Group Policy Questions

Posted on 2008-06-16
Last Modified: 2010-03-17
Hi

I have a couple of questions on group policy that I was hoping someone could help me with:

a) I have the following GPOs applied to an OU (listed in order of increasing precedence)

GPO #1
GPO #2
Default Domain Policy

Can someone tell me which policy takes priority: is it the first or the third?

b) GPO #1 has a setting

Computer configuration > Windows Settings > Security Settings > Restricted Groups

...and there are two security groups listed in this setting. Can someone tell me exactly what this setting does?

c) I wish to have a setting whereby the GPO adds certain domain security groups to the Local Admins group. Can you tell me where I can add this setting?

We are using Windows 2003 Domain controllers, the servers are Windows 2003.

Hope someone can help!

Thanks

Question by:kam_uk
 
LVL 58

Accepted Solution

by:
tigermatt earned 350 total points
ID: 21795382
kam_uk,

a) The first policy will have priority. Any policies that are defined in lower priority GPOs but not defined in the higher preference ones will also apply - but if any policies are set more than once, the ones from the first policy at the top of your list will take precedence over the ones lower down.

b) Restricted Groups is the feature you will need to use for part c) of your question. Essentially what it does is allow you to specify a security group, and then specify the groups which should be members of that security group at each workstation where the GPO applies. There's a good article on Restricted Groups at http://www.windowsecurity.com/articles/Using-Restricted-Groups.html.

To achieve part c), you would need to create a Restricted Groups policy for the "Administrators" group, and then add the correct domain security groups as part of the properties of that restricted group policy. If you check the article, you will be able to get a more detailed description of the procedure.

There's also this Technet article on Restricted Groups for your info: http://technet2.microsoft.com/WindowsServer/en/Library/156780ef-eb36-4433-b3fe-1b1a15c18f6a1033.mspx

-tigermatt
0
 
LVL 6

Assisted Solution

by:raptorjb007
raptorjb007 earned 150 total points
ID: 21795401
All three GPOs apply. However, in the event two or more GPOs have conflicting settings set, the setting of the GPO with the highest precedence is the one that is applied.

To better understand: GPOs are applied in a specific order, and the last one to be processed has the highest precedence. This order is as follows (Local, Site, Domain, OU); precedence within these sections is considered, but affects only its precedence within its category as listed above.

So with this in mind, local pc policies have the lowest precedence and OU policies have the highest precedence. Domain Policies apply to the entire domain, but OU policies are more specific, thus have a higher precedence and override domain policies.

For more information you can read:
Group Policy processing and precedence
http://technet2.microsoft.com/windowsserver/en/library/274e614e-f515-4b80-b794-fe09b5c21bad1033.mspx?mfr=true

0
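The processing order described in this answer, as an added Python example that is not part of the thread: it applies GPOs in Local, Site, Domain, OU order and records which GPO wins each conflicting setting. The setting names, values and link orders are constructed; it assumes link order 1 is the highest precedence within a container and does not model Enforced links or Block Inheritance.

```python
# Scopes in processing order; a later scope overwrites an earlier one.
SCOPE_ORDER = ["local", "site", "domain", "ou"]

# Constructed links: setting names, values and link orders are assumptions.
SAMPLE_LINKS = [
    {"name": "Local policy", "scope": "local", "link_order": 1,
     "settings": {"audit_logon": "none", "rename_admin": "no"}},
    {"name": "Default Domain Policy", "scope": "domain", "link_order": 1,
     "settings": {"audit_logon": "success", "lock_timeout": "15"}},
    {"name": "GPO #2", "scope": "ou", "link_order": 2,
     "settings": {"audit_logon": "failure", "rename_admin": "yes"}},
    {"name": "GPO #1", "scope": "ou", "link_order": 1,
     "settings": {"audit_logon": "success,failure"}},
]

def processing_order(links):
    """Sort links into the order they are applied (lowest precedence first)."""
    # Within one container, link order 1 has the highest precedence, so it is
    # applied last: sort by scope, then by link order descending.
    return sorted(links, key=lambda g: (SCOPE_ORDER.index(g["scope"]), -g["link_order"]))

def resultant_settings(links):
    """Return {setting: {"value", "winner", "overridden"}} after all GPOs apply."""
    result = {}
    for gpo in processing_order(links):
        for setting, value in gpo["settings"].items():
            previous = result.get(setting)
            # Remember every GPO whose value for this setting was overwritten.
            overridden = previous["overridden"] + [previous["winner"]] if previous else []
            result[setting] = {"value": value, "winner": gpo["name"], "overridden": overridden}
    return result
```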
 
LVL 3

Author Comment

by:kam_uk
ID: 21798260
Thanks guys...

Tigermatt said "b) Restricted Groups is the feature you will need to use for part c) of your question. Essentially what it does is allows you to specify a security group, and then specify the groups which should be members of that security group at each workstation where the GPO applies. There's a good article on Restricted Groups at http://www.windowsecurity.com/articles/Using-Restricted-Groups.html. "

Question - I would like to do the following that would only apply to the machines in the OU where this GPO is applied

a) I would like Domain Security Group A to be a member of the Administrators group on servers in that specific OU
b) I would like Domain Security Group B to be a member of the Power Users group on servers in that specific OU

According to the article, I would set up Administrators and Power Users as Restricted Groups on the GPO, and add Domain Security Group A and Domain Security Group B as members of the groups respectively.

Could you confirm this will only affect machines that the GPO is applied to? For instance, if I created domain\domain admins as a Restricted Group and added Domain Security Group A to it, this would not be a domain wide change?

Thanks!
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21800274
You control where the Restricted Groups policy applies just like any other policy. Provided the policy which has restricted groups configured is ONLY linked to the OU containing your servers, the policy will only apply to that location.

All the places a policy is linked can be seen when you single-click on it in the Group Policy Management Console; it's on the first tab at the top.

-tigermatt
0
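An added example, not part of the thread: Python that reads the `[Group Membership]` section of a GPO security template (GptTmpl.inf) and reports, for each Restricted Groups entry, whether it replaces a local group's membership (`Members`) or only adds a group to another (`Memberof`). The template text is constructed, and the domain SID and RIDs stand in as placeholders for Domain Security Group A and B.

```python
import re

# Well-known local group SIDs relevant to the thread's scenario.
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}

# Constructed template; the domain SID and RIDs are placeholders.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-547
*S-1-5-21-1111111111-2222222222-3333333333-1106__Members =
"""

ENTRY = re.compile(r"^(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<value>.*)$", re.I)

def _name(token):
    """Strip the leading '*' from a SID token and map well-known SIDs to names."""
    sid = token.strip().lstrip("*")
    return WELL_KNOWN.get(sid, sid)

def restricted_group_effects(inf_text):
    """Return (target_group, mode, principals) for each non-empty entry."""
    effects, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        values = [_name(v) for v in m["value"].split(",") if v.strip()]
        if not values:
            continue  # empty lists are not reported by this example
        group = _name(m["group"])
        if m["kind"].lower() == "members":
            # "Members of this group": membership becomes exactly this list.
            effects.append((group, "replace", values))
        else:
            # "This group is a member of": group is added, others are kept.
            effects.extend((target, "add", [group]) for target in values)
    return effects
```

A `replace` entry for Administrators removes any existing member that is not in the list each time policy applies, so the list has to name every account that is meant to keep administrative access on those servers.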