Solved

Group Policy Object (GPO) Security Filtering

Posted on 2011-09-27
Last Modified: 2012-05-12
I am having trouble getting a GPO to run for a restricted user group.

I have a specific user group called "restricted users".

This group contains users that have been removed from the "Domain Users" group for security reasons.

I have created 3 GPOs and linked them to a specific OU for specific machines. I have also removed Authenticated Users from the Security Filter and added the "Restricted Users" group.

The GPOs do not run unless I add the "restricted users" group to the "Domain Users" group.

When I run the GPO Policy Wizard to see what is happening, the names of the GPOs show the SIDs rather than the GPO name, and "Reason Denied" states Inaccessible.

Can anyone show me what I'm doing wrong?
Question by: hdts
Expert Comment by: Mike Kline
Make sure the account you are using has read access to the GPO. For example, in my screenshot from the Default DC policy the domain admins have read access.

By the way, you are linking the GPO to an OU that contains computers, but your security filter is only applying to the users in the restricted users group, so it won't apply to the machines since you removed Authenticated Users (if I'm reading what you did correctly).

Thanks

Mike

Attachment: gpo-permissions.jpg
Author Comment by: hdts
Mike, the group does have READ permissions.

My understanding is that when you link a GPO to machines, the security restricts the application of that policy to a specific set of users specified in the Security Filtering. Is my understanding incorrect?

If I am incorrect, how do you suggest I accomplish what I'm trying to do?
Expert Comment by: Mike Kline
So if you link a GPO to machines, only those machines will be affected by the GPO.

So let's say you have

OU = computers

You link a GPO there, then all computers will receive that GPO.

Now you remove the Authenticated Users group (includes computers).

You then add a group that only contains users to the security filter. Now the computers will not receive that GPO because they are not in the group you added.

Thanks

Mike
Author Comment by: hdts
I see, said the blind man. I'm creating a group for the servers and adding it to the security filter; I'll let you know.
Expert Comment by: Mike Kline
You will have to either reboot the machines after you add them to the group, or you can try this cool trick from Darren:

http://www.sdmsoftware.com/general-stuff/picking-up-computer-group-membership-changes-without-a-reboot/

Thanks

Mike
Accepted Solution by: Ackles
Along with Read, make sure AGP (Apply Group Policy) is also checked.
Read alone will not help if AGP is not there.
A
Author Comment by: hdts
OK, I created the computer group and added it to the security filtering along with the user group; still no luck... If I add "authenticated users" it works, but once I take that away it no longer works... AGGGHHHH
Assisted Solution by: Ackles
That's fine, leave the Authenticated Users there, go to the Delegation tab & deny Read & AGP to the users you don't want it to apply to.
Simply make a group for whom you want to deny & deny the two rights to that group in Delegation.
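An added example, not from anyone in this thread: a PowerShell audit of one GPO's security filtering using the GroupPolicy module's Get-GPPermission. It flags trustees that have Read but not Apply Group Policy (Ackles' point), shows explicit Deny entries (the Delegation-tab approach), and warns when no Apply entry plainly covers computer accounts (Mike's point about a user-only filter on a computer OU). The GPO name and the name pattern used to recognise computer-side trustees are assumptions.

```powershell
# Added example (not the thread's own code): audit who can read / apply a GPO.
# Requires the GroupPolicy module (RSAT or a domain controller) and read rights on the GPO.
Import-Module GroupPolicy

function Test-GpoFiltering {
    param([Parameter(Mandatory)][string]$GpoName)

    # -All returns one GPPermission entry per trustee on the GPO's ACL
    $perms = Get-GPPermission -Name $GpoName -All

    foreach ($p in $perms) {
        $trustee = $p.Trustee.Name
        $kind    = $p.Trustee.SidType   # User, Group, Computer, WellKnownGroup, ...
        $level   = $p.Permission        # GpoRead, GpoApply, GpoEdit, ...

        if ($p.Denied) {
            # An explicit Deny beats any Allow the trustee gets via other groups
            "$trustee ($kind): DENY $level  <- explicit deny, policy will not apply"
        }
        elseif ($level -eq 'GpoRead') {
            "$trustee ($kind): Read only  <- missing Apply Group Policy, will NOT apply"
        }
        elseif ($level -eq 'GpoApply') {
            "$trustee ($kind): Read + Apply Group Policy  -> applies"
        }
        else {
            "$trustee ($kind): $level  (management right, not a filtering entry)"
        }
    }

    # Computer-side settings only apply if some Apply entry actually contains the
    # computer accounts. Heuristic (assumption): Computer SIDs, or well-known /
    # conventionally named groups such as Authenticated Users or Domain Computers.
    $computerSide = $perms | Where-Object {
        $_.Permission -eq 'GpoApply' -and -not $_.Denied -and (
            $_.Trustee.SidType -eq 'Computer' -or
            $_.Trustee.Name -match 'Authenticated Users|Domain Computers|Computers|Servers'
        )
    }
    if (-not $computerSide) {
        Write-Warning "No Apply entry clearly covers computer accounts; computer settings may not apply."
    }
}

# Placeholder GPO name (assumption); replace with the GPO you are troubleshooting.
Test-GpoFiltering -GpoName 'Restricted Workstations Policy'
```

Run it before and after editing the Delegation tab to confirm the Deny entry landed on the intended group and that the Authenticated Users Apply entry is still present.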
Author Closing Comment by: hdts
Worked.