Solved

GPO Security Filter: if two, is it AND or OR?  (Must have 'Authenticated Users'?)

Posted on 2014-04-02
3
437 Views
Last Modified: 2014-04-02
I'm a total newbie to active directory, so I'm sorry if this is a really dumb question, but I'm trying to push out FLASH 12.0.77.  I'm doing it as a MACHINE based software install of the MSI.

It's linked to everyone at my location.

I want to first test it with my "FLASH-TEST-GROUP" (which I put in the security filtering section).

a) In addition to my "flash-test-group", do I also need "authenticated users"?

b) If there are two items in the security filtering section, does it act as an AND or an OR??

Thanks,
Mike
0
Comment
Question by:mike2401
3 Comments
 
LVL 84

Accepted Solution

by:
oBdA earned 250 total points
ID: 39972412
Let's start with b): Just like NTFS ACLs, Security Filtering for GPOs is additive, or, as you put it, an "OR" relation. If an object is in any one of the groups in the Security Filtering field (and the object is in or under the OU to which the GPO is linked), the GPO will apply to this object.
So for a), if you leave "Authenticated Users", you don't need to bother with "flash-test-group", because "Authenticated Users" is already basically every domain member (computers included). In other words: remove "Authenticated Users" from the list if you only want to test it with "flash-test-group".
0
 
LVL 35

Assisted Solution

by:Joseph Daly
Joseph Daly earned 250 total points
ID: 39972415
A) You actually would not want the authenticated users in there as it would negate your Flash-test-group setting. Think of the security filtering the same way you think of NTFS security. If a user is a member of two groups the permissions get combined to the highest level.

B) See above.
0
 

Author Closing Comment

by:mike2401
ID: 39972589
Thank you both, that makes total sense !!!
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

831 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question