Solved

Linking a group policy to the domain

Posted on 2008-10-03
Last Modified: 2010-04-21
Hello Everyone,
I want to make sure I am doing this correctly.  I created 2 group policies, GP-A and GP-B.
GP-A - Computer configuration - using restricted groups to only have local administrator and domain admins in the local admin group.  I have the security filtering on a group

GP-B User configuration - preventing most popular instant messengers from running.  I have the security filtering on this group as well.

It is my understanding that if I link both of these group policies to the domain and use the security filtering for the groups I want, then everyone who is not in those groups will not be affected...Is that correct?

Thanks,

Bill

0
Question by:bjennings
8 Comments
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22635452
yes..you are right
0
 
LVL 5

Expert Comment

by:xperttech
ID: 22635466
Yes, you're right...
If your GPO applies to a machine, then the security filtering will match it to a machine account or group. If the GPO applies to a user, then it will apply it to a user account or group.
Now, I'm assuming you're removing the default "Authenticated users" and placing there only the group(s) or user(s) that are meant to receive these policies, right?
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 350 total points
ID: 22636348
You are correct. Applying the policy at the domain level means that it will apply to every applicable object in the entire Active Directory domain. So, if you set a setting under "Computer Configuration", this will apply to every Computer object, and likewise for a setting under "User Configuration".

By then utilising Security Filtering, you will then block the policy so it only applies to objects in particular security groups.

Remember that for efficiency purposes it is a good idea not to link policies at the domain-level, since this will slow down computer startup and processing of Group Policy. If you can, try to link the policies to appropriate OUs (one GPO object can be linked to more than one OU) so you don't have as many PCs and users trying to apply a policy when it is not applied to them.

-tigermatt
0
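The setup discussed above (link at the domain, then narrow with Security Filtering), written out with the GroupPolicy module and followed by a check of who actually holds the Apply right. This is an added example, not code from any poster in this thread; GP-A and GP-B are the GPO names from the question, while the two group names are hypothetical placeholders. It leaves "Authenticated Users" with Read only rather than removing it outright, because since MS16-072 user settings are fetched in the computer's security context and computer accounts need Read on the GPO.

```powershell
# Added example. Group names below are hypothetical placeholders.
Import-Module GroupPolicy, ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$filters = @{
    'GP-A' = 'GP-A-Computers'   # hypothetical group holding computer accounts
    'GP-B' = 'GP-B-Users'       # hypothetical group holding user accounts
}

$report = foreach ($gpoName in $filters.Keys) {
    $group = $filters[$gpoName]

    # Security Filtering entry: the target group gets Read + Apply.
    Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Downgrade the default entry from Apply to Read. -Replace is required,
    # otherwise the existing higher permission level is left in place.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Link at the domain root only if the link does not exist yet.
    $linked = (Get-GPInheritance -Target $domainDN).GpoLinks |
        Where-Object DisplayName -eq $gpoName
    if (-not $linked) {
        New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes | Out-Null
    }

    # Verification: list every trustee that can still apply this GPO.
    $appliesTo = @(Get-GPPermission -Name $gpoName -All |
        Where-Object Permission -eq 'GpoApply' |
        ForEach-Object { $_.Trustee.Name })

    [pscustomobject]@{
        GPO        = $gpoName
        AppliesTo  = $appliesTo -join ', '
        # Anything listed here receives the policy although it is not the
        # intended filter group.
        Unexpected = ($appliesTo | Where-Object { $_ -ne $group }) -join ', '
    }
}

$report | Format-Table -AutoSize
```

An empty `Unexpected` column means only the filter group can apply the GPO, so objects outside that group are unaffected even though the link sits at the domain level.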

 

Author Comment

by:bjennings
ID: 22636925
Thank you so much!!!  One follow up question...If I create an OU for the group policy does the security group I want the GP to affect also need to be in that OU or can that stay in the default users OU?
0
 
LVL 5

Expert Comment

by:xperttech
ID: 22637085
Your affected users need to be there, so you can either move the users to the new OU or you can create an OU under the users' tree.
You can also create OUs under OUs, so you can manually filter the GPOs down. Remember, the sub OU members will get the GPO from the parents unless you 'Block inheritance' in the OU. An alternative is the Security Filtering here too.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 22640171
The Security Group can be located in any OU in the domain. It doesn't matter where the group is situated, it is more important that it contains the correct users for whom the GPO should apply.

Once you apply it over a container containing user objects, remember it will apply to every user object there. Then, when you use Security Filtering, this will restrict the GPO from applying, so it will only apply to users who are a member of the specified group(s).

-tigermatt
0
 

Author Closing Comment

by:bjennings
ID: 31502809
Thanks for your help!
0
 

Author Comment

by:bjennings
ID: 22690498
Thank you everyone for your suggestions!
0

Question has a verified solution.