. Be sure you only undo the items you touched.
Where I work we have had our Default Domain Policy edited

So you have Group Policy Objects called shop, estimating and engineering;
Or are these Organizational Units ?

0
 

Author Comment

by:dwielgosz
ID: 16650290
OUs, and there were GPs created for each with basically the same settings except for a tweak here and there. I should undo any and all changes to the default DC & domain regarding internet or display etc? I never did anything with any of the others like security or such. I believe the changes all were in the admin templates folder in each GPO
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16650413
From the GPMC perform a backup of your Group Policies before making any more changes.
Yes you can undo those changes you made when you are ready.
Again, only undo what you know you changed. There is no immediate harm with what you did, it's just not best practice
You might want to wait until we have the other policies in place and ready to go.

Do I have this right ? ....
You have other Group Policies in place and they are working fine.
You just wanted to create some new ones and have them affect everyone and that is why you placed it at the domain root level
0
 

Author Comment

by:dwielgosz
ID: 16650488
Six total including the two default. The policies weren't impacting things the way I had expected so I knew there was something wrong with the config. I know the new manager is supposed to be so much better than the old way, but the old way was a heck of a lot easier for me than this new manager. I would like to clean things up and do it the way you laid out in Option #1 which I do understand. I will have to come back to this in an hour though because of a meeting.
0
 

Author Comment

by:dwielgosz
ID: 16651639
I went through the default domain policy and set it with all the restrictions needed. Now do I create...do I have this backwards? which policy do I put the restrictions in the additional one or the dd policy?
0
 

Author Comment

by:dwielgosz
ID: 16651969
Are you around still? I'm sorry but this doesn't make sense to me. I put the restrictions in the default domain policy and then create another policy with just those restrictions in it, but add the exempt users and then deny the "apply group policy" permissions. Is that correct?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16652255
"I went through the default domain policy and set it with all the restrictions needed"
You should not have set anything in the default domain policy, I thought you were going to undo the changes you made there.

Once that is done then you will create new policies. Let's say you create one called "ControlPanelDisplay"
In this you would edit the user settings that you need this particular one can be found here:
User configuration > administrative templates > control > Display > Remove Display in Control Panel

Now since this is a user setting it must be applied to an OU that contains Users or it can be applied to the domain root level.

Let's say you apply it to an OU called engineering but there is one user in this OU that you DO NOT want this policy to be applied to
You would go to the delegation tab > click the 'Advanced' button and then add this user > and set the 'Apply Group Policy' permission to denied

I hope this made sense
If not maybe you can give me a rough layout of the domain OU structure and let me know where the users reside and where the computers reside
e.g.
MyDomain
     -Engineering
          -EngineeringUsers  (ou for Engineering Users)
          -EngineeringComputers  
     -Shop          
          -ShopUsers
          -Shopcomputers (OU for Shop computers)
0
 

Author Comment

by:dwielgosz
ID: 16652319
OK Thanks, back to the default domain policy to undo. Does the default domain policy automatically apply to the entire domain, or do I need to make sure that it applies to every OU in the domain?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16652500
Hello,
That policy will apply to the entire domain unless you have specifically blocked it
The same goes for every other GPO you create. By default they will filter down to the sub OUs

So using the rough layout in my last post if you created a policy at MyDomain called 'ControlPaneldisplay'
This policy will be enabled in all the OUs below it and all the OUs below them...etc

You can verify this by opening the GPMC > click on an OU > on the right side click on the tab called 'Group Policy Inheritance'
0
 

Author Comment

by:dwielgosz
ID: 16652526
Got that, I'm trying to edit, side by side right now. I'll report back when I'm finished.
0
 

Author Comment

by:dwielgosz
ID: 16652790
I have the default domain policy pretty much back where it was out of the box. I also have a new GPO called "Internet Restrictions" and the only part of the GPO that I have customized are the rules regarding the internet. By default it is applied to authenticated users (bottom right window). I also added "users". When I went into delegation, I saw that domain admins is in there. Should I then deny permission for the domain admins?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16653105
No, you do not want to deny permissions for the Domain Admins.
If you look closer they do not have the 'Apply Group Policy' permission so they are not affected by the policy.

They are placed there by default so they can edit and change the settings of the group policy.
0
 

Author Comment

by:dwielgosz
ID: 16658900
Are you around today?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16659008
Yep
0
 

Author Comment

by:dwielgosz
ID: 16659073
I'm in the home stretch here, can I get a little more help from you?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16659107
Of course you can.
0
 

Author Comment

by:dwielgosz
ID: 16659335
Thanks. Here's what I have. I have gone over each of the remaining GPOs with the fine tooth comb and they are clean. I have four GPOs left
default Domain controller
Default Domain policy
Internet Restrictions
No Policy Group

The last one was created to exempt users from internet restrictions and therefore with the new plan of yours, will not be needed and can be deleted. But I want to enable the Internet restriction first otherwise some users will be forced through the proxy which I do not want. The default domain policy is not enabled, all the others are. I would like to first make sure that the first two are correctly established before I do anything with the other two.

Starting with Default DC Policy:
It is enabled
In Scope > Locations I have "domain controllers"
In Security Filtering I have my username and domain admins
In delegation I have
authenticated users >> custom >> no
my username >> Read (from Security Filtering) >> no
domain admins >> edit settings, delete, modify security >> no
enterprise admins >> same as above >> no
ent. domain controller >> Read >> no
system >> edit settings, delete, modify security >> no


Does that look correct?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16659424
Looks almost like mine, just one difference
I can't say how original my defaultDC policy is but I don't think this part of it has been changed
I have
authenticated users >> read >> no

If you click the advanced button in the delegation tab you can see the permissions they have
0
 

Author Comment

by:dwielgosz
ID: 16659530
A side issue question:

I have noticed that if I create a group "electrical" and add users to it, it does not show up in the GPO Manager as an OU. If I create an OU called "Electrical" it does show up in GP Manager. If I want to organize users into a group for the purpose of applying a GP, then should I do it in an OU and not a Group?
0
 

Author Comment

by:dwielgosz
ID: 16659618
Authenticated users has a "special permission" that is not inherited. Upon deeper investigation here's what I see:

This object and all child objects permissions
all these are "allow"
list contents
read all properties
write all properties
read permissions
all validated writes
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16659647
If you created a group then no it will not show up anywhere as an OU.

You have the right idea...
To organize users into group to apply group policies you need to use Active Directory Users and Computers
to create the group. Then you can add that group to the security filtering section or the delegation tab on any GPO from the GP Manager
0
 

Author Comment

by:dwielgosz
ID: 16659696
But that's the point of what I was saying about an OU versus a group. When I try to add a group I created in AAD in the Sec. Filtering part I cannot find that group in the list after opening the ADD interface. I can see the OU I created though.
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16659732
The authenticated group in my Default DC does not have the
write all properties
all validated writes
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16659751
Ohh I understand what you meant now.
When you browse for the group what object types are listed
After you click the 'ADD' button you should see this info
0
 

Author Comment

by:dwielgosz
ID: 16659796
as far as the permissions for the authenticated users is concerned, I would think I'll be OK with those two. It would be a different story if it were a deny perm. I will proceed.
0
 

Author Comment

by:dwielgosz
ID: 16659842
If you highlight the default domain controller policy (or any for that matter) and on the right-hand side have the Scope tab selected, the top window is labeled "Links". Two lines below the word Links is a line that reads,

"The following sites, domains, and OUs are linked to this GPO:"

Absent is the word "Group"
0
 

Author Comment

by:dwielgosz
ID: 16660048
What I have done is gone through AD users and computers and sorted out the users and put them into all OUs. I got rid of a couple of groups that were now empty and had been created only for applying special GPs and are no longer needed.
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16660230
Absent is the word "Group"
You cannot link a GPO to a group.
You can only link GPOs to sites, domains, and OUs.

However, you can say whether or not a GPO is applied to a group or a user.
That is where the security filtering/delegation comes into play
0
 

Author Comment

by:dwielgosz
ID: 16660315
How can you apply it to a group using the Security Filtering interface if you cannot find it and select it from the available list?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16660386
That is definitely an issue.
You should be able to see groups when you click the 'ADD' button

When you browse for the group what object types are listed?
After you click the 'ADD' button you should see this info at the top of the 'Select User, Computer or Group' dialog box

Under 'Select this object type' mine says
'User, Group, or Built-in security principal'
0
 

Author Comment

by:dwielgosz
ID: 16661018
What version of Windows server are you looking at?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16661782
Windows 2003 sp1
0
 

Author Comment

by:dwielgosz
ID: 16662068
sheesh! I typed out a long description and sent it and it somehow went POOF
0
 

Author Comment

by:dwielgosz
ID: 16662087
I wonder if EE is having problems because it was forcing me off and I had to re-login like 5 times.
0
 

Author Comment

by:dwielgosz
ID: 16662146
Here goes again:

Default Domain policy
Scope tab:
4 groups that I had created when the domain was a win2k domain (and server)
our domain
Links enabled to all of them, but "enforced" on one of the groups and the domain itself.

security filtering:
administrator
domain admins
users

Delegation:

administrator, edit settings, delete, modify security, NO
domain admins, same as above, NO
enterprise admins, same as above, NO
system, same as above, NO
Enterprise Domain Controllers, Read, NO
Users, Read (from security filtering), NO

shouldn't all of the groups and OUs be in the scope of this policy? Mine are not.
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16662288
I'm having a hard time understanding the question.
The scope of this policy should be your domain
For security filtering you would not have to see all the groups because there is a Users group that has the 'Apply Group Policy' permission

If you wanted to deny a particular group from receiving this policy then you would have to add them and that group will be visible.
I'm not saying to go ahead and deny anyone from the default domain policy...just covering the bases
0
 

Author Comment

by:dwielgosz
ID: 16662362
I apologize. I've been using OUs like groups and that's where all this confusion is coming from. All of the "Groups" as I referred to them are actually OUs; that is why they are showing up in the Scope part of GP manager under links. Let me get this straightened out first. Let me ask you this first. Are you saying that the only item that should show up under Scope/Links for the default domain policy is the actual domain itself?
0
 

Author Comment

by:dwielgosz
ID: 16662533
So should I have the users in groups and not OUs? For like 6 years I've had OUs with users moved into them (by department) and then I was assigning GPs to those OUs.
0
 

Author Comment

by:dwielgosz
ID: 16662551
I have a couple of distribution groups that I use for mailings also.
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16662570
Yes on a standard installation where no one has changed inheritance the default domain policy is applied at the domain level.
You should see it on the left side in the tree structure right under your domain.

If nothing is set to block inheritance then it is going to be applied to every OU.
You can verify this by clicking on any OU in the tree and viewing the 'Group Policy Inheritance' tab
0
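A scripted version of the 'Group Policy Inheritance' check recommended here and earlier in the thread, added as an example that is not part of the original thread. It assumes the GroupPolicy and ActiveDirectory modules (RSAT / Windows Server 2008 R2 or later, not the Windows 2003 GPMC) and a placeholder domain DN.

```powershell
# Added example, not from the thread: report, for every OU under a search base,
# what the GPMC 'Group Policy Inheritance' tab would show, so that OUs with
# 'Block Inheritance' or without an expected GPO are easy to spot.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-OuGpoInheritanceReport {
    param(
        # DN of the subtree root, e.g. 'DC=mydomain,DC=local' (placeholder)
        [Parameter(Mandatory)][string]$SearchBase
    )
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $inh = Get-GPInheritance -Target $_.DistinguishedName
        [pscustomobject]@{
            OU                 = $_.DistinguishedName
            InheritanceBlocked = $inh.GpoInheritanceBlocked   # 'Block Inheritance' set on this OU
            # GPOs linked directly to this OU, marking the ones set to Enforced
            LinkedHere         = ($inh.GpoLinks | ForEach-Object {
                                     $_.DisplayName + $(if ($_.Enforced) { ' (enforced)' } else { '' })
                                 }) -join '; '
            # Links from this OU, its parents and the domain, in the precedence
            # order the GPMC tab lists them; blocked links are absent here.
            EffectiveOrder     = ($inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join ' > '
        }
    }
}

# OUs that no longer receive a given GPO, e.g. the Default Domain Policy
# (blocked inheritance without an Enforced link on the domain).
function Find-OusMissingGpo {
    param([Parameter(Mandatory)][string]$SearchBase,
          [string]$GpoName = 'Default Domain Policy')
    Get-OuGpoInheritanceReport -SearchBase $SearchBase |
        Where-Object { $_.EffectiveOrder -notmatch [regex]::Escape($GpoName) }
}

# Usage (placeholder DN):
# Get-OuGpoInheritanceReport -SearchBase 'DC=mydomain,DC=local' | Format-Table -AutoSize
# Find-OusMissingGpo -SearchBase 'DC=mydomain,DC=local'
```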
 
LVL 16

Expert Comment

by:mdiglio
ID: 16662648
"So should I have the users in groups and not OUs? For like 6 years I've had OUs with users moved into them (by department) and then I was assigning GPs to those OUs."

No that way is fine. My users are in OUs as well.
but they are also members of Domain User, Authenticated Users etc.
These are the groups that have default permissions to Group Policy Objects.
So by default every Group Policy applies to every user in your domain if it is linked directly to or above the OU that has the users in it.

The only time you would need to create a group is if you wanted to deny a specific group policy to a number of users.
You would put those users in a group then in the delegation tab add that group and choose 'Deny' for the 'Apply Group Policy' permission
0
 

Author Comment

by:dwielgosz
ID: 16662812
Where does the users' actual little icon reside on your server? Is it in the OU then or in the Users built-in?
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16663083
I think it's time we closed this question.
We have been straying very far off from its original intent.

I put my users in OUs. The built-in Users container and Computers container cannot have group policies applied to it.

I also redirect computers to another OU so when a new computer joins the domain they will instantly have our SP2 firewall and WSUS policy
Page 41 of this downloadable document will show you how if you are interested
Download chapter 9 from here...look for "Upgrading Windows 2000 Domains to Windows Server 2003 Domains"
http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe

How to Implement Group Policy Security Filtering
http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
0
 
LVL 16

Expert Comment

by:mdiglio
ID: 16669224
Hey just found a good tutorial on security filtering if you are interested:
http://www.adminprep.com/articles/default.asp?action=show&articleid=86
0
 

Author Comment

by:dwielgosz
ID: 16682061
I'm sorry if I'm asking too many questions. That's how these questions often are with one answer bringing other questions to mind. Thanks for the help that you have given me and wish you the best.
0
