?
Solved

Group Policy Concerning Security Filtering and Security Groups/Users

Posted on 2011-09-23
5
Medium Priority
?
352 Views
Last Modified: 2012-05-12
We have an OU for our Security Groups on the same level as our OU for Users.  Neither of them are nested within each other.  When applying a group policy to an OU and using Security Groups for Security Filtering, which OU should the GPO be applied to?

The Security Group contains Users so should I apply it to the Group OU or Users are a member of a Security Group so should I apply the GPO to the Users OU?  Or in the less than ideal scenario, do I have to create the GPO at the domain root so that the GPO is a level higher than both the Groups OU and the Users OU?

The purpose of the GPO is for printer deployment.

domain.com
|_
   Groups
   |_
      DELL23XX-01 (AD group to filter users receiving this printer)
|_
   Users

   
0
Comment
Question by:syn_tbarr
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 750 total points
ID: 36587706
Group policies never apply to groups, so link the GPO where the users are located.  In this case you could also link it at the domain level and it would work because you are using security filtering to restrict who gets it (assuming you removed authenticated users)

I personally like linking at the OU level if you are targetting like this.

Thanks

Mike
0
 
LVL 1

Author Comment

by:syn_tbarr
ID: 36587963
That is the same logic I followed and I applied it to the Users OU and filtered by the AD group in the Groups OU.  Unfortunately, something is wrong with the GPO itself then.

There is a security group PRINTER_SDS_ASST which contains 4 other security groups.  The GPO seems to have applied to 3 of the 4 security groups.  The security group contained the other 3 security groups prior to the creation of the GPO.  The 4th group was added after the GPO had been created.  The GPO has correctly been pushed to all of the users in the security groups for the 3 that were in the group PRINTER_SDS_ASST before the GPO was created.  The fourth group SDS_Assets which is part of PRINTER_SDS_ASST has still not received the printer when they log on.

Why is the GPO not recognizing that the group PRINTER_SDS_ASST now contains more users and filtering appropriately?

I have used GPOTool to verify that the policy has propagated between all the domain controllers and I have done GPUPDATE /FORCE on specific users that are part of SDS_Assets.  I have also tried rebooting their workstation as well.

Workstation GPResultPolicy
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36588514
0
 
LVL 11

Assisted Solution

by:Ackles
Ackles earned 750 total points
ID: 36594826
Hi,
I see that you have run GPO Tool to see the replication of GPO, what about the replication of User?
Can you please check if the user is shown in all DC's?

A much simpler approach would be to apply GPO to Authenticated Users & later go to Delegation tab & remove Read & Apply Group Policy for the Groups you don't want the policy to apply.

Try doing this & you can see what comes out.

Did you try to see the Event logs? The group policy Operational logs is a very good place as it gives you detailed info.

A
0
 
LVL 1

Author Closing Comment

by:syn_tbarr
ID: 36602118
I am not using Group Policy Preferences for printer deployment, although your statements had me attempt it.  It looks like Filtering actually works.  For some reason, GPP was not pushing the printer even I didn't pursue it very hard.  I will use GPP to force a default printer though.  Between degradation of SYSVOL on one of the domain controller's and my impatience I was receiving no results.

Thanks to both of you for your input.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question