Solved

Group Policy security filtering based on AD Group

Posted on 2013-05-24
455 Views
Last Modified: 2013-05-31
Hello experts,

I have a scenario that is turning out to be problematic.  We want to roll out a new password policy to the entire company but want to exclude a group of users in Active Directory from this policy.

We have the security tab of the policy set to deny this group policy to this AD group but since the password settings are part of the computer configuration of a Group Policy, this deny permission has no effect - in other words, it would only deny settings in the user part of a Group Policy since that is processed at login time, not computer start-up time.

Loopback processing can't be used because it is designed to ensure the computer settings stay the same regardless of the user who logs in.

In short - we want to deny the computer settings of a Group Policy to an AD user group.

Thanks in advance.

RC
Question by:Levi Gwyn
6 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 39195241
You won't be able to do that; the password policy linked at the domain applies to every user account and can't be blocked. This only applies to the password policies; no other policies work this way.

Microsoft had a lot of complaints because people did want the ability to apply different policies to different users/groups. In Windows 2008 they introduced fine-grained password policies:

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

There are also third party tools.   What is your domain and forest functional level?

Thanks

Mike
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39195265
Hi Mike,

Our forest/domain functional level is 2008 R2.  Also, our plan is to set all the password settings in the top level domain policy to "not enabled" and apply a unique policy to each OU with the password settings we want.  This worked in a test environment but the issue of denying an AD group still remains.
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39195289
You won't be able to do that. You are going to have to use fine-grained password policies. By the way, if you have one Windows 8 or 2012 box (no DCs required) you can use the new version of ADAC, which makes managing FGPP much easier:

http://technet.microsoft.com/en-us/library/jj574178.aspx

Thanks

Mike
LVL 3

Expert Comment

by:violageek
ID: 39197126
You can create separate password policies using ADSI edit and apply them to separate groups and not use the default domain password policy. The steps can be found at the link below:

http://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx#BKMK_1

Hope this helps!
 
LVL 53

Expert Comment

by:McKnife
ID: 39199909
Though all has been said, I will add something to your understanding of GPO denials.
> we want to deny the computer settings of a Group Policy to an AD user group
What could be done with loopback processing is denying the application of user policies (and taking the settings that are applied to the "loopbacked" computer instead); never was it possible to prevent the application of computer policies through loopback processing.

But anyway, the denial you are looking for would need to be made at the object where the policy applies and that's at the computer objects that manage the domain user passwords, the DCs. So we can either apply the password policy to the DCs or leave it blank. As simple as that: all domain users or no one.
With PSOs however, we can finally apply to user objects and groups.
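The fine-grained password policy route recommended in the accepted answer and described above (a PSO bound to a user group rather than a GPO security filter), as an added example that is not from this thread; it uses the ActiveDirectory PowerShell module shipped with 2008 R2 RSAT, and the group name, PSO name and password settings are assumptions to replace with your own:

```powershell
# Added example (not from the thread): create a PSO and bind it to the AD group
# that should be exempt from the domain-wide password policy. Group name, PSO
# name and settings are assumptions. Requires the ActiveDirectory module and a
# domain functional level of Windows Server 2008 or higher.
Import-Module ActiveDirectory

$groupName = 'PasswordPolicyExceptions'   # assumed global security group of excluded users
$psoName   = 'PSO-Exceptions'             # assumed PSO name

# Settings for the exception group. A lower Precedence value wins when a user is
# covered by more than one PSO; the Default Domain Policy applies only to users
# that no PSO covers, which is what makes a per-group exception possible.
$params = @{
    Name                            = $psoName
    Precedence                      = 10
    ComplexityEnabled               = $true
    MinPasswordLength               = 8
    MinPasswordAge                  = (New-TimeSpan -Days 1)
    MaxPasswordAge                  = (New-TimeSpan -Days 180)
    PasswordHistoryCount            = 12
    LockoutThreshold                = 10
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
    Description                     = "Exception policy for $groupName"
}
New-ADFineGrainedPasswordPolicy @params

# Bind the PSO to the group. PSOs target user and global security group objects,
# not OUs or computers, which is why a GPO security filter could not do this.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName

# Verify: the resultant policy for a group member should be the PSO; a user
# outside the group returns nothing here and falls back to the domain policy.
$member = (Get-ADGroupMember -Identity $groupName | Select-Object -First 1).SamAccountName
Get-ADUserResultantPasswordPolicy -Identity $member |
    Select-Object Name, Precedence, MaxPasswordAge

# Audit: list every PSO in the domain with its precedence and subjects.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, AppliesTo
```

Run the verification step against a user who is not in the group as well, so you can confirm that only the intended accounts were moved off the domain policy.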
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39210736
We went with FGPP using ADSIEdit.  Thanks mkline71.  That worked well.