
Apply GPO to a Security Group in Windows 2003

I made a script to transfer some files to the local user's disk at logon, placed it in NETLOGON, and created a TEST OU and a user testusr. I linked the OU to the GPO, placed testusr into the OU, and it worked fine.
Since my goal is to include selected users from different OUs in the GPO enforcement, I created a security group testgrp, made testusr a member of this group, moved testgrp into TEST (the OU), and gave it Read & Apply GPO permissions, and then moved testusr back to the Users folder (no OU), so that the GPO would be enforced at logon of any member of testgrp. After waiting for gpupdate for several hours, it still doesn't work.
Since it worked fine for an individual user, obviously the problem lies in assigning the GPO to testgrp. Did I miss any step?
Asked:
jsonnenvzla
Network_Data_Support Commented:
In the Group Policy editor, select the GPO object, then go to Delegate and add the security group to that.
 
Network_Data_Support Commented:
Also, under Scope you want to add the group to that.
 
Shift-3 Commented:
Despite the name, Group Policy does not apply directly to security groups.  Placing a security group in an OU has no effect on the members of the group.

To accomplish what you want you could instead apply the GPO at the domain level, then go to the GPO's Delegation tab, add Read permission for the desired security group, and remove access from Authenticated Users and any other groups for which you do not want the policy to apply.  This way the policy will apply to all users but only the ones in the specified group will have permission to run it.
 
Shift-3 Commented:
Correction: as Network_Data_Support said, the permissions should be added under Security Filtering on the Scope tab, not on the Delegation tab.
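
The security filtering discussed in this thread, scripted and then audited, as an added example that is not part of the original posts. It assumes a management host with the GroupPolicy PowerShell module (newer than the Windows 2003 tools used in the thread) and a hypothetical GPO name; it leaves Authenticated Users with Read rather than removing the entry entirely.

```powershell
# Added example, not from the thread. Assumptions: GroupPolicy module available;
# the GPO name is a hypothetical placeholder; 'testgrp' is the group from the question.
Import-Module GroupPolicy

$GpoName   = 'Copy Files At Logon'   # hypothetical GPO name
$GroupName = 'testgrp'               # security group from the question

# Stop early if the GPO does not exist.
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# Security Filtering entry: the group gets Read + Apply group policy.
Set-GPPermission -Guid $gpo.Id -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Lower Authenticated Users from Apply to Read. -Replace is needed because
# a higher existing permission is otherwise left unchanged.
# Read is kept as a choice of this example: Windows systems updated since 2016
# retrieve user policy in the computer's security context, so computer
# accounts must still be able to read the GPO.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Audit: list every trustee that will actually apply this GPO.
$appliers = Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Permission -eq 'GpoApply' }

$appliers |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}},
                  @{n='Type';e={$_.Trustee.SidType}},
                  Permission |
    Format-Table -AutoSize

# Flag any trustee other than the intended group that still has Apply.
$unexpected = $appliers | Where-Object { $_.Trustee.Name -ne $GroupName }
if ($unexpected) {
    Write-Warning ("GPO '{0}' also applies to: {1}" -f $GpoName,
        (($unexpected | ForEach-Object { $_.Trustee.Name }) -join ', '))
}
```

Running `gpresult` on a client as a member and as a non-member of the group confirms the filter from the receiving side.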
 
Network_Data_Support Commented:
I said as you said at first and then realized.
 
KCTS Commented:
To clarify:
Group policies are NOT applied to groups - they are applied to OUs.

The COMPUTER settings are applied based on the OU that the computer account is in.

The USER settings are applied based on the OU that the user account is in.

The OU that any group that the user or computer is a member of has no effect.

You can use filtering - but use it with reserve - it can get messy; see http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
 
jsonnenvzla (Author) Commented:
Thanks, friends, for your prompt replies.
I created a domain-level GPO, added the security group, and checked the delegation settings, but nothing happened. Please tell me:
1. How long do I have to wait after modifying a GPO?
2. Would gpupdate /force really update immediately?
3. If I modify the script, do I have to re-add it to the GPO?
4. Is it correct to store the script in the NETLOGON share?
5. When I add the script to the GPO there's a button "Show Files"; it shows a path inside NETLOGON, related to an object, but it shows nothing there.
6. Does having the GPO linked at domain level mean the scope includes the security group no matter the OU where it's located?
7. What's the meaning of the GPO setting "Enforced"? I'm leaving it set at "NO".
 
Jay_Jay70 Commented:
1) gpupdate /force on a client will push it straight away. Otherwise standard update time is 90 mins from memory.
2) See 1.
3) No, it's all integrated.
4) Yes, means it will replicate.
5) Not sure what you mean exactly.
6) Yes, that's correct.
7) By default it will apply whether or not that's ticked.

Filtering is perfectly fine to use. It's the cleanest, simplest and most efficient way of doing it as well as being the recommended way by MS, so don't worry about not using it!
 
Network_Data_Support Commented:
Have you added the group to Security Filtering under the Scope options of the GPO? You will need to do this for it to apply to the group.

Delegating just gives users rights to modify the GPO.
 
Shift-3 Commented:
7. "Enforced" is the setting which was formerly known as "No Override".  It prevents settings in the GPO from being overwritten by those in other GPOs.  It also trumps "Block Inheritance".

It's best not to use it unless you have to.
 
jsonnenvzla (Author) Commented:
OK, I finally made it. The tricky part is that I'm implementing a logon script. The GPO was being executed according to your instructions, but the system could not find the script file per se.
The only way to make it work was to drag the .cmd file into the policy's script folder. When you are adding the logon script to the policy, there's a button "Show Files", which shows which scripts are associated with the GPO. There are two ways to put the script there: either copying the object ID of the policy to locate the folder via Explorer (ugly), or dragging the file into this "Show Files" window and then selecting it. After dragging, the script name stays without a path, but having the script dragged to this container makes it available for the GPO. Giving it a path from outside this container didn't work. I solved my problem, but would like to hear some other people's experiences, since I'm not sure it's the correct way to do this.
