Solved

Security Group Not Taking GPO

Posted on 2014-02-12
Last Modified: 2014-02-14
Experts,

It's me again. Another issue, which should be quite simple...
In my domain I created an OU with one Security Group in it. In this Security Group I have a bunch of members. I slapped a User Config'd GPO to this OU and linked it. Running the simulator on the OU, I see it applying the Default Domain Policy and the GPO, which is great, but RSOP on the client doesn't reflect the GPO settings.

Domain
-OU [GPO]
--Group
---Members


Now, the members in this Security Group are also members of Domain Users, Everyone, Users, and probably Authorized Users. Could this be the problem?
21 Comments
 
LVL 21

Expert Comment

by:Joseph Moody
It sounds like you have the GPO linked to the OU containing the Group. Are the users also in this OU? A GPO has to be linked to the object that is receiving it (users or computers).
 

Author Comment

by:Michael L
Users are in the Group, so shouldn't they be in the OU, if the Group is? A GPO is linked to the OU.
 
LVL 21

Expert Comment

by:Joseph Moody
The GPO must be linked to the OU that the users are a member of.
 

Author Comment

by:Michael L
It is linked to the OU the Group is a member of. Do I need to put the users in the OU instead of the Group?
 
LVL 21

Expert Comment

by:Joseph Moody
You need to link the GPO to the OU that the users are a member of.
 

Author Comment

by:Michael L
Is it the same as if the users are members of a group that is in the OU with the GPO linked to it?
 
LVL 14

Expert Comment

by:Raj-GT
No, it is not. You can only apply GPOs to user and computer objects. You can of course scope the objects using Security Groups, but the GPOs themselves need to be applied to an OU containing said objects.

Domain
-OU [GPO with apply to Group]
--Members
 

Author Comment

by:Michael L
Ohhhh... ok, I'll be back :P
 

Author Comment

by:Michael L
Ok, I have my members in the OU with the GPO linked to it. Problem is now, the GPO is being denied.
 
LVL 35

Expert Comment

by:Mahesh
No matter; you could use security filtering on the GPO to grant access to a security group, and maybe all users are members of that group.
If you don't want to use a security group, then Authenticated Users must be present in security filtering.

But at the same time, users must reside in the OU or in sub-OUs somewhere under the OU where the GPO is applied.
These are the basic prerequisites for any GPO.

Mahesh
 
LVL 21

Expert Comment

by:Joseph Moody
Can you post a screenshot of the scope tab of your GPO?
 
LVL 21

Expert Comment

by:Joseph Moody
You can see the scope tab under Item 3 on this page:

http://deployhappiness.com/top-10-ways-to-troubleshoot-group-policy/
 

Author Comment

by:Michael L
Ok, the GPO is being applied to the OU now (per RSOP on the OU), but RSOP on my users doesn't show it being applied.
 
LVL 35

Expert Comment

by:Mahesh
You may be having an orphaned GPO issue; please delete orphaned GPOs, if any, and check if the GPO is getting applied.

You need to find orphaned GPOs in the entire domain with the PowerShell script below (the script can be run from 2008 R2 domain controllers only):
http://www.jhouseconsulting.com/2012/09/03/finding-orphaned-group-policy-objects-807
Concept of orphaned GPOs:
1. If the GPO is deleted directly through Active Directory Users and Computers or ADSI Edit.
2. If the GPO was deleted by someone that had permissions to do so in AD, but not in SYSVOL. In this case, the AD portion of the GPO would be deleted but the SYSVOL portion of the GPO would be left behind.

Before running the PowerShell script, you must set the PowerShell execution policy to Unrestricted
by running the command below in an elevated PowerShell:
Set-ExecutionPolicy Unrestricted
The command will ask you for confirmation; there you need to select Y and hit Enter.
Then you also need to import the Active Directory PowerShell module before running the script, by running the command below:
Import-Module ActiveDirectory

You must have administrative rights on Group Policy objects in the domain.
Domain Admins membership will be just fine.

Mahesh
 

Author Comment

by:Michael L
I don't think GPOs were even being used before I took over, but I'll run this anyway, just to be sure. Thanks!
 

Author Comment

by:Michael L
Ok, Server 2008 (non-R2) doesn't have PowerShell? I made one change, though. I made the Security Group a member of Users/builtin. Checked the Scope, clicked Advanced, made sure the Security Group had Read and Apply GPOs checked, did an RSOP on the client, and success! Does it make sense for that to have done the trick?
 
LVL 21

Expert Comment

by:Joseph Moody
That sounds like the GPO itself wasn't scoped correctly. Under the scope tab, what groups are listed under Security Filtering?
 

Author Comment

by:Michael L
Authenticated Users and the Security Group I had added.
 
LVL 35

Expert Comment

by:Mahesh
You don't need to add the security group if Authenticated Users is added.

Then it will apply to all users in that OU.

If this is not your requirement and you just want to apply the GPO to particular users only in the same OU, then you need to remove Authenticated Users from security filtering and add the security group, so that the policy will apply only to security group members and not to all users in the OU.

Does that make sense?

Mahesh
 

Author Comment

by:Michael L
Ok, so then Authenticated Users was sufficient. I guess I was worried that the GPO would apply to all Auth Users, but if it's only linked to the OU the select members are in, only they will be affected.
 
LVL 35

Accepted Solution

by:Mahesh (earned 500 total points)
Yes, only users in that particular OU or in sub-OUs underneath it will be affected.

Ex:
If the OU contains 100 users and you want to apply the policy to 50 users, then you should create a security group, add those 50 users as members, remove Authenticated Users from security filtering and add that security group.
If you do not do it this way, the policy will apply to all users in that particular OU, because every user that is authenticated by Active Directory is an authenticated user.

If you apply this policy at the domain level, then all users in the domain will be affected.

Mahesh
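Putting the accepted answer into practice, as an added example that is not from this thread or its participants: a PowerShell script (GroupPolicy and ActiveDirectory modules) that links a GPO to the OU holding the users, swaps Authenticated Users for a security group in the security filtering, and then checks both prerequisites the thread names. The OU, GPO and group names are assumed placeholders.

```powershell
# Added example (not from this thread): scope a user GPO to one security group the way the
# accepted answer describes. The OU, GPO and group names below are assumed placeholders.
# Requires the GroupPolicy and ActiveDirectory modules (RSAT / Server 2008 R2 or later).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ouDn    = 'OU=Finance,DC=corp,DC=example'   # OU that holds the USER objects
$gpoName = 'Finance-UserSettings'            # GPO carrying the User Configuration settings
$group   = 'GG-Finance-Policy'               # global group of the users that should get it

# 1. Link the GPO to the OU containing the users (a group object inside an OU is not a link target).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null }

# 2. Security filtering: the group gets Read + Apply Group Policy; Authenticated Users keeps
#    Read only, so the policy applies to group members in the OU subtree and to nobody else.
#    (Keep Read for Authenticated Users: since MS16-072, June 2016, user policy is fetched in
#    the computer's security context and is skipped if Authenticated Users cannot read the GPO.)
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Verify both prerequisites from the thread: every group member must sit under the linked OU,
#    and the GPO ACL must list the intended Read/Apply trustees.
Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        [pscustomobject]@{
            User       = $_.SamAccountName
            InLinkedOU = ($_.distinguishedName -like "*,$ouDn")   # False = the GPO can never apply
        }
    }
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoRead' -or $_.Permission -eq 'GpoApply' } |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission

# On a client, confirm the result with: gpresult /r /scope:user
```

Any user whose InLinkedOU column is False will never receive the GPO no matter how the filtering is set, which is the first problem the thread ran into.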
