• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 215
  • Last Modified:

Linking a group policy to the domain

Hello Everyone,
I want to make sure I am doing this correctly.  I created 2 group policies GP-A and GP-b
GP-A - Computer configuration - using restricted groups to only have local administrator and domain admins in the local admin group.  I have the securitly filtering on a group

GP-B User configuration - preventing most popular instant messengers from running.  I have the security filtering on this group as well.

It is my understanding that if I link both of these group policies to the domain and use the security filtering for the groups I want, then everyone who is not in those groups will not be affected...Is that correct?

Thanks,

Bill

0
bjennings
Asked:
bjennings
  • 3
  • 2
  • 2
  • +1
1 Solution
 
sk_raja_rajaCommented:
yes..you are right
0
 
xperttechCommented:
Yes, you're right...
If your GPO applies to a machine, then the security filetring will mach it to a machine account or group. If the GPO applies to a user, then it will apply it to a user account or group.
Now, I'm assuming you're removing the default "Authenticated users" and placing there only the group(s) or user(s) that are meant to receive this policies, right?
0
 
tigermattCommented:
You are correct. Applying the policy at the domain level means that it will apply to every applicable object in the entire Active Directory domain. So, if you set a setting under "Computer Configuration", this will apply to every Computer object, and likewise for a setting under "User Configuration".

By then utilising Security Filtering, you will then block the policy so it only applies to objects in particular security groups.

Remember that for efficiency purposes it is a good idea not to link policies at the domain-level, since this will slow down computer startup and processing of Group Policy. If you can, try to link the policies to appropriate OUs (one GPO object can be linked to more than one OU) so you don't have as many PCs and users trying to apply a policy when it is not applied to them.

-tigermatt
0
Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

 
bjenningsAuthor Commented:
Thank you so much!!!  One follow up question...If I create an OU for the group policy does the security group I want the gp effect also need to be in that OU or can that stay in the default users OU?
0
 
xperttechCommented:
Your affected users need to be there, so you can either move the users to the new OU or you can create OU under the users' tree.
You can create also OUs under OUs, so you can manually filter the GPOs down. Remember, the sub OU members will get the GPO from the parents unless you 'Block inheritance' in the OU. An alternative is the Security Filtering here too.
0
 
tigermattCommented:
The Security Group can be located in any OU in the domain. It doesn't matter where the group is situated, it is more important that it contains the correct users for whom the GPO should apply.

Once you apply it over a container containing user objects, remember it will apply to every user object there. Then, when you use Security Filtering, this will restrict the GPO from applying, so it will only apply to users who are a member of the specified group(s).

-tigermatt
0
 
bjenningsAuthor Commented:
Thanks for your help!
0
 
bjenningsAuthor Commented:
Thank you everyone for your suggestions!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now