Solved

Group Policy security filtering based on AD Group

Posted on 2013-05-24
Last Modified: 2013-05-31
Hello experts,

I have a scenario that is turning out to be problematic. We want to roll out a new password policy to the entire company but want to exclude a group of users in Active Directory from this policy.

We have the security tab of the policy set to deny this group policy to this AD group, but since the password settings are part of the computer configuration of a Group Policy, this deny permission has no effect. In other words, it would only deny settings in the user part of a Group Policy, since that is processed at login time, not at computer start-up time.

Loopback processing can't be used because it is designed to ensure the computer settings stay the same regardless of the user who logs in.

In short: we want to deny the computer settings of a Group Policy to an AD user group.

Thanks in advance.

RC
0
Question by:Levi Gwyn
6 Comments
 
LVL 57

Accepted Solution

by: Mike Kline (earned 2000 total points)
ID: 39195241
You won't be able to do that; the password policy linked at the domain applies to every user account and can't be blocked. This only applies to the password policies; no other policies work this way.

Microsoft had a lot of complaints because people did want the ability to apply different policies to different users/groups. In Windows 2008 they introduced fine-grained password policies:

http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx

There are also third-party tools. What is your domain and forest functional level?

Thanks

Mike
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39195265
Hi Mike,

Our forest/domain functional level is 2008 R2. Also, our plan is to set all the password settings in the top-level domain policy to "not enabled" and apply a unique policy to each OU with the password settings we want. This worked in a test environment, but the issue of denying an AD group still remains.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39195289
You won't be able to do that. You are going to have to use fine-grained password policies. By the way, if you have one Windows 8 or 2012 box (no DCs required), you can use the new version of ADAC, which makes managing FGPP much easier:

http://technet.microsoft.com/en-us/library/jj574178.aspx

Thanks

Mike
0
 
LVL 3

Expert Comment

by:violageek
ID: 39197126
You can create separate password policies using ADSI Edit and apply them to separate groups, instead of using the default domain password policy. The steps can be found at the link below:

http://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx#BKMK_1

Hope this helps!
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39199909
Though all has been said, I will add something to your understanding of GPO denials.

> we want to deny the computer settings of a Group Policy to an AD user group

What could be done with loopback processing is denying the application of user policies (and taking the settings that are applied to the "loopbacked" computer instead); it was never possible to prevent the application of computer policies through loopback processing.

But anyway, the denial you are looking for would need to be made at the object where the policy applies, and that's at the computer objects that manage the domain user passwords: the DCs. So we can either apply the password policy to the DCs or leave it blank. As simple as that: all domain users or no one.

With PSOs, however, we can finally apply to user objects and groups.
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39210736
We went with FGPP using ADSI Edit. Thanks mkline71. That worked well.
0
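As an added example that is not part of any comment in this thread: the PSO approach Mike Kline and McKnife describe, done with the ActiveDirectory PowerShell module instead of ADSI Edit, bound to the AD group the question wants treated differently, and then verified per user. The PSO, group and account names are placeholders, and the module is assumed to be installed on a box joined to a domain at the 2008 (or higher) functional level.

```powershell
# Added example, not code from the thread. Creates a fine-grained password
# policy (PSO), binds it to a global security group, and checks the resultant
# policy for two users. All names below are placeholders.
Import-Module ActiveDirectory

$psoName   = 'PSO-Exempt-From-Strict-Policy'   # placeholder PSO name
$exemptGrp = 'PasswordPolicy-Exempt'           # placeholder global security group
$member    = 'jdoe'                            # placeholder user in that group
$nonMember = 'asmith'                          # placeholder user outside it

# PSOs can only be applied to users and global security groups, so check the
# group scope before trying to bind it.
$grp = Get-ADGroup -Identity $exemptGrp -Properties GroupScope, GroupCategory
if ($grp.GroupScope -ne 'Global' -or $grp.GroupCategory -ne 'Security') {
    throw "$exemptGrp must be a global security group to be a PSO subject."
}

# Create the PSO once. A lower Precedence wins when several PSOs match a user,
# and any PSO overrides the Default Domain Policy for its subjects.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 8 -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '180.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '0.00:30:00' `
        -LockoutObservationWindow '0.00:30:00' `
        -ProtectedFromAccidentalDeletion $true
}

# Bind the PSO to the group. This is the supported replacement for the GPO
# "deny" the question tried, which the thread shows cannot affect password settings.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $exemptGrp

# Verify what the DCs will actually enforce for each user. The cmdlet returns
# nothing when no PSO applies, meaning the Default Domain Policy is in effect.
foreach ($u in $member, $nonMember) {
    $r = Get-ADUserResultantPasswordPolicy -Identity $u
    if ($r) { "$u -> PSO '$($r.Name)' (MinPasswordLength $($r.MinPasswordLength))" }
    else    { "$u -> Default Domain Policy (no PSO applies)" }
}
```

Rerunning the verification loop after group membership changes is the quickest way to confirm that the right users, and only those users, are covered by the PSO.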
