Solved

Group Policy Concerning Security Filtering and Security Groups/Users

Posted on 2011-09-23
5
337 Views
Last Modified: 2012-05-12
We have an OU for our Security Groups on the same level as our OU for Users.  Neither of them are nested within each other.  When applying a group policy to an OU and using Security Groups for Security Filtering, which OU should the GPO be applied to?

The Security Group contains Users so should I apply it to the Group OU or Users are a member of a Security Group so should I apply the GPO to the Users OU?  Or in the less than ideal scenario, do I have to create the GPO at the domain root so that the GPO is a level higher than both the Groups OU and the Users OU?

The purpose of the GPO is for printer deployment.

domain.com
|_
   Groups
   |_
      DELL23XX-01 (AD group to filter users receiving this printer)
|_
   Users

   
0
Comment
Question by:syn_tbarr
  • 2
  • 2
5 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 36587706
Group policies never apply to groups, so link the GPO where the users are located.  In this case you could also link it at the domain level and it would work because you are using security filtering to restrict who gets it (assuming you removed authenticated users)

I personally like linking at the OU level if you are targetting like this.

Thanks

Mike
0
 
LVL 1

Author Comment

by:syn_tbarr
ID: 36587963
That is the same logic I followed and I applied it to the Users OU and filtered by the AD group in the Groups OU.  Unfortunately, something is wrong with the GPO itself then.

There is a security group PRINTER_SDS_ASST which contains 4 other security groups.  The GPO seems to have applied to 3 of the 4 security groups.  The security group contained the other 3 security groups prior to the creation of the GPO.  The 4th group was added after the GPO had been created.  The GPO has correctly been pushed to all of the users in the security groups for the 3 that were in the group PRINTER_SDS_ASST before the GPO was created.  The fourth group SDS_Assets which is part of PRINTER_SDS_ASST has still not received the printer when they log on.

Why is the GPO not recognizing that the group PRINTER_SDS_ASST now contains more users and filtering appropriately?

I have used GPOTool to verify that the policy has propagated between all the domain controllers and I have done GPUPDATE /FORCE on specific users that are part of SDS_Assets.  I have also tried rebooting their workstation as well.

Workstation GPResultPolicy
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36588514
0
 
LVL 11

Assisted Solution

by:Ackles
Ackles earned 250 total points
ID: 36594826
Hi,
I see that you have run GPO Tool to see the replication of GPO, what about the replication of User?
Can you please check if the user is shown in all DC's?

A much simpler approach would be to apply GPO to Authenticated Users & later go to Delegation tab & remove Read & Apply Group Policy for the Groups you don't want the policy to apply.

Try doing this & you can see what comes out.

Did you try to see the Event logs? The group policy Operational logs is a very good place as it gives you detailed info.

A
0
 
LVL 1

Author Closing Comment

by:syn_tbarr
ID: 36602118
I am not using Group Policy Preferences for printer deployment, although your statements had me attempt it.  It looks like Filtering actually works.  For some reason, GPP was not pushing the printer even I didn't pursue it very hard.  I will use GPP to force a default printer though.  Between degradation of SYSVOL on one of the domain controller's and my impatience I was receiving no results.

Thanks to both of you for your input.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article runs through the process of deploying a single EXE application selectively to a group of user.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question