Solved

Group Policy security filtering based on AD Group

Posted on 2013-05-24
Last Modified: 2013-05-31
Hello experts,

I have a scenario that is turning out to be problematic. We want to roll out a new password policy to the entire company but want to exclude a group of users in Active Directory from this policy.

We have the security tab of the policy set to deny this group policy to this AD group, but since the password settings are part of the computer configuration of a Group Policy, this deny permission has no effect - in other words, it would only deny settings in the user part of a Group Policy, since that is processed at login time, not at computer start-up time.

Loopback processing can't be used because it is designed to ensure the computer settings stay the same regardless of the user who logs in.

In short - we want to deny the computer settings of a Group Policy to an AD user group.

Thanks in advance.

RC
0
Question by: Levi Gwyn
6 Comments
 
LVL 57

Accepted Solution by: Mike Kline (earned 500 total points)
ID: 39195241
You won't be able to do that; the password policy linked at the domain applies to every user account and can't be blocked. This only applies to the password policies; no other policies work this way.

Microsoft had a lot of complaints because people did want the ability to apply different policies to different users/groups. In Windows 2008 they introduced fine-grained password policies:

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

There are also third-party tools. What is your domain and forest functional level?

Thanks

Mike
0
 
LVL 4

Author Comment by: Levi Gwyn
ID: 39195265
Hi Mike,

Our forest/domain functional level is 2008 R2. Also, our plan is to set all the password settings in the top-level domain policy to "not enabled" and apply a unique policy to each OU with the password settings we want. This worked in a test environment, but the issue of denying an AD group still remains.
0
 
LVL 57

Expert Comment by: Mike Kline
ID: 39195289
You won't be able to do that. You are going to have to use fine-grained password policies. By the way, if you have one Windows 8 or 2012 box (no DCs required) you can use the new version of ADAC, which makes managing FGPP much easier:

http://technet.microsoft.com/en-us/library/jj574178.aspx

Thanks

Mike
0
 
LVL 3

Expert Comment by: violageek
ID: 39197126
You can create separate password policies using ADSI Edit and apply them to separate groups, instead of using the default domain password policy. The steps can be found at the link below:

http://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx#BKMK_1

Hope this helps!
0
 
LVL 53

Expert Comment by: McKnife
ID: 39199909
Though all has been said, I will add something to your understanding of GPO denials.

> we want to deny the computer settings of a Group Policy to an AD user group

What could be done with loopback processing is denying the application of user policies (and taking the settings that are applied to the "loopbacked" computer instead) - it was never possible to prevent the application of computer policies through loopback processing.

But anyway, the denial you are looking for would need to be made at the object where the policy applies, and that's at the computer objects that manage the domain user passwords: the DCs. So we can either apply the password policy to the DCs or leave it blank. As simple as that: all domain users or no one.

With PSOs, however, we can finally apply to user objects and groups.
0
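What the thread converges on (a PSO that exempts one group from the new domain-wide policy, then a check of which policy actually wins for each member), as an added PowerShell example that is not code from any poster; the group name, PSO name and password values are assumptions, and the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later) is assumed to be installed:

```powershell
# Added example (not from the thread): give one AD group its own PSO so it keeps
# the old settings while the rest of the domain gets the stricter default policy.
Import-Module ActiveDirectory

$ExemptGroup = 'PasswordPolicy-Exempt'    # hypothetical global security group
$PsoName     = 'PSO-Exempt-LegacyPolicy'  # hypothetical PSO name

# FGPP needs the Windows Server 2008 domain functional level or higher
# (the thread's domain is 2008 R2, so this check passes there).
$domain = Get-ADDomain
if ($domain.DomainMode -lt 'Windows2008Domain') {
    throw "Domain functional level $($domain.DomainMode) is too low for fine-grained password policies."
}

# Create the PSO with the settings the exempt group should keep. When a user is
# covered by several PSOs, the lowest Precedence wins; user-linked PSOs beat
# group-linked ones regardless of precedence. Values below are assumed.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 100 `
        -Description "Exempts $ExemptGroup from the stricter domain-wide policy" `
        -ComplexityEnabled $true -MinPasswordLength 8 -PasswordHistoryCount 12 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '180.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00' `
        -ReversibleEncryptionEnabled $false -ProtectedFromAccidentalDeletion $true
}

# Link the PSO to the group. PSOs target users and global security groups, which
# is exactly what a GPO security-filter deny on a user group could never do for
# the computer-side password settings.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $ExemptGroup

# Resultant policy: $null means no PSO applies and the Default Domain Policy wins.
function Get-EffectivePolicyName {
    param([string]$SamAccountName)
    $pso = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    if ($pso) { $pso.Name } else { 'Default Domain Policy' }
}

# Report what each member of the exempt group actually gets, so the exemption
# can be verified rather than assumed.
Get-ADGroupMember -Identity $ExemptGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        '{0,-25} {1}' -f $_.SamAccountName, (Get-EffectivePolicyName $_.SamAccountName)
    }
```

Running Get-EffectivePolicyName against a user outside the group should print "Default Domain Policy"; if a member does not show the PSO, check for another PSO with a lower Precedence or one linked directly to that user.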
 
LVL 4

Author Comment by: Levi Gwyn
ID: 39210736
We went with FGPP using ADSI Edit. Thanks mkline71. That worked well.
0