Solved

Linking a group policy to the domain

Posted on 2008-10-03
8
203 Views
Last Modified: 2010-04-21
Hello Everyone,
I want to make sure I am doing this correctly.  I created 2 group policies GP-A and GP-b
GP-A - Computer configuration - using restricted groups to only have local administrator and domain admins in the local admin group.  I have the securitly filtering on a group

GP-B User configuration - preventing most popular instant messengers from running.  I have the security filtering on this group as well.

It is my understanding that if I link both of these group policies to the domain and use the security filtering for the groups I want, then everyone who is not in those groups will not be affected...Is that correct?

Thanks,

Bill

0
Comment
Question by:bjennings
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22635452
yes..you are right
0
 
LVL 5

Expert Comment

by:xperttech
ID: 22635466
Yes, you're right...
If your GPO applies to a machine, then the security filetring will mach it to a machine account or group. If the GPO applies to a user, then it will apply it to a user account or group.
Now, I'm assuming you're removing the default "Authenticated users" and placing there only the group(s) or user(s) that are meant to receive this policies, right?
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 350 total points
ID: 22636348
You are correct. Applying the policy at the domain level means that it will apply to every applicable object in the entire Active Directory domain. So, if you set a setting under "Computer Configuration", this will apply to every Computer object, and likewise for a setting under "User Configuration".

By then utilising Security Filtering, you will then block the policy so it only applies to objects in particular security groups.

Remember that for efficiency purposes it is a good idea not to link policies at the domain-level, since this will slow down computer startup and processing of Group Policy. If you can, try to link the policies to appropriate OUs (one GPO object can be linked to more than one OU) so you don't have as many PCs and users trying to apply a policy when it is not applied to them.

-tigermatt
0
 

Author Comment

by:bjennings
ID: 22636925
Thank you so much!!!  One follow up question...If I create an OU for the group policy does the security group I want the gp effect also need to be in that OU or can that stay in the default users OU?
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 5

Expert Comment

by:xperttech
ID: 22637085
Your affected users need to be there, so you can either move the users to the new OU or you can create OU under the users' tree.
You can create also OUs under OUs, so you can manually filter the GPOs down. Remember, the sub OU members will get the GPO from the parents unless you 'Block inheritance' in the OU. An alternative is the Security Filtering here too.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 22640171
The Security Group can be located in any OU in the domain. It doesn't matter where the group is situated, it is more important that it contains the correct users for whom the GPO should apply.

Once you apply it over a container containing user objects, remember it will apply to every user object there. Then, when you use Security Filtering, this will restrict the GPO from applying, so it will only apply to users who are a member of the specified group(s).

-tigermatt
0
 

Author Closing Comment

by:bjennings
ID: 31502809
Thanks for your help!
0
 

Author Comment

by:bjennings
ID: 22690498
Thank you everyone for your suggestions!
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
Concerto provides fully managed cloud services and the expertise to provide an easy and reliable route to the cloud. Our best-in-class solutions help you address the toughest IT challenges, find new efficiencies and deliver the best application expe…
A company’s greatest vulnerability is their email. CEO fraud, ransomware and spear phishing attacks are the no1 threat to a company’s security. Cybercrime is responsible for the largest loss of money to companies today with losses projected to r…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now