Solved

GPO Security Filter: if two, is it AND or OR?  (Must have 'Authenticated Users'?)

Posted on 2014-04-02
3
429 Views
Last Modified: 2014-04-02
I'm a total newbie to active directory, so I'm sorry if this is a really dumb question, but I'm trying to push out FLASH 12.0.77.  I'm doing it as a MACHINE based software install of the MSI.

It's linked to everyone at my location.

I want to first test it with my "FLASH-TEST-GROUP" (which I put in the security filtering section).

a) In addition to my "flash-test-group", do I also need "authenticated users"?

b) If there are two items in the security filtering section, does it act as an AND or an OR??

Thanks,
Mike
0
Comment
Question by:mike2401
3 Comments
 
LVL 83

Accepted Solution

by:
oBdA earned 250 total points
ID: 39972412
Let's start with b): Just like NTFS ACLs, Security Filtering for GPOs is additive, or, as you put it, an "OR" relation. If an object is in any one of the groups in the Security Filtering field (and the object is in or under the OU to which the GPO is linked), the GPO will apply to this object.
So for a), if you leave "Authenticated Users", you don't need to bother with "flash-test-group", because "Authenticated Users" is already basically every domain member (computers included). In other words: remove "Authenticated Users" from the list if you only want to test it with "flash-test-group".
0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 250 total points
ID: 39972415
A) You actually would not want the authenticated users in there as it would negate your Flash-test-group setting. Think of the security filtering the same way you think of NTFS security. If a user is a member of two groups the permissions get combined to the highest level.

B) See above.
0
 

Author Closing Comment

by:mike2401
ID: 39972589
Thank you both, that makes total sense !!!
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I'm sure that every Windows systems administrator has written, or at least used, a batch or VBS login script at some point in their career, whether it is to map network drives, install printers, or set some user preferences.  No more! With Window…
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

948 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now