Solved

Grroup Policy Object (GPO) Security Filtering

Posted on 2011-09-27
9
484 Views
Last Modified: 2012-05-12
I am having trouble getting a GPO to run for a restricted user group.

I have a specific user group called "restricted users"

This group contains users that have been removed from the "Domain Users" group for security reasons

I have created 3 GPO's and linked them to a specific OU for specific machines.  I have also removed the Authenticated Users from Security Filter and added the "Restricted Users" Group

THE GPO's do not run unless I add the "restricted users" group to the "Domain Users" group

When I run the GPO Policy Wizzard to see what is happening the names of the GPO show the SIDs rather then GPO name and for "Reason Denied" states Inaccessible

Can anyone show me what i'm doing wrong?
0
Comment
Question by:hdts
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36711120
Make sure the account you are using has read access to the GPO.  For example in my screenshot from the Default DC policy the domain admins have read access.

By the way you are linking the GPO to an OU that contains computers but your security filter is only applying to the users in the restricted users group so it won't apply to the machines since you removed authenticated users. (if I'm reading what you did correctly)

Thanks

Mike




gpo-permissions.jpg
0
 

Author Comment

by:hdts
ID: 36711204
Mike, the group does have READ Permissions.

My understanding is that when you link a GPO to machines, the Security restricts the application of that policy to a specific set of users specified in the Security Filtering.  Is my understanding incorrect?

If i am incorrect how do you suggest I accomplish what I'm trying to do?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36711232
So if you link a GPO to machines only those machines will be affected by the GPO.

So lets say you have

OU = computers

You link a GPO there then all computers will receive that GPO.

Now you remove the Authenticated Users group (includes computers)

You then add a group that only contains users to the security filter.   Now the computers will not receive that GPO because they are not in the group you added.

Thanks

Mike
0
Migrating Your Company's PCs

To keep pace with competitors, businesses must keep employees productive, and that means providing them with the latest technology. This document provides the tips and tricks you need to help you migrate an outdated PC fleet to new desktops, laptops, and tablets.

 

Author Comment

by:hdts
ID: 36711448
I See said the blind man..  I'm creating a group for the Servers and adding to the security filter, I'll let you know.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36711926
You will have to either reboot the machines after you add them to the group or you can try this cool trick from Darren

http://www.sdmsoftware.com/general-stuff/picking-up-computer-group-membership-changes-without-a-reboot/

Thanks

Mike
0
 
LVL 11

Accepted Solution

by:
Ackles earned 500 total points
ID: 36712281
Along with Read, make sure AGP (Apply Group Policy) is also checked.
Read alone will not help if AGP is not there.
A
0
 

Author Comment

by:hdts
ID: 36913107
ok, I created the computer group and added it to the security filtering along with the user group, still no luck...  If I add "authenticated users" it works, but once I take that away it no longer works..   AGGGHHHH
0
 
LVL 11

Assisted Solution

by:Ackles
Ackles earned 500 total points
ID: 36913130
That's fine, leave the Authenticated users there, go to delegation tab & deny Read & AGP to the users u don't want to apply.
Simply make a group for whom u want to deny & deny the two rights to that group in delegation.
0
 

Author Closing Comment

by:hdts
ID: 37122256
worked.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question