• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 213
  • Last Modified:

Linking a group policy to the domain

Hello Everyone,
I want to make sure I am doing this correctly.  I created 2 group policies GP-A and GP-b
GP-A - Computer configuration - using restricted groups to only have local administrator and domain admins in the local admin group.  I have the securitly filtering on a group

GP-B User configuration - preventing most popular instant messengers from running.  I have the security filtering on this group as well.

It is my understanding that if I link both of these group policies to the domain and use the security filtering for the groups I want, then everyone who is not in those groups will not be affected...Is that correct?

Thanks,

Bill

0
bjennings
Asked:
bjennings
  • 3
  • 2
  • 2
  • +1
1 Solution
 
sk_raja_rajaCommented:
yes..you are right
0
 
xperttechCommented:
Yes, you're right...
If your GPO applies to a machine, then the security filetring will mach it to a machine account or group. If the GPO applies to a user, then it will apply it to a user account or group.
Now, I'm assuming you're removing the default "Authenticated users" and placing there only the group(s) or user(s) that are meant to receive this policies, right?
0
 
tigermattCommented:
You are correct. Applying the policy at the domain level means that it will apply to every applicable object in the entire Active Directory domain. So, if you set a setting under "Computer Configuration", this will apply to every Computer object, and likewise for a setting under "User Configuration".

By then utilising Security Filtering, you will then block the policy so it only applies to objects in particular security groups.

Remember that for efficiency purposes it is a good idea not to link policies at the domain-level, since this will slow down computer startup and processing of Group Policy. If you can, try to link the policies to appropriate OUs (one GPO object can be linked to more than one OU) so you don't have as many PCs and users trying to apply a policy when it is not applied to them.

-tigermatt
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 
bjenningsAuthor Commented:
Thank you so much!!!  One follow up question...If I create an OU for the group policy does the security group I want the gp effect also need to be in that OU or can that stay in the default users OU?
0
 
xperttechCommented:
Your affected users need to be there, so you can either move the users to the new OU or you can create OU under the users' tree.
You can create also OUs under OUs, so you can manually filter the GPOs down. Remember, the sub OU members will get the GPO from the parents unless you 'Block inheritance' in the OU. An alternative is the Security Filtering here too.
0
 
tigermattCommented:
The Security Group can be located in any OU in the domain. It doesn't matter where the group is situated, it is more important that it contains the correct users for whom the GPO should apply.

Once you apply it over a container containing user objects, remember it will apply to every user object there. Then, when you use Security Filtering, this will restrict the GPO from applying, so it will only apply to users who are a member of the specified group(s).

-tigermatt
0
 
bjenningsAuthor Commented:
Thanks for your help!
0
 
bjenningsAuthor Commented:
Thank you everyone for your suggestions!
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 3
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now