[Webinar] Streamline your web hosting managementRegister Today


applying gpo active directory

Posted on 2009-04-06
Medium Priority
Last Modified: 2012-05-06
we have 6 domain controllers. on the domain controllers OU there is a default domain controller policy and a policy that we created is applied. in the policy that we created we have changed the permissions to the windows\tasks folder to read only for everyone. this was to counter the conflicker virus as recommdnded my microsoft. now on one of the domain controlers we want to be able to create tasks. so i added one dc for example dc2 to the security tab of the group policy that we created and denied permissions to read and apply group policy. the GPresults displays the policy is not applying.

the changes done by the policy are still retained. so as i understand the only way to grant read/write permissions to users is by applying another policy and enable it. i created another policy in which i have added the file in the computer settings/windows settings/file permissions. added windows/tasks and gave permissions. now when i link the policy to the domain controllers ou. i want to refresh this server manually and then unlink the policy so that other dc's are not affected. i did this and gpresult says the policy is not applied. it says it is filtered.

how do i get this one dc have read/write permissions on the tasksfolder.

can i do this, for example, create an OU. liink the policy which rolls back the changes to the new OU. move dc to this OU. update the policy then move it back to the original OU.

please advise
Question by:mgmohiuddin
  • 2
  • 2
LVL 27

Expert Comment

ID: 24077105
I wouldn't move the DC out of the Domain Controllers OU. Just create the new GPO with the required relaxed permission, and link it the the same OU as all the DCs.
Then apply security filtering so that only the one DC can read and apply this policy. Then set this GPO's precedence so it is above the other policy restricting the permissions. That way it's settings will over-rule the existing GPO, but will only apply to the one DC.

Author Comment

ID: 24077181
ok i have created the policy, when i am applying it it sdays it is not applied because it is filtered. could you elabarate on security filtering. on the security tab of the gpo there are authenticate dusers, creater owner, domain admins,enterprise admins etc. so do you mean to say i add other dc's on which i do not want this policy to be applied to add it to the security and deny the permission appli group policy.
LVL 27

Accepted Solution

bluntTony earned 1600 total points
ID: 24077238
In the GPMC, select the group policy object on the left hand side of the window. On the right hand side, select the 'Scope' tab.
The second section, Security Filtering, defines who can apply the GPO. Remove the 'Authenticated Users' group from here, and add in the computer account for the DC you want the settings to apply to, so just it can read the GPO. This basically writes back to the Security tab, applying the correct permissions. When you add the computer, you will have to click 'Object Types' and tick 'Computers' to allow you to add computer accounts to the security filtering. As long as only this DC is in the list, nothing else, then only it can read and apply the GPO.
Then, after you link the GPO to the OU holding the DCs, click on the OU in the GPMC. Check the 'Linked Group Policy Objects' tab and ensure that the new GPO is higher in the list than the old one.
Run 'gpupdate /force' on the DC and then check gpresult. All being well your new settings should apply.
LVL 18

Assisted Solution

Americom earned 400 total points
ID: 24077712
The recommended policy was to control the conflicker from spreading, it should be a temperorary usage. Once you have your conflicker cleaned and patch, you can remove the GPO. Also, since you have only 6 DCs, why not just scan and patch KB958644 on those domain controllers so that you don't have to worry about the GPO link to DCs. For the worksations and member servers, you create the GPO to prevent conflicker from spreading because you have so many machines to path and may take some time and therefore Microsoft recommended that this GPO can be used to prevent conflicker from spreading to other machines but not patch should be applied. Also this GPO has a step that you have to be careful not to apply to DCs as it will create more problem for you. So, my suggestion is simply apply the patch to the DCs this way you don't have to GPO the DCs. You may consider link the GPO to workstaion and servers if you have a separate OU of each and have not complete the security path to all the system yet.

Author Comment

ID: 24084194
well believe me in spite of having the patch, many servers including dc's had tasks created on a daily basis hence this gpo. we have a very big setup and while the gpo is in effect the security team is working towards cleaning up the vrus issues as we have computers not part of the domain, remote users, branches etc. so we will ultimately remove the gpo but presently it is in use. i agree with you completely that microsoft has suggested to have this policy in place till the virus had been  cleaned up. but this patch dosent solve this issue.

Featured Post

Free tool for managing users' photos in Office 365

Easily upload multiple users’ photos to Office 365. Manage them with an intuitive GUI and use handy built-in cropping and resizing options. Link photos with users based on Azure AD attributes. Free tool!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses

608 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question