Solved

Group Policy Concerning Security Filtering and Security Groups/Users

Posted on 2011-09-23
5
342 Views
Last Modified: 2012-05-12
We have an OU for our Security Groups on the same level as our OU for Users.  Neither of them are nested within each other.  When applying a group policy to an OU and using Security Groups for Security Filtering, which OU should the GPO be applied to?

The Security Group contains Users so should I apply it to the Group OU or Users are a member of a Security Group so should I apply the GPO to the Users OU?  Or in the less than ideal scenario, do I have to create the GPO at the domain root so that the GPO is a level higher than both the Groups OU and the Users OU?

The purpose of the GPO is for printer deployment.

domain.com
|_
   Groups
   |_
      DELL23XX-01 (AD group to filter users receiving this printer)
|_
   Users

   
0
Comment
Question by:syn_tbarr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 36587706
Group policies never apply to groups, so link the GPO where the users are located.  In this case you could also link it at the domain level and it would work because you are using security filtering to restrict who gets it (assuming you removed authenticated users)

I personally like linking at the OU level if you are targetting like this.

Thanks

Mike
0
 
LVL 1

Author Comment

by:syn_tbarr
ID: 36587963
That is the same logic I followed and I applied it to the Users OU and filtered by the AD group in the Groups OU.  Unfortunately, something is wrong with the GPO itself then.

There is a security group PRINTER_SDS_ASST which contains 4 other security groups.  The GPO seems to have applied to 3 of the 4 security groups.  The security group contained the other 3 security groups prior to the creation of the GPO.  The 4th group was added after the GPO had been created.  The GPO has correctly been pushed to all of the users in the security groups for the 3 that were in the group PRINTER_SDS_ASST before the GPO was created.  The fourth group SDS_Assets which is part of PRINTER_SDS_ASST has still not received the printer when they log on.

Why is the GPO not recognizing that the group PRINTER_SDS_ASST now contains more users and filtering appropriately?

I have used GPOTool to verify that the policy has propagated between all the domain controllers and I have done GPUPDATE /FORCE on specific users that are part of SDS_Assets.  I have also tried rebooting their workstation as well.

Workstation GPResultPolicy
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36588514
0
 
LVL 11

Assisted Solution

by:Ackles
Ackles earned 250 total points
ID: 36594826
Hi,
I see that you have run GPO Tool to see the replication of GPO, what about the replication of User?
Can you please check if the user is shown in all DC's?

A much simpler approach would be to apply GPO to Authenticated Users & later go to Delegation tab & remove Read & Apply Group Policy for the Groups you don't want the policy to apply.

Try doing this & you can see what comes out.

Did you try to see the Event logs? The group policy Operational logs is a very good place as it gives you detailed info.

A
0
 
LVL 1

Author Closing Comment

by:syn_tbarr
ID: 36602118
I am not using Group Policy Preferences for printer deployment, although your statements had me attempt it.  It looks like Filtering actually works.  For some reason, GPP was not pushing the printer even I didn't pursue it very hard.  I will use GPP to force a default printer though.  Between degradation of SYSVOL on one of the domain controller's and my impatience I was receiving no results.

Thanks to both of you for your input.
0

Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question