Solved

Group Policy Concerning Security Filtering and Security Groups/Users

Posted on 2011-09-23
5
330 Views
Last Modified: 2012-05-12
We have an OU for our Security Groups on the same level as our OU for Users.  Neither of them are nested within each other.  When applying a group policy to an OU and using Security Groups for Security Filtering, which OU should the GPO be applied to?

The Security Group contains Users so should I apply it to the Group OU or Users are a member of a Security Group so should I apply the GPO to the Users OU?  Or in the less than ideal scenario, do I have to create the GPO at the domain root so that the GPO is a level higher than both the Groups OU and the Users OU?

The purpose of the GPO is for printer deployment.

domain.com
|_
   Groups
   |_
      DELL23XX-01 (AD group to filter users receiving this printer)
|_
   Users

   
0
Comment
Question by:syn_tbarr
  • 2
  • 2
5 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 36587706
Group policies never apply to groups, so link the GPO where the users are located.  In this case you could also link it at the domain level and it would work because you are using security filtering to restrict who gets it (assuming you removed authenticated users)

I personally like linking at the OU level if you are targetting like this.

Thanks

Mike
0
 
LVL 1

Author Comment

by:syn_tbarr
ID: 36587963
That is the same logic I followed and I applied it to the Users OU and filtered by the AD group in the Groups OU.  Unfortunately, something is wrong with the GPO itself then.

There is a security group PRINTER_SDS_ASST which contains 4 other security groups.  The GPO seems to have applied to 3 of the 4 security groups.  The security group contained the other 3 security groups prior to the creation of the GPO.  The 4th group was added after the GPO had been created.  The GPO has correctly been pushed to all of the users in the security groups for the 3 that were in the group PRINTER_SDS_ASST before the GPO was created.  The fourth group SDS_Assets which is part of PRINTER_SDS_ASST has still not received the printer when they log on.

Why is the GPO not recognizing that the group PRINTER_SDS_ASST now contains more users and filtering appropriately?

I have used GPOTool to verify that the policy has propagated between all the domain controllers and I have done GPUPDATE /FORCE on specific users that are part of SDS_Assets.  I have also tried rebooting their workstation as well.

Workstation GPResultPolicy
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36588514
0
 
LVL 11

Assisted Solution

by:Ackles
Ackles earned 250 total points
ID: 36594826
Hi,
I see that you have run GPO Tool to see the replication of GPO, what about the replication of User?
Can you please check if the user is shown in all DC's?

A much simpler approach would be to apply GPO to Authenticated Users & later go to Delegation tab & remove Read & Apply Group Policy for the Groups you don't want the policy to apply.

Try doing this & you can see what comes out.

Did you try to see the Event logs? The group policy Operational logs is a very good place as it gives you detailed info.

A
0
 
LVL 1

Author Closing Comment

by:syn_tbarr
ID: 36602118
I am not using Group Policy Preferences for printer deployment, although your statements had me attempt it.  It looks like Filtering actually works.  For some reason, GPP was not pushing the printer even I didn't pursue it very hard.  I will use GPP to force a default printer though.  Between degradation of SYSVOL on one of the domain controller's and my impatience I was receiving no results.

Thanks to both of you for your input.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now