[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

GPO Security Filter: if two, is it AND or OR?  (Must have 'Authenticated Users'?)

Posted on 2014-04-02
3
Medium Priority
?
465 Views
Last Modified: 2014-04-02
I'm a total newbie to active directory, so I'm sorry if this is a really dumb question, but I'm trying to push out FLASH 12.0.77.  I'm doing it as a MACHINE based software install of the MSI.

It's linked to everyone at my location.

I want to first test it with my "FLASH-TEST-GROUP" (which I put in the security filtering section).

a) In addition to my "flash-test-group", do I also need "authenticated users"?

b) If there are two items in the security filtering section, does it act as an AND or an OR??

Thanks,
Mike
0
Comment
Question by:mike2401
3 Comments
 
LVL 86

Accepted Solution

by:
oBdA earned 1000 total points
ID: 39972412
Let's start with b): Just like NTFS ACLs, Security Filtering for GPOs is additive, or, as you put it, an "OR" relation. If an object is in any one of the groups in the Security Filtering field (and the object is in or under the OU to which the GPO is linked), the GPO will apply to this object.
So for a), if you leave "Authenticated Users", you don't need to bother with "flash-test-group", because "Authenticated Users" is already basically every domain member (computers included). In other words: remove "Authenticated Users" from the list if you only want to test it with "flash-test-group".
0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 1000 total points
ID: 39972415
A) You actually would not want the authenticated users in there as it would negate your Flash-test-group setting. Think of the security filtering the same way you think of NTFS security. If a user is a member of two groups the permissions get combined to the highest level.

B) See above.
0
 

Author Closing Comment

by:mike2401
ID: 39972589
Thank you both, that makes total sense !!!
0

Featured Post

The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question