Solved

Denying GPO to AD group

Posted on 2009-04-04
Last Modified: 2012-05-06
Hi

We are running Windows 2003 AD.

I have a GPO that will cause some restrictions on users logging onto computers within a certain OU.

I would like it that anyone in the AD group, Group1, did not have these settings applied.

Is it possible to deny the GPO to this group and how?

Also - say I had a setting that prevented users from shutting down the server, would this apply to anyone logging onto the server, even those in the Administrators (local) group?

Cheers!
Question by:kam_uk
8 Comments
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 1000 total points
ID: 24069516
> Is it possible to deny the GPO to this group and how?

In the Group Policy Management Console, click Advanced in the "this GPO applies to the following blah blah blah" section. Enter the name of the group and Deny the Read and Apply Group Policy permissions.

> Also - say I had a setting that prevented users from shutting down the server, would this apply to anyone logging onto the server, even those in the Administrators (local) group?

User Rights are a User Configuration setting; by default these need to be linked to an OU containing user objects and will apply to those users regardless of which machine they log into.

If you are attempting to configure User Configuration settings on a per-computer basis, so that User Configuration settings will apply to a particular computer regardless of which user logs into it, you must configure Loopback Processing on the GPO in question, as described here: http://technet.microsoft.com/en-us/library/cc757470.aspx
 
LVL 3

Author Comment

by:kam_uk
ID: 24069526
Hi Laura,

Thanks for answering, I forgot to mention - yep, we have Loopback set.

Will the setting apply to any users/groups in the Local Administrators group?
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 24069532
By default, Authenticated Users have Read and Apply Group Policy on all Group Policy Objects. As Administrators are a member of Authenticated Users, all GPOs will apply to Administrators unless you modify the permissions on the GPO.
 
LVL 3

Author Comment

by:kam_uk
ID: 24069545
Hi

Also, just to make sure I am in the right section for #1, is this in

GPO > Delegation > Advanced?

And check the 'Apply Group Policy' box for the group I want to deny the GPO for?
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 24069563
See my previous. Deny both the Read and Apply Group Policy permissions for the group(s) that you want to deny.
 
LVL 3

Author Comment

by:kam_uk
ID: 24069684
Thanks very much Laura, looks good now.

Just one final question out of curiosity...

Why deny both READ and APPLY GROUP POLICY? Surely just denying APPLYING GROUP POLICY is enough to prevent the GPO from being applied (I've tested and this seems to be the case)...what is the advantage of setting a Deny on the READ permission?
 
LVL 18

Assisted Solution

by:Americom
Americom earned 1000 total points
ID: 24070240
You deny READ because you do not want the GPO to have any impact on the security group. If you just deny AGP and leave READ allowed, the GPO is still processed by the user even though it is not applied to the user. That's why, for best practice and better performance, it's meaningless not to deny READ if you deny AGP.
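An audit script added here to check the two points made in the accepted answer and in Americom's follow-up: that the exempt group carries a Deny on both Read and Apply Group Policy (not just Apply), that Authenticated Users still has its default Read + Apply allow, and whether loopback processing is configured on the GPO. This is not code from the thread; it assumes the GroupPolicy PowerShell module (RSAT / Server 2008 R2 and later, so not the 2003 DCs discussed above), and the GPO name 'Restrict-Kiosk-Users' and group 'Group1' are placeholders.

```powershell
# Added example, not from the original thread. Requires the GroupPolicy
# module (RSAT / Server 2008 R2+). GPO and group names are placeholders.
Import-Module GroupPolicy

function Get-GpoFilteringReport {
    param(
        [Parameter(Mandatory)][string] $GpoName,
        [Parameter(Mandatory)][string] $ExemptGroup
    )
    # -All returns every ACE on the GPO, Deny entries included (Denied is a bool).
    $aces = Get-GPPermission -Name $GpoName -All

    # Deny entries for the group that should be exempt from the GPO.
    $groupDeny = $aces | Where-Object {
        $_.Trustee.Name -eq $ExemptGroup -and $_.Denied
    }
    # Authenticated Users gets Read + Apply (GpoApply) by default; the thread's
    # approach leaves that allow in place and adds a Deny for the group only.
    $authUsers = $aces | Where-Object {
        $_.Trustee.Name -eq 'Authenticated Users' -and -not $_.Denied
    }
    # Loopback processing is stored computer-side: 1 = Merge, 2 = Replace.
    $loopback = Get-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
    $mode = switch ($loopback.Value) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not set' } }

    [pscustomobject]@{
        Gpo                    = $GpoName
        # GpoApply = Read + Apply Group Policy, i.e. both permissions denied,
        # which is what Americom recommends; a Deny on Apply alone shows up
        # as a different level and the client still reads the GPO.
        ExemptGroupDenyLevels  = ($groupDeny | ForEach-Object { "$($_.Permission)" }) -join ','
        ExemptGroupFullyDenied = [bool]($groupDeny | Where-Object { $_.Permission -eq 'GpoApply' })
        AuthenticatedUsers     = ($authUsers | ForEach-Object { "$($_.Permission)" }) -join ','
        LoopbackMode           = $mode
    }
}

Get-GpoFilteringReport -GpoName 'Restrict-Kiosk-Users' -ExemptGroup 'Group1' | Format-List
```

Run it from a domain-joined admin host; a correctly filtered GPO reports ExemptGroupFullyDenied as True and AuthenticatedUsers as GpoApply.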
 
LVL 3

Author Comment

by:kam_uk
ID: 24071231
Thanks all!