Solved

applying gpo active directory

Posted on 2009-04-06
Last Modified: 2012-05-06
We have 6 domain controllers. On the Domain Controllers OU there is a Default Domain Controllers Policy and a policy that we created is applied. In the policy that we created we have changed the permissions on the windows\tasks folder to read-only for everyone. This was to counter the Conficker virus as recommended by Microsoft. Now on one of the domain controllers we want to be able to create tasks. So I added one DC, for example DC2, to the security tab of the group policy that we created and denied the Read and Apply Group Policy permissions. gpresult displays that the policy is not applying.

The changes made by the policy are still retained. So as I understand it, the only way to grant read/write permissions to users is by applying another policy and enabling it. I created another policy in which I have added the file under Computer Settings/Windows Settings/File Permissions, added windows/tasks and gave permissions. Now I link the policy to the Domain Controllers OU. I want to refresh this server manually and then unlink the policy so that the other DCs are not affected. I did this and gpresult says the policy is not applied; it says it is filtered.

How do I get this one DC to have read/write permissions on the tasks folder?

Can I do this, for example: create an OU, link the policy which rolls back the changes to the new OU, move the DC to this OU, update the policy, then move it back to the original OU?

Please advise.
Question by:mgmohiuddin
5 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24077105
I wouldn't move the DC out of the Domain Controllers OU. Just create the new GPO with the required relaxed permission, and link it to the same OU as all the DCs.
Then apply security filtering so that only the one DC can read and apply this policy. Then set this GPO's precedence so it is above the other policy restricting the permissions. That way its settings will overrule the existing GPO, but will only apply to the one DC.
 

Author Comment

by:mgmohiuddin
ID: 24077181
OK, I have created the policy. When I am applying it, it says it is not applied because it is filtered. Could you elaborate on security filtering? On the security tab of the GPO there are Authenticated Users, Creator Owner, Domain Admins, Enterprise Admins etc. So do you mean to say I add the other DCs on which I do not want this policy to be applied to the security tab and deny the Apply Group Policy permission?
 
LVL 27

Accepted Solution

by:
bluntTony earned 1600 total points
ID: 24077238
In the GPMC, select the group policy object on the left hand side of the window. On the right hand side, select the 'Scope' tab.
The second section, Security Filtering, defines who can apply the GPO. Remove the 'Authenticated Users' group from here, and add in the computer account for the DC you want the settings to apply to, so just it can read the GPO. This basically writes back to the Security tab, applying the correct permissions. When you add the computer, you will have to click 'Object Types' and tick 'Computers' to allow you to add computer accounts to the security filtering. As long as only this DC is in the list, nothing else, then only it can read and apply the GPO.
Then, after you link the GPO to the OU holding the DCs, click on the OU in the GPMC. Check the 'Linked Group Policy Objects' tab and ensure that the new GPO is higher in the list than the old one.
Run 'gpupdate /force' on the DC and then check gpresult. All being well your new settings should apply.
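The same security-filtering and link-order steps bluntTony describes in the GPMC can be scripted with the GroupPolicy PowerShell module (shipped with Windows Server 2008 R2 / RSAT and later, so newer than this thread). This is an added example, not code from the thread or from Microsoft; the GPO name, DC name and OU distinguished name are placeholders you must replace, and the file-system permission itself is still authored in the GPMC editor under Computer Configuration > Windows Settings > Security Settings > File System.

```powershell
# Added example (not part of the original thread). Scope a GPO to a single DC by
# security filtering, link it to the Domain Controllers OU above the lockdown GPO,
# and verify the result. All names below are placeholders / assumptions.
Import-Module GroupPolicy

$GpoName  = 'Tasks-Folder-ReadWrite-DC2'                  # assumed name of the "relaxing" GPO
$TargetDc = 'DC2'                                         # the one DC that should get write access
$DcOu     = 'OU=Domain Controllers,DC=example,DC=local'   # placeholder domain DN

# 1. Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Restores write access to %windir%\Tasks on one DC' }

# 2. Security filtering: drop Authenticated Users, grant Read + Apply only to the
#    target DC's computer account (GpoApply implies GpoRead).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TargetDc -TargetType Computer `
                 -PermissionLevel GpoApply | Out-Null

# 3. Link to the Domain Controllers OU and move the link to Order 1 (highest precedence),
#    so its settings win over the lockdown GPO applied lower in the list.
$links = (Get-GPInheritance -Target $DcOu).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes | Out-Null
}
Set-GPLink -Name $GpoName -Target $DcOu -Order 1 | Out-Null

# 4. Verify who can apply the GPO and the link order on the OU.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, TrusteeType, Permission

(Get-GPInheritance -Target $DcOu).GpoLinks |
    Select-Object Order, DisplayName, Enabled

# 5. On the target DC itself: refresh, confirm the GPO is listed under "Applied Group
#    Policy Objects" (not "Filtered (Security)"), and check the resulting ACL.
#    Run these on DC2, or wrap them in Invoke-Command -ComputerName $TargetDc.
#    gpupdate /force
#    gpresult /scope computer /r
#    (Get-Acl "$env:windir\Tasks").Access | Format-Table IdentityReference, FileSystemRights, AccessControlType
```

Two points worth checking while doing this. First, the asker's original approach (denying Apply Group Policy on the lockdown GPO to one DC) stops that GPO from applying, but File System security settings are persistent once written to the ACL; nothing reverts them when the GPO stops applying, which is why a second GPO carrying the relaxed ACL is needed. Second, "Filtered (Security)" in gpresult means the computer account has no Read/Apply on the GPO, so after editing the filtering confirm the target DC's account, and not a user or a group the DC is not a member of, is the one listed with GpoApply.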
 
LVL 18

Assisted Solution

by:Americom
Americom earned 400 total points
ID: 24077712
The recommended policy was to stop Conficker from spreading; it should be a temporary measure. Once you have Conficker cleaned and patched, you can remove the GPO. Also, since you have only 6 DCs, why not just scan and patch KB958644 on those domain controllers so that you don't have to worry about the GPO link to the DCs? For the workstations and member servers, you create the GPO to prevent Conficker from spreading because you have so many machines to patch and it may take some time; therefore Microsoft recommended that this GPO can be used to prevent Conficker from spreading to other machines, but the patch should still be applied. Also this GPO has a step that you have to be careful not to apply to DCs, as it will create more problems for you. So, my suggestion is simply to apply the patch to the DCs; this way you don't have to GPO the DCs. You may consider linking the GPO to workstations and servers if you have a separate OU for each and have not completed the security patch on all the systems yet.
 

Author Comment

by:mgmohiuddin
ID: 24084194
Well, believe me, in spite of having the patch, many servers including DCs had tasks created on a daily basis, hence this GPO. We have a very big setup, and while the GPO is in effect the security team is working towards cleaning up the virus issues, as we have computers not part of the domain, remote users, branches etc. So we will ultimately remove the GPO, but presently it is in use. I agree with you completely that Microsoft has suggested having this policy in place till the virus has been cleaned up, but this patch doesn't solve this issue.
