Solved

GPO Security Filter: if two, is it AND or OR?  (Must have 'Authenticated Users'?)

Posted on 2014-04-02
3
427 Views
Last Modified: 2014-04-02
I'm a total newbie to active directory, so I'm sorry if this is a really dumb question, but I'm trying to push out FLASH 12.0.77.  I'm doing it as a MACHINE based software install of the MSI.

It's linked to everyone at my location.

I want to first test it with my "FLASH-TEST-GROUP" (which I put in the security filtering section).

a) In addition to my "flash-test-group", do I also need "authenticated users"?

b) If there are two items in the security filtering section, does it act as an AND or an OR??

Thanks,
Mike
0
Comment
Question by:mike2401
3 Comments
 
LVL 83

Accepted Solution

by:
oBdA earned 250 total points
ID: 39972412
Let's start with b): Just like NTFS ACLs, Security Filtering for GPOs is additive, or, as you put it, an "OR" relation. If an object is in any one of the groups in the Security Filtering field (and the object is in or under the OU to which the GPO is linked), the GPO will apply to this object.
So for a), if you leave "Authenticated Users", you don't need to bother with "flash-test-group", because "Authenticated Users" is already basically every domain member (computers included). In other words: remove "Authenticated Users" from the list if you only want to test it with "flash-test-group".
0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 250 total points
ID: 39972415
A) You actually would not want the authenticated users in there as it would negate your Flash-test-group setting. Think of the security filtering the same way you think of NTFS security. If a user is a member of two groups the permissions get combined to the highest level.

B) See above.
0
 

Author Closing Comment

by:mike2401
ID: 39972589
Thank you both, that makes total sense !!!
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

I'm sure that every Windows systems administrator has written, or at least used, a batch or VBS login script at some point in their career, whether it is to map network drives, install printers, or set some user preferences.  No more! With Window…
I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now