Solved

Grroup Policy Object (GPO) Security Filtering

Posted on 2011-09-27
9
449 Views
Last Modified: 2012-05-12
I am having trouble getting a GPO to run for a restricted user group.

I have a specific user group called "restricted users"

This group contains users that have been removed from the "Domain Users" group for security reasons

I have created 3 GPO's and linked them to a specific OU for specific machines.  I have also removed the Authenticated Users from Security Filter and added the "Restricted Users" Group

THE GPO's do not run unless I add the "restricted users" group to the "Domain Users" group

When I run the GPO Policy Wizzard to see what is happening the names of the GPO show the SIDs rather then GPO name and for "Reason Denied" states Inaccessible

Can anyone show me what i'm doing wrong?
0
Comment
Question by:hdts
  • 4
  • 3
  • 2
9 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36711120
Make sure the account you are using has read access to the GPO.  For example in my screenshot from the Default DC policy the domain admins have read access.

By the way you are linking the GPO to an OU that contains computers but your security filter is only applying to the users in the restricted users group so it won't apply to the machines since you removed authenticated users. (if I'm reading what you did correctly)

Thanks

Mike




gpo-permissions.jpg
0
 

Author Comment

by:hdts
ID: 36711204
Mike, the group does have READ Permissions.

My understanding is that when you link a GPO to machines, the Security restricts the application of that policy to a specific set of users specified in the Security Filtering.  Is my understanding incorrect?

If i am incorrect how do you suggest I accomplish what I'm trying to do?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36711232
So if you link a GPO to machines only those machines will be affected by the GPO.

So lets say you have

OU = computers

You link a GPO there then all computers will receive that GPO.

Now you remove the Authenticated Users group (includes computers)

You then add a group that only contains users to the security filter.   Now the computers will not receive that GPO because they are not in the group you added.

Thanks

Mike
0
 

Author Comment

by:hdts
ID: 36711448
I See said the blind man..  I'm creating a group for the Servers and adding to the security filter, I'll let you know.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 36711926
You will have to either reboot the machines after you add them to the group or you can try this cool trick from Darren

http://www.sdmsoftware.com/general-stuff/picking-up-computer-group-membership-changes-without-a-reboot/

Thanks

Mike
0
 
LVL 11

Accepted Solution

by:
Ackles earned 500 total points
ID: 36712281
Along with Read, make sure AGP (Apply Group Policy) is also checked.
Read alone will not help if AGP is not there.
A
0
 

Author Comment

by:hdts
ID: 36913107
ok, I created the computer group and added it to the security filtering along with the user group, still no luck...  If I add "authenticated users" it works, but once I take that away it no longer works..   AGGGHHHH
0
 
LVL 11

Assisted Solution

by:Ackles
Ackles earned 500 total points
ID: 36913130
That's fine, leave the Authenticated users there, go to delegation tab & deny Read & AGP to the users u don't want to apply.
Simply make a group for whom u want to deny & deny the two rights to that group in delegation.
0
 

Author Closing Comment

by:hdts
ID: 37122256
worked.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now