Solved

Security Group Not Taking GPO

Posted on 2014-02-12
21
1,055 Views
Last Modified: 2014-02-14
Experts,

It's me again. Another issue, which should be quite simple...
In my domain I created an OU with one Security Group in it. In this Security Group I have a bunch of members. I slapped a User Config'd GPO to this OU and linked it. Running the simulator on the OU, I see it applying the Default Domain Policy and the GPO, which is great, but RSOP on the client doesn't reflect the GPO settings.

Domain
-OU [GPO]
--Group
---Members


Now, the members in this Security Group are also members of Domain Users, Everyone, Users, and probably Authorized Users. Could this be the problem?
0
Comment
Question by:Michael L
21 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39853677
It sounds like you have the GPO linked to the OU containing the Group. Are the users also in this OU? A GPO has to be linked to the object that is receiving it (users or computers).
0
 

Author Comment

by:Michael L
ID: 39853690
Users are in the Group, so shouldn't they be in the OU, if the Group is? A GPO is linked to the OU.
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39853709
The GPO must be linked to the OU that the users are a member of.
0

 

Author Comment

by:Michael L
ID: 39853715
It is linked to the OU the Group is a member of. Do I need to put the users in the OU instead of the Group?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39853773
You need to link the GPO to the OU that the users are a member of.
0
 

Author Comment

by:Michael L
ID: 39853780
Is it the same as if the users are members of a group that is in the OU with the GPO linked to it?
0
 
LVL 14

Expert Comment

by:Raj-GT
ID: 39853901
No, it is not. You can only apply GPOs to user and computer objects. You can of course scope the objects using security groups, but the GPOs themselves need to be applied to an OU containing said objects.

Domain
-OU [GPO with apply to Group]
--Members
0
 

Author Comment

by:Michael L
ID: 39853916
Ohhhh... ok, I'll be back :P
0
 

Author Comment

by:Michael L
ID: 39854045
Ok, I have my members in the OU with the GPO linked to it. Problem is now, the GPO is being denied.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39854103
No matter; you could use security filtering on the GPO to grant access to the security group, and maybe all users are members of that group.
If you don't want to use a security group, then Authenticated Users must be there in security filtering.

But at the same time, users must reside in the OU, or in sub-OUs somewhere under the OU the GPO is applied to.
This is a basic prerequisite for any GPO.

Mahesh
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39854109
Can you post a screenshot of the scope tab of your GPO?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39854114
You can see the scope tab under Item 3 on this page:

http://deployhappiness.com/top-10-ways-to-troubleshoot-group-policy/
0
 

Author Comment

by:Michael L
ID: 39854274
Ok, the GPO is being applied to the OU now (per RSOP on the OU), but RSOP on my users doesn't show it being applied.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39855545
You may be having an orphaned GPO issue; please delete orphaned GPOs, if any, and check if the GPO is getting applied.

You need to find orphaned GPOs in the entire domain with the PowerShell script below (the script can be run from 2008 R2 domain controllers only):
http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807
Concept of orphaned GPOs:
1. If the GPO is deleted directly through Active Directory Users and Computers or ADSI Edit.
2. If the GPO was deleted by someone that had permissions to do so in AD, but not in SYSVOL. In this case, the AD portion of the GPO would be deleted but the SYSVOL portion of the GPO would be left behind.

Before running the PowerShell script, you must set the PowerShell execution policy to Unrestricted
by running the command below in an elevated PowerShell:
Set-ExecutionPolicy Unrestricted
The command will ask you for confirmation; there you need to select Y and hit Enter.
Then you also need to import the Active Directory PowerShell module first, before running the script, by running the command below:
Import-Module ActiveDirectory

You must have administrative rights on Group Policy objects in the domain.
Domain Admins membership will be just fine.

Mahesh
0
 

Author Comment

by:Michael L
ID: 39856350
I don't think GPOs were even being used before I took over, but I'll run this anyway, just to be sure. Thanks!
0
 

Author Comment

by:Michael L
ID: 39856887
Ok, Server 2008 (non-R2) doesn't have PowerShell? I made one change, though. I made the Security Group a member of Builtin\Users. Checked the Scope tab, clicked Advanced, made sure the Security Group had Read and Apply Group Policy checked, did an RSOP on the client, and success! Does it make sense for that to have done the trick?
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 39856931
That sounds like the GPO itself wasn't scoped correctly. Under the scope tab, what groups are listed under Security Filtering?
0
 

Author Comment

by:Michael L
ID: 39857587
Authenticated Users and the Security Group I had added.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39858183
You don't need to add the security group if Authenticated Users is added.

Then it will apply to all users in that OU.

If this is not your requirement and you just want to apply the GPO to particular users only in the same OU, then you need to remove Authenticated Users from security filtering and add the security group, so that the policy will apply only to the security group members and not to all users in the OU.

Does that make sense?

Mahesh
0
 

Author Comment

by:Michael L
ID: 39859093
Ok, so then Authenticated Users was sufficient. I guess I was worried that the GPO would apply to all Authenticated Users, but if it's only linked to the OU the select members are in, only they will be affected.
0
 
LVL 37

Accepted Solution

by:Mahesh (earned 500 total points)
ID: 39859604
Yes, only users in that particular OU, or in sub-OUs underneath it, will get affected.

Example:
If the OU contains 100 users and you want to apply the policy to 50 users, then you should create a security group, add those 50 users as members, remove Authenticated Users from security filtering and add that security group.
If you don't do it this way, the policy will apply to all users in that particular OU, because every user that is authenticated by Active Directory is an Authenticated User.

If you apply this policy at domain level, then all users in the domain will get affected.

Mahesh
0
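The two checks this thread turned on, written up as an added PowerShell example (not code from the thread or from any of the posters): whether the user's own object sits under a container that links the GPO, and who has Apply in the GPO's security filtering, with an optional step that narrows the scope to one security group as the accepted answer describes. It assumes the GroupPolicy and ActiveDirectory modules (RSAT or a 2008 R2+ DC); the GPO, group and user names are placeholders.

```powershell
# Added example, not from the thread. Audits GPO link placement and security
# filtering for one user, then optionally scopes the GPO to a single group.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'Example User GPO'   # placeholder: your GPO's display name
$GroupName  = 'GPO-Scoped-Users'   # placeholder: the security group to filter on
$SamAccount = 'jdoe'               # placeholder: a user who should receive the GPO

$gpo = Get-GPO -Name $GpoName

# 1. Containers that link this GPO (domain root plus every OU). A group sitting
#    inside a linked OU does nothing; the user object itself must be under it.
$containers = @((Get-ADDomain).DistinguishedName) +
    (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$linkTargets = foreach ($dn in $containers) {
    (Get-GPInheritance -Target $dn).GpoLinks |
        Where-Object { $_.GpoId -eq $gpo.Id -and $_.Enabled } |
        Select-Object -ExpandProperty Target
}
"Linked (enabled) at: $($linkTargets -join '; ')"

# 2. Is the user's DN underneath one of those containers?
$userDn = (Get-ADUser -Identity $SamAccount).DistinguishedName
$inScope = $linkTargets | Where-Object {
    $userDn.EndsWith(",$_", [System.StringComparison]::OrdinalIgnoreCase)
}
if (-not $inScope) { "WARNING: $SamAccount is not under any container that links '$GpoName'" }

# 3. Security filtering: every trustee with Apply, plus any explicit Deny
#    (a Deny on a group the user belongs to overrides Authenticated Users).
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -or $_.Denied } |
    ForEach-Object { '{0}: {1}{2}' -f $_.Trustee.Name, $_.Permission, $(if ($_.Denied) { ' (DENIED)' }) }

# 4. Narrow the scope to the group (the "50 of 100 users" case). This rewrites
#    the GPO's ACL, so it is off by default; set $Narrow = $true deliberately.
$Narrow = $false
if ($Narrow) {
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -PermissionLevel GpoApply
    # Drop only Apply for Authenticated Users and keep Read: since MS16-072
    # (June 2016) the computer account must still be able to read user GPOs.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace
}
```

Run step 4 only after steps 1 to 3 look right: filtering to a group is pointless if the user is not under a linked OU, and removing Read from Authenticated Users rather than just Apply breaks user policy processing on patched clients.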
