Solved

Domain Security

Posted on 2016-08-23
5
88 Views
Last Modified: 2016-08-31
I already have my active directory tree and group policy in place.  I would like to be able to create a group that I could restrict access through a group policy object.  Is this possible?

Example:  OU=MPA
                          Users
                          Computers
                          Groups
I've already linked my Group Policy Objects to this group but I don't necessarily want "everyone" in that group to be restricted.  Can I create a new group (under groups) where I could manually add individuals that I deem problematic?
0
Comment
Question by:Mary Macchioni
  • 2
  • 2
5 Comments
 
LVL 16
ID: 41767366
Sure, and you can scope the GPO to that security group instead of the OU. Make sure that you keep it scoped to authenticated users as well, but make sure the permissions of the authenticated users group are set to not apply group policy.

MO
0
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 41767370
What type of access are you attempting to restrict?

NTFS?

Access to resources such as color printers or high speed scanners or publicly-visible electronic signboards?

How are these users problematic?

Are they attempting to perform tasks outside of their job responsibilities?
If so, whatever the appropriate controls placed, successes and failures for these controls should be logged to ensure administrators gather appropriate details.

Remember: Restrictions and controls are put in place to drive business decisions.  These controls MUST be monitored to ensure they are effective in performing the desired functions as expected.
0
 

Author Comment

by:Mary Macchioni
ID: 41770085
Michael,

So I have an OU which contains the users and computers for that OU.  Do I create a new group (under that OU) and call it say Security.  Then I scope it out to that group to authenticated users.  I'm not sure what you mean by making sure permissions of the authenticated users group are set to not apply group policy?  

The OU itself is link enabled to the default domain policy.  I created a GPO to set the restrictions I want and it works fine.  The only thing is that instead of moving all of the users into that specific OU we'd like to be able to assign users to that selected Security group to lock them down even further.

Can you tell me how I can set that up?
0
 
LVL 16

Accepted Solution

by:
Michael Ortega (Internetwerx, Inc.) earned 500 total points
ID: 41770279
You can apply group policy in a couple different ways. What I like to do is use security groups to apply policies to instead of trying to organize my OU's relative to how I apply group policy. Doing it by OU is less flexible in my opinion.

If you have a group of users that need PolicyA and another group of users that need PolicyB and they are all in an OU called Users, I would do the following:

1. Leave all users in the same OU as they already are
2. Create two new Security Groups called Policy Users Group A and Policy Users Group B
3. Put the appropriate users in each group
4. Create a GPO called PolicyA and then set the Security Filtering to include Policy Users Group A security group. You have to leave authenticated users group in there as well, but you need to navigate to Delegation, into the advanced settings and ensure that the Authenticated Users' group does not have "Apply group policy" checked or the policy will apply to all users in the OU that you ultimately link the GPO to, and that's not what you want. You want it to apply to the security group that you created only. NOTE: you cannot remove the authenticated users group entirely. It has to remain. Just set it to not apply group policy in delegation.
5. Create a GPO called PolicyB and then set the Security Filtering to included Policy Users Group B security group. Note the above about the authenticated users group.
6. Link the GPO at the Users OU.

MO
0
 

Author Closing Comment

by:Mary Macchioni
ID: 41778323
Thank you!
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The 21st century solution to antiquated pagers.
Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question