• Status: Solved

Group Policy Questions

Hi

I have a couple of questions on group policy that I was hoping someone could help me with;

a) I have the following GPOs applied to an OU (listed in order of increasing precedence):

GPO #1
GPO #2
Default Domain Policy

Can someone tell me which policy takes priority, is it the first or the third?

b) GPO #1 has a setting

Computer configuration > Windows Settings > Security Settings > Restricted Groups

...and there are two security groups listed in this setting. Can someone tell me exactly what this setting does?

c) I wish to have a setting whereby the GPO adds certain domain security groups to the Local Admins group. Can you tell me where I can add this setting?

We are using Windows 2003 Domain controllers, the servers are Windows 2003.

Hope someone can help!

Thanks

kam_uk
 
tigermatt Commented:
kam_uk,

a) The first policy will have priority. Any policies defined in lower priority GPOs but not defined in the higher preference ones will also apply, but if any policies are set more than once, the ones from the first policy at the top of your list will take precedence over the ones lower down.

b) Restricted Groups is the feature you will need to use for part c) of your question. Essentially what it does is allow you to specify a security group, and then specify the groups which should be members of that security group at each workstation where the GPO applies. There's a good article on Restricted Groups at http://www.windowsecurity.com/articles/Using-Restricted-Groups.html.

To achieve part c), you would need to create a Restricted Groups policy for the "Administrators" group, and then add the correct domain security groups as part of the properties of that restricted group policy. If you check the article, you will be able to get a more detailed description of the procedure.

There's also this Technet article on Restricted Groups for your info: http://technet2.microsoft.com/WindowsServer/en/Library/156780ef-eb36-4433-b3fe-1b1a15c18f6a1033.mspx

-tigermatt
 
raptorjb007 Commented:
All three GPOs apply. However, in the event two or more GPOs have conflicting settings set, the setting from the GPO with the highest precedence is the one that is applied.

To better understand, GPOs are applied in a specific order: they are processed in order, and the last one to be processed has the highest precedence. This order is as follows (Local, Site, Domain, OU); precedence within these sections is considered, but affects only its precedence within its category as listed above.

So with this in mind, local PC policies have the lowest precedence and OU policies have the highest precedence. Domain policies apply to the entire domain, but OU policies are more specific, and thus have a higher precedence and override domain policies.

For more information you can read:
Group Policy processing and precedence
http://technet2.microsoft.com/windowsserver/en/library/274e614e-f515-4b80-b794-fe09b5c21bad1033.mspx?mfr=true

 
kam_uk (Author) Commented:
Thanks guys...

Tigermatt said "b) Restricted Groups is the feature you will need to use for part c) of your question. Essentially what it does is allows you to specify a security group, and then specify the groups which should be members of that security group at each workstation where the GPO applies. There's a good article on Restricted Groups at http://www.windowsecurity.com/articles/Using-Restricted-Groups.html. "

Question - I would like to do the following that would only apply to the machines in the OU where this GPO is applied

a) I would like Domain Security Group A to be a member of the Administrators group on servers in that specific OU
b) I would like Domain Security Group B to be a member of the Power Users group on servers in that specific OU

According to the article, I would set up Administrators and Power Users as Restricted Groups on the GPO, and add Domain Security Group A and Domain Security Group B as members of the groups respectively.

Could you confirm this will only affect machines that the GPO is applied to? For instance, if I created domain\domain admins as a Restricted Group and added Domain Security Group A to it, this would not be a domain wide change?

Thanks!
 
tigermatt Commented:
You control where the Restricted Groups policy applies just like any other policy. Provided the policy which has restricted groups configured is ONLY linked to the OU containing your servers, the policy will only apply to that location.

All the places a policy is linked can be seen when you single-click on it in the Group Policy Management Console; it's on the first tab at the top.

-tigermatt
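
As an added example (not part of the thread, and not Microsoft tooling), the following Python code parses the `[Group Membership]` section that a Restricted Groups policy stores in the GPO's `GptTmpl.inf` under SYSVOL, and reports which principals it places in the local Administrators and Power Users groups. The domain SIDs in the sample are constructed; the mode column shows the difference between "Members of this group", which replaces the local membership, and "This group is a member of", which only adds.

```python
import re

# Well-known SIDs of the built-in local groups discussed in the thread.
BUILTIN = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}

# Constructed sample of the [Group Membership] section that a Restricted
# Groups policy writes to GptTmpl.inf; the domain SIDs are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1105
*S-1-5-21-1111-2222-3333-1106__Memberof = *S-1-5-32-547
*S-1-5-21-1111-2222-3333-1106__Members =
[Version]
signature="$CHICAGO$"
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from the INF text."""
    groups, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = re.match(r"\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$", line, re.I)
        if not (in_section and m):
            continue
        group, kind, value = m.group(1), m.group(2).lower(), m.group(3)
        entry = groups.setdefault(group, {"members": [], "memberof": []})
        entry[kind] = [v.strip().lstrip("*") for v in value.split(",") if v.strip()]
    return groups

def local_group_changes(groups):
    """List (local group, principal, mode) for Administrators / Power Users."""
    changes = []
    for group, entry in groups.items():
        # "Members of this group": the list replaces the local membership.
        if group in BUILTIN:
            changes += [(BUILTIN[group], sid, "replace") for sid in entry["members"]]
        # "This group is a member of": the group is added, others are kept.
        changes += [(BUILTIN[t], group, "add") for t in entry["memberof"] if t in BUILTIN]
    return changes

if __name__ == "__main__":
    for local, principal, mode in local_group_changes(parse_group_membership(SAMPLE_INF)):
        print(f"{local}: {principal} ({mode})")
```

A "replace" entry on Administrators means local members that are not in the list are removed at the next policy refresh, so list every group that must keep admin rights on those servers.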