Group Policy Object (GPO) Security Filtering

I am having trouble getting a GPO to run for a restricted user group.

I have a specific user group called "restricted users"

This group contains users that have been removed from the "Domain Users" group for security reasons

I have created 3 GPOs and linked them to a specific OU for specific machines. I have also removed Authenticated Users from the Security Filter and added the "Restricted Users" group.

The GPOs do not run unless I add the "restricted users" group to the "Domain Users" group.

When I run the Group Policy Results Wizard to see what is happening, the names of the GPOs show as SIDs rather than the GPO name, and "Reason Denied" states Inaccessible.

Can anyone show me what I'm doing wrong?

hdts asked:

Ackles commented (accepted answer):
Along with Read, make sure AGP (Apply Group Policy) is also checked.
Read alone will not help if AGP is not there.
A
0
 
Mike Kline commented:
Make sure the account you are using has read access to the GPO. For example, in my screenshot from the Default Domain Controllers policy the domain admins have read access.

By the way, you are linking the GPO to an OU that contains computers, but your security filter only applies to the users in the restricted users group, so it won't apply to the machines since you removed Authenticated Users (if I'm reading what you did correctly).

Thanks

Mike
[attached screenshot: gpo-permissions.jpg]
0
 
hdts (author) commented:
Mike, the group does have READ Permissions.

My understanding is that when you link a GPO to machines, the security filtering restricts the application of that policy to the specific set of users specified in Security Filtering. Is my understanding incorrect?

If I am incorrect, how do you suggest I accomplish what I'm trying to do?
0
Mike Kline commented:
So if you link a GPO to machines, only those machines will be affected by the GPO.

So let's say you have

OU = computers

You link a GPO there; then all computers will receive that GPO.

Now you remove the Authenticated Users group (which includes computers).

You then add a group that only contains users to the security filter. Now the computers will not receive that GPO because they are not in the group you added.

Thanks

Mike
0
 
hdts (author) commented:
I see, said the blind man. I'm creating a group for the servers and adding it to the security filter; I'll let you know.
0
 
Mike Kline commented:
You will have to either reboot the machines after you add them to the group, or you can try this cool trick from Darren:

http://www.sdmsoftware.com/general-stuff/picking-up-computer-group-membership-changes-without-a-reboot/

Thanks

Mike
0
 
hdts (author) commented:
OK, I created the computer group and added it to the security filtering along with the user group; still no luck... If I add "Authenticated Users" it works, but once I take that away it no longer works. AGGGHHHH
0
 
Ackles commented (accepted answer):
That's fine, leave Authenticated Users there, go to the Delegation tab & deny Read & AGP to the users you don't want the policy to apply to.
Simply make a group for whom you want to deny & deny the two rights to that group in Delegation.
0
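The two routes the thread converges on, scripted so the result can be checked rather than eyeballed in GPMC. This is an added example and not code from the thread or its participants; it assumes the GroupPolicy and ActiveDirectory RSAT modules, a session with rights to edit the GPO, and placeholder names ("Restricted-Servers" for the GPO, "Restricted Servers" for the computer group, "Blocked-From-GPO" for the deny group). Route 1 is Mike's answer (filter to a user group plus a computer group, keeping Read for Authenticated Users so the computer account can still read the GPO, which is what "Inaccessible" in the wizard points at). Route 2 is Ackles' accepted answer (keep Authenticated Users, deny Read and Apply Group Policy to a group).

```powershell
# Added example, not from the thread. Names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName     = 'Restricted-Servers'   # placeholder GPO name
$UserGroup   = 'Restricted Users'     # the user group from the question
$ComputerGrp = 'Restricted Servers'   # placeholder computer group (Mike's suggestion)

# ----- Route 1: security filtering with a user group AND a computer group -----
# Keep Read for Authenticated Users (drop only Apply). Removing Read entirely is why
# the Results wizard showed SIDs and "Inaccessible": the computer account could not
# even read the GPO container to resolve its name.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Both filter groups need Read + Apply Group Policy; GpoApply grants both (Ackles' point
# that Read alone is not enough).
Set-GPPermission -Name $GpoName -TargetName $UserGroup   -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName $ComputerGrp -TargetType Group -PermissionLevel GpoApply

# Confirm every trustee and its level; look for GpoApply on both groups.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission

# A computer's group membership is in its logon token, so servers added to the computer
# group need a reboot (or the trick Mike links) before the filter matches. On a target
# server, check with:   gpresult /r /scope:computer

# ----- Route 2: keep Authenticated Users, deny Read + Apply to one group -----
# The GPMC Delegation tab writes the deny to both the AD object and SYSVOL. Editing the
# AD object directly, as below, covers the part group policy processing evaluates; GPMC
# will then offer to sync the SYSVOL ACL if it reports a mismatch.
$DenyGroup = 'Blocked-From-GPO'
$gpo   = Get-GPO -Name $GpoName
$gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$sid   = (Get-ADGroup -Identity $DenyGroup).SID

# Well-known control-access-right GUID for "Apply Group Policy".
$applyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$acl = Get-Acl -Path "AD:\$gpoDn"
$denyRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny)
$denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpoRight)
$acl.AddAccessRule($denyRead)
$acl.AddAccessRule($denyApply)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# Verify the deny ACEs landed on the GPO object.
(Get-Acl -Path "AD:\$gpoDn").Access |
    Where-Object { $_.IdentityReference -like "*$DenyGroup" } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType
```

Route 2 is the one that "worked" for the asker because Authenticated Users keeps both Read and Apply for everything else, and a deny ACE wins over that allow only for members of the deny group. Either way, the thing to confirm is the same: the trustee the policy should apply to holds both Read and Apply Group Policy, and nothing the machine account needs has been denied.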
 
hdts (author) commented:
Worked.
0
Question has a verified solution.