Solved

Group Policy Questions

Posted on 2008-06-16
4
349 Views
Last Modified: 2010-03-17
Hi

I have a couple of questions on group policy that I was hoping someone could help me with;

a) I have the following GPO's applied to an OU (listed in order of increasing precedence)

GPO #1
GPO #2
Default Domain Policy

Can someone tell me which policy takes priority, is it the first or the third?

b) GPO #1 has a setting

Computer configuration > Windows Settings > Security Settings > Restricted Groups

...and there are two security groups listed in this setting. Can someone tell me exactly what this setting does?

c)  I wish to have a setting whereby the GPO adds certain domain security groups to the Local Admins group. Can you tell me where I can add this setting?

We are using Windows 2003 Domain controllers, the servers are Windows 2003.

Hope someone can help!

Thanks

0
Comment
Question by:kam_uk
  • 2
4 Comments
 
LVL 58

Accepted Solution

by:
tigermatt earned 350 total points
ID: 21795382
kam_uk,

a) The first policy will have priority. Any policies defined in lower priority GPOs but are not defined in the higher preference ones will also apply - but if any policies are set more than once, the ones from the first policy at the top of your list will take precedence over the ones lower down.

b) Restricted Groups is the feature you will need to use for part c) of your question. Essentially what it does is allows you to specify a security group, and then specify the groups which should be members of that security group at each workstation where the GPO applies. There's a good article on Restricted Groups at http://www.windowsecurity.com/articles/Using-Restricted-Groups.html.

To achieve part c), you would need to create a Restricted Groups policy for the "Administrators" group, and then add the correct domain security groups as part of the properties of that restricted group policy. If you check the article, you will be able to get a more detailed description of the procedure.

There's also this Technet article on Restricted Groups for your info: http://technet2.microsoft.com/WindowsServer/en/Library/156780ef-eb36-4433-b3fe-1b1a15c18f6a1033.mspx

-tigermatt
0
 
LVL 6

Assisted Solution

by:raptorjb007
raptorjb007 earned 150 total points
ID: 21795401
All three GPO's apply. However in the event two or more GPO's high conflicting settings set, the GPO with the highest precedence's setting is the one that is applied.

To better understand, GPO's are applied in a specific order, GPO's is processed in order, the last one to be processed has the highest precedence. This order is as follows(Local, Site, Domain, OU), precedence within these sections are considered but affects only its precedence within its category as listed above.

So with this in mind, local pc policies have the lowest precedence and OU policies have the highest precedence. Domain Policies apply to the entire domain, but OU policies are more specific, thus have a higher precedence and override domain policies.

For more information you can read:
Group Policy processing and precedence
http://technet2.microsoft.com/windowsserver/en/library/274e614e-f515-4b80-b794-fe09b5c21bad1033.mspx?mfr=true

0
 
LVL 3

Author Comment

by:kam_uk
ID: 21798260
Thanks guys...

Tigermatt said "b) Restricted Groups is the feature you will need to use for part c) of your question. Essentially what it does is allows you to specify a security group, and then specify the groups which should be members of that security group at each workstation where the GPO applies. There's a good article on Restricted Groups at http://www.windowsecurity.com/articles/Using-Restricted-Groups.html. "

Question - I would like to do the following that would only apply to the machines in the OU where this GPO is applied

a) I would like Domain Security Group A to be a member of the Administrators group on servers in that specific OU
b) I would like Domain Security Group B to be a member of the Power Users group on servers in that specific OU

According to the article, I would set up Administrators and Power Users as Restricted Groups on the GPO, and add Domain Security Group A and Domain Security Group B as members of the groups respectively.

Could you confirm this will only affect machines that the GPO is applied to? For instance, if I created domain\domain admins as a Restricted Group and added Domain Security Group A to it, this would not be a domain wide change?

Thanks!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21800274
You control where the Restricted Gropus policy applies just like any other policy. Provided the policy which has restricted groups configured is ONLY linked to the OU containing your servers, the policy will only apply to that location.

All the places a policy is linked can be seen when you single-click on it in the Group Policy Management Console, it's on the first tab at the top.

-tigermatt
0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
Knowing where your website is hosted is as important as the features you receive, the monthly fee, and the support you receive. Due diligence should be done when choosing your next hosting provider.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question