?
Solved

Grroup Policy Object (GPO) Security Filtering

Posted on 2011-09-27
9
Medium Priority
?
493 Views
Last Modified: 2012-05-12
I am having trouble getting a GPO to run for a restricted user group.

I have a specific user group called "restricted users"

This group contains users that have been removed from the "Domain Users" group for security reasons

I have created 3 GPO's and linked them to a specific OU for specific machines.  I have also removed the Authenticated Users from Security Filter and added the "Restricted Users" Group

THE GPO's do not run unless I add the "restricted users" group to the "Domain Users" group

When I run the GPO Policy Wizzard to see what is happening the names of the GPO show the SIDs rather then GPO name and for "Reason Denied" states Inaccessible

Can anyone show me what i'm doing wrong?
0
Comment
Question by:hdts
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36711120
Make sure the account you are using has read access to the GPO.  For example in my screenshot from the Default DC policy the domain admins have read access.

By the way you are linking the GPO to an OU that contains computers but your security filter is only applying to the users in the restricted users group so it won't apply to the machines since you removed authenticated users. (if I'm reading what you did correctly)

Thanks

Mike




gpo-permissions.jpg
0
 

Author Comment

by:hdts
ID: 36711204
Mike, the group does have READ Permissions.

My understanding is that when you link a GPO to machines, the Security restricts the application of that policy to a specific set of users specified in the Security Filtering.  Is my understanding incorrect?

If i am incorrect how do you suggest I accomplish what I'm trying to do?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36711232
So if you link a GPO to machines only those machines will be affected by the GPO.

So lets say you have

OU = computers

You link a GPO there then all computers will receive that GPO.

Now you remove the Authenticated Users group (includes computers)

You then add a group that only contains users to the security filter.   Now the computers will not receive that GPO because they are not in the group you added.

Thanks

Mike
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:hdts
ID: 36711448
I See said the blind man..  I'm creating a group for the Servers and adding to the security filter, I'll let you know.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 36711926
You will have to either reboot the machines after you add them to the group or you can try this cool trick from Darren

http://www.sdmsoftware.com/general-stuff/picking-up-computer-group-membership-changes-without-a-reboot/

Thanks

Mike
0
 
LVL 11

Accepted Solution

by:
Ackles earned 2000 total points
ID: 36712281
Along with Read, make sure AGP (Apply Group Policy) is also checked.
Read alone will not help if AGP is not there.
A
0
 

Author Comment

by:hdts
ID: 36913107
ok, I created the computer group and added it to the security filtering along with the user group, still no luck...  If I add "authenticated users" it works, but once I take that away it no longer works..   AGGGHHHH
0
 
LVL 11

Assisted Solution

by:Ackles
Ackles earned 2000 total points
ID: 36913130
That's fine, leave the Authenticated users there, go to delegation tab & deny Read & AGP to the users u don't want to apply.
Simply make a group for whom u want to deny & deny the two rights to that group in delegation.
0
 

Author Closing Comment

by:hdts
ID: 37122256
worked.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question