Solved

Group Policy Questions

Posted on 2008-06-16
Last Modified: 2010-03-17
Hi

I have a couple of questions on group policy that I was hoping someone could help me with;

a) I have the following GPOs applied to an OU (listed in order of increasing precedence):

GPO #1
GPO #2
Default Domain Policy

Can someone tell me which policy takes priority, is it the first or the third?

b) GPO #1 has a setting

Computer configuration > Windows Settings > Security Settings > Restricted Groups

...and there are two security groups listed in this setting. Can someone tell me exactly what this setting does?

c) I wish to have a setting whereby the GPO adds certain domain security groups to the Local Admins group. Can you tell me where I can add this setting?

We are using Windows 2003 domain controllers; the servers are Windows 2003.

Hope someone can help!

Thanks

Question by:kam_uk
Accepted Solution

by:
tigermatt earned 350 total points
ID: 21795382
kam_uk,

a) The first policy will have priority. Any policies which are defined in lower priority GPOs but are not defined in the higher preference ones will also apply - but if any policies are set more than once, the ones from the first policy at the top of your list will take precedence over the ones lower down.

b) Restricted Groups is the feature you will need to use for part c) of your question. Essentially what it does is allow you to specify a security group, and then specify the groups which should be members of that security group at each workstation where the GPO applies. There's a good article on Restricted Groups at http://www.windowsecurity.com/articles/Using-Restricted-Groups.html.

To achieve part c), you would need to create a Restricted Groups policy for the "Administrators" group, and then add the correct domain security groups as part of the properties of that restricted group policy. If you check the article, you will be able to get a more detailed description of the procedure.

There's also this Technet article on Restricted Groups for your info: http://technet2.microsoft.com/WindowsServer/en/Library/156780ef-eb36-4433-b3fe-1b1a15c18f6a1033.mspx

-tigermatt

Assisted Solution

by:raptorjb007
raptorjb007 earned 150 total points
ID: 21795401
All three GPOs apply. However, in the event two or more GPOs have conflicting settings set, the setting from the GPO with the highest precedence is the one that is applied.

To better understand: GPOs are applied in a specific order. GPOs are processed in order, and the last one to be processed has the highest precedence. This order is as follows (Local, Site, Domain, OU); precedence within these sections is considered but affects only its precedence within its category as listed above.

So with this in mind, local PC policies have the lowest precedence and OU policies have the highest precedence. Domain policies apply to the entire domain, but OU policies are more specific, and thus have a higher precedence and override domain policies.

For more information you can read:
Group Policy processing and precedence
http://technet2.microsoft.com/windowsserver/en/library/274e614e-f515-4b80-b794-fe09b5c21bad1033.mspx?mfr=true
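
The processing order described in the answer above (Local, Site, Domain, OU, with the last GPO processed winning a conflict), modelled as an added example that is not part of the thread. GPO and setting names are constructed; the model assumes a single OU level, no Enforced links, no Block Inheritance and no security or WMI filtering, and that within one container link order 1 is processed last.

```python
# Added example: simplified model of Group Policy precedence (not Microsoft code).
# Scopes are processed in this order; a later GPO overwrites an earlier one.
SCOPE_ORDER = {"local": 0, "site": 1, "domain": 2, "ou": 3}

# Constructed sample links; GPO names and setting names are hypothetical.
SAMPLE_LINKS = [
    {"gpo": "Servers Hardening", "scope": "ou", "link_order": 1,
     "settings": {"ScreenSaverTimeout": 300}},
    {"gpo": "Default Domain Policy", "scope": "domain", "link_order": 1,
     "settings": {"ScreenSaverTimeout": 900, "LegalNoticeCaption": "Notice"}},
    {"gpo": "Servers Baseline", "scope": "ou", "link_order": 2,
     "settings": {"ScreenSaverTimeout": 600, "AuditLogonEvents": "Success"}},
]


def processing_order(links):
    """Return links in the order they are processed (last processed wins).

    Inside one container, link order 1 has the highest precedence, so it is
    processed last: sort by scope, then by link_order descending.
    """
    return sorted(links, key=lambda l: (SCOPE_ORDER[l["scope"]], -l["link_order"]))


def effective_settings(links):
    """Merge all GPOs; returns {setting: (value, name of the winning GPO)}."""
    result = {}
    for link in processing_order(links):
        for name, value in link["settings"].items():
            result[name] = (value, link["gpo"])  # later GPO overwrites earlier
    return result


if __name__ == "__main__":
    for setting, (value, gpo) in sorted(effective_settings(SAMPLE_LINKS).items()):
        print(f"{setting} = {value!r}  (from {gpo})")
```
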


Author Comment

by:kam_uk
ID: 21798260
Thanks guys...

Tigermatt said "b) Restricted Groups is the feature you will need to use for part c) of your question. Essentially what it does is allow you to specify a security group, and then specify the groups which should be members of that security group at each workstation where the GPO applies. There's a good article on Restricted Groups at http://www.windowsecurity.com/articles/Using-Restricted-Groups.html."

Question - I would like to do the following that would only apply to the machines in the OU where this GPO is applied

a) I would like Domain Security Group A to be a member of the Administrators group on servers in that specific OU
b) I would like Domain Security Group B to be a member of the Power Users group on servers in that specific OU

According to the article, I would set up Administrators and Power Users as Restricted Groups on the GPO, and add Domain Security Group A and Domain Security Group B as members of the groups respectively.

Could you confirm this will only affect machines that the GPO is applied to? For instance, if I created domain\domain admins as a Restricted Group and added Domain Security Group A to it, this would not be a domain wide change?

Thanks!

Expert Comment

by:tigermatt
ID: 21800274
You control where the Restricted Groups policy applies just like any other policy. Provided the policy which has restricted groups configured is ONLY linked to the OU containing your servers, the policy will only apply to that location.

All the places a policy is linked can be seen when you single-click on it in the Group Policy Management Console; it's on the first tab at the top.

-tigermatt
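
An added example, not part of the thread, for reviewing what a Restricted Groups policy like the one discussed above will do before it is linked: the setting is stored in the GPO's `GptTmpl.inf` under `[Group Membership]`, and this parser reads that section. A `__Members` entry makes the listed principals the group's member list and drops members not on it, while a `__Memberof` entry only adds the group to the target. The SIDs ending in -1105 (Domain Security Group A) and -1106 (Domain Security Group B) are constructed placeholders.

```python
# Added example: read the [Group Membership] section of a GptTmpl.inf.
# S-1-5-32-544 and S-1-5-32-547 are well-known SIDs; the domain SIDs are constructed.
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-547": "Power Users"}

SAMPLE_INF = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-547
"""


def parse_group_membership(inf_text):
    """Return [(group, 'members' | 'memberof', [principals])] for the section."""
    entries, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep:
            continue  # not a <group>__Members / <group>__Memberof key
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        entries.append((group.lstrip("*"), kind.lower(), principals))
    return entries


def summarize(entries):
    """One line per non-empty entry; empty lists are skipped, not interpreted."""
    lines = []
    for group, kind, principals in entries:
        name = WELL_KNOWN.get(group, group)
        if kind == "members" and principals:
            lines.append(f"{name}: member list replaced by {', '.join(principals)}")
        elif kind == "memberof" and principals:
            targets = ", ".join(WELL_KNOWN.get(p, p) for p in principals)
            lines.append(f"{targets}: {name} added, existing members kept")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_group_membership(SAMPLE_INF))))
```
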