applying gpo active directory

Posted on 2009-04-06
Medium Priority
Last Modified: 2012-05-06
We have 6 domain controllers. On the Domain Controllers OU there is the Default Domain Controllers Policy and a policy that we created is applied. In the policy that we created we have changed the permissions on the windows\tasks folder to read-only for everyone. This was to counter the Conficker virus, as recommended by Microsoft. Now on one of the domain controllers we want to be able to create tasks. So I added one DC, for example DC2, to the Security tab of the group policy that we created and denied it the Read and Apply Group Policy permissions. GPResult displays that the policy is not applying.

The changes made by the policy are still retained. So, as I understand it, the only way to grant read/write permissions to users is by applying another policy and enabling it. I created another policy in which I added the file under Computer Settings/Windows Settings/File Permissions, added windows/tasks and gave permissions. Now when I link the policy to the Domain Controllers OU, I want to refresh this server manually and then unlink the policy so that the other DCs are not affected. I did this and gpresult says the policy is not applied; it says it is filtered.

How do I get this one DC to have read/write permissions on the Tasks folder?

Can I do this, for example: create an OU, link the policy which rolls back the changes to the new OU, move the DC to this OU, update the policy, then move it back to the original OU?

Please advise.
Question by: mgmohiuddin
LVL 27

Expert Comment

ID: 24077105
I wouldn't move the DC out of the Domain Controllers OU. Just create the new GPO with the required relaxed permission, and link it to the same OU as all the DCs.
Then apply security filtering so that only the one DC can read and apply this policy. Then set this GPO's precedence so it is above the other policy restricting the permissions. That way its settings will over-rule the existing GPO, but will only apply to the one DC.

Author Comment

ID: 24077181
OK, I have created the policy. When I am applying it, it says it is not applied because it is filtered. Could you elaborate on security filtering? On the Security tab of the GPO there are Authenticated Users, Creator Owner, Domain Admins, Enterprise Admins etc. So do you mean to say I add the other DCs on which I do not want this policy to be applied to the Security tab and deny them the Apply Group Policy permission?
LVL 27

Accepted Solution

bluntTony earned 1600 total points
ID: 24077238
In the GPMC, select the group policy object on the left hand side of the window. On the right hand side, select the 'Scope' tab.
The second section, Security Filtering, defines who can apply the GPO. Remove the 'Authenticated Users' group from here, and add in the computer account for the DC you want the settings to apply to, so only it can read the GPO. This basically writes back to the Security tab, applying the correct permissions. When you add the computer, you will have to click 'Object Types' and tick 'Computers' to allow you to add computer accounts to the security filtering. As long as only this DC is in the list, nothing else, then only it can read and apply the GPO.
Then, after you link the GPO to the OU holding the DCs, click on the OU in the GPMC. Check the 'Linked Group Policy Objects' tab and ensure that the new GPO is higher in the list than the old one.
Run 'gpupdate /force' on the DC and then check gpresult. All being well, your new settings should apply.
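The same procedure (security filtering to one computer account, link precedence above the restrictive GPO, then gpupdate and gpresult on the DC) as an added PowerShell example; this is not code from the thread. It assumes the GroupPolicy module (RSAT / Server 2008 R2 or later), a GPO named 'Tasks-Allow-DC2' that already carries the File System entry for the Tasks folder configured in GPMC, a DC named DC2 and the domain contoso.local; all of these names are placeholders.

```powershell
# Added example, not from the thread. Placeholders: GPO 'Tasks-Allow-DC2', DC 'DC2',
# domain contoso.local. The GPO is assumed to already hold the relaxed File System
# permission entry for %SystemRoot%\Tasks (set in GPMC; no cmdlet exists for that part).
Import-Module GroupPolicy

$GpoName  = 'Tasks-Allow-DC2'
$TargetDc = 'DC2'
$DcOu     = 'OU=Domain Controllers,DC=contoso,DC=local'

# 1. Security filtering: drop Authenticated Users so the GPO stops applying to every DC
#    in the OU. -Replace overwrites the trustee's existing ACE instead of merging into it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel None -Replace | Out-Null

# 2. Give Read + Apply Group Policy to the one DC's computer account only
#    (the same thing ticking 'Computers' under Object Types in GPMC achieves).
Set-GPPermission -Name $GpoName -TargetName $TargetDc -TargetType Computer `
                 -PermissionLevel GpoApply | Out-Null

# 3. Caveat: since MS16-072 (2016) a GPO that also carries user settings must be readable
#    by the computer account; read-only (not apply) for Domain Computers is harmless for a
#    computer-only GPO and avoids a later 'filtered out' surprise if user settings are added.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
                 -PermissionLevel GpoRead | Out-Null

# 4. Link to the Domain Controllers OU at link order 1 (highest precedence, processed
#    last) so its Tasks-folder ACL entry wins over the restrictive GPO's entry.
$links = (Get-GPInheritance -Target $DcOu).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes -Order 1 | Out-Null
} else {
    Set-GPLink -Name $GpoName -Target $DcOu -Order 1 | Out-Null
}

# 5. Verify precedence: the relaxed GPO should now be listed with Order 1.
(Get-GPInheritance -Target $DcOu).GpoLinks |
    Select-Object Order, DisplayName, Enabled | Format-Table -AutoSize

# 6. Refresh on the target DC and confirm the GPO moved from
#    'filtered out (Security)' to 'Applied Group Policy Objects'.
Invoke-Command -ComputerName $TargetDc -ScriptBlock {
    gpupdate /target:computer /force | Out-Null
    gpresult /r /scope:computer
}
```

Running gpresult on any other DC should still list the GPO under the filtered section, which is the expected outcome of the security filtering.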
LVL 18

Assisted Solution

Americom earned 400 total points
ID: 24077712
The recommended policy was to control Conficker from spreading; it should be a temporary measure. Once you have Conficker cleaned and patched, you can remove the GPO. Also, since you have only 6 DCs, why not just scan and patch KB958644 on those domain controllers so that you don't have to worry about the GPO link to DCs? For the workstations and member servers, you create the GPO to prevent Conficker from spreading because you have so many machines to patch and it may take some time; therefore Microsoft recommended that this GPO can be used to prevent Conficker from spreading to other machines, but the patch should still be applied. Also this GPO has a step that you have to be careful not to apply to DCs, as it will create more problems for you. So, my suggestion is simply to apply the patch to the DCs; this way you don't have to GPO the DCs. You may consider linking the GPO to workstations and servers if you have a separate OU for each and have not completed the security patch on all the systems yet.

Author Comment

ID: 24084194
Well, believe me, in spite of having the patch, many servers including DCs had tasks created on a daily basis, hence this GPO. We have a very big setup, and while the GPO is in effect the security team is working towards cleaning up the virus issues, as we have computers not part of the domain, remote users, branches etc. So we will ultimately remove the GPO, but presently it is in use. I agree with you completely that Microsoft has suggested having this policy in place till the virus has been cleaned up. But this patch doesn't solve this issue.
