GPO Setting query

kam_uk
Hi All

We are running Windows 2003 Active Directory. We have a Users OU which has a GPO named "UsersGPO" applied. This GPO sets many settings including desktop wallpaper, IE home page, what they can see in the Control Panel etc etc. The GPO is applied as:

Security Filtering: Authenticated Users
Delegation: Domain Admins, IT staff are denied from GPO application

We have a couple of developers in our company, and they want to test something related to the company Intranet. So, they want NO IE home page set, but they do want all the other settings.

I was just thinking of the best way to do this. My thoughts were:

i) Copy the UsersGPO and create a new one, DevelopersGPO, that had the same settings bar the IE home page.

ii) In Filtering, set to the Developers AD security group only.

I'm not sure what to set in Delegation though? Will the fact that the GPO has Filtering for Developers AD group only mean that it won't be applied to other users/domain admins etc? Or should I add them in there, with a Deny, to be sure? How about Denying them from even reading it?

iv) In the Users OU, the UsersGPO has link order 3. Would I be correct in saying that as long as this GPO was link order less than that (e.g. 2), the IE setting would not be set for these developers?

Any help appreciated!

Have you grouped the Developers to a separate OU?

Author

Commented:
Sorry - should have said - the Developers are in the Users OU, same as everyone else.
Link the newly created GPO to the OU and under Security Filtering make sure that only the 2 Developers are added and all other users/groups are removed.

Author

Commented:
Sure, thanks... but what about my questions here:

"I'm not sure what to set in Delegation though? Will the fact that the GPO has Filtering for Developers AD group only mean that it won't be applied to other users/domain admins etc? Or should I add them in there, with a Deny, to be sure? How about Denying them from even reading it?

iv) In the Users OU, the UsersGPO has link order 3. Would I be correct in saying that as long as this GPO was link order less than that (e.g. 2), the IE setting would not be set for these developers?"
You can leave the Delegation settings as they are.

You need not explicitly put any Deny Policy; once you add only the 2 Developers to the Security Filtering tab, the policy would be applied to the 2 Users.

Update the results.
bluntTony, Head of ICT
Top Expert 2009
Commented:
When you change the Security Filtering section on the scope tab of the GPMC, this actually changes the permissions on the delegation tab accordingly. So if you've restricted the GPO to only apply to a certain group, you'll notice that the Read and Apply permissions change on the Delegation tab.

The other permissions 'Edit Settings, Delete, Modify' you need to keep for the default groups to enable admins to be able to modify the policy. You'll notice that these entries do not include the 'Read' or 'Apply' settings, which are what determine who the policy will apply to.

Don't start using Deny permissions unless you really have to.
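
As an added illustration (not part of the thread and not Microsoft's code), this simplified Python model shows how security filtering, Deny entries and link order combine for the two GPOs discussed above. It assumes a single OU and ignores enforced links, parent-container inheritance, WMI filters and loopback; the group memberships and setting values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    link_order: int   # 1 = highest precedence among the OU's links
    settings: dict    # configured settings only; "Not configured" is simply absent
    allow_apply: set  # trustees with Allow Read + Apply (Security Filtering)
    deny_apply: set = field(default_factory=set)  # trustees with Deny Apply

    def applies_to(self, groups):
        # An explicit Deny beats an Allow gained through any other group.
        return bool(self.allow_apply & groups) and not (self.deny_apply & groups)

def resultant_settings(gpos, groups):
    """Merge the GPOs linked to one OU for a user with these group memberships."""
    result = {}
    # The highest link-order number is processed first, so link order 1 is
    # written last and wins any conflict.
    for gpo in sorted(gpos, key=lambda g: g.link_order, reverse=True):
        if gpo.applies_to(groups):
            for key, value in gpo.settings.items():
                result[key] = (value, gpo.name)  # remember which GPO supplied it
    return result

# Constructed sample data modelled on the question; values are placeholders.
COMMON = {"wallpaper": "corp.bmp", "control_panel": "restricted"}
HOME = {"ie_home_page": "http://intranet.example"}
MEMBERS = {
    "developer": {"Authenticated Users", "Developers"},
    "regular": {"Authenticated Users"},
    "admin": {"Authenticated Users", "Domain Admins"},
}

def scenario(deny_developers_on_users_gpo=False):
    """Resultant settings per user type, optionally denying Developers on UsersGPO."""
    deny = {"Domain Admins", "IT staff"}
    if deny_developers_on_users_gpo:
        deny = deny | {"Developers"}
    users_gpo = GPO("UsersGPO", 3, {**COMMON, **HOME}, {"Authenticated Users"}, deny)
    developers_gpo = GPO("DevelopersGPO", 2, dict(COMMON), {"Developers"})
    return {who: resultant_settings([users_gpo, developers_gpo], groups)
            for who, groups in MEMBERS.items()}

if __name__ == "__main__":
    for label, deny in (("as proposed", False), ("Developers denied on UsersGPO", True)):
        print(label)
        for who, settings in scenario(deny).items():
            print(f"  {who}: {settings}")
```

In this model, filtering DevelopersGPO to the Developers group is enough to keep it off everyone else without any Deny entry. A developer still receives the home page from UsersGPO while DevelopersGPO merely leaves it unconfigured, whatever the link order; it disappears only once UsersGPO no longer applies to them.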
