Solved

Domain Security

Posted on 2016-08-23
Last Modified: 2016-08-31
I already have my active directory tree and group policy in place.  I would like to be able to create a group that I could restrict access through a group policy object.  Is this possible?

Example:  OU=MPA
              Users
              Computers
              Groups
I've already linked my Group Policy Objects to this group but I don't necessarily want "everyone" in that group to be restricted.  Can I create a new group (under groups) where I could manually add individuals that I deem problematic?
Question by:Mary Macchioni
5 Comments
 
LVL 16
ID: 41767366
Sure, and you can scope the GPO to that security group instead of the OU. Make sure that you keep it scoped to authenticated users as well, but make sure the permissions of the authenticated users group are set to not apply group policy.

MO
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 41767370
What type of access are you attempting to restrict?

NTFS?

Access to resources such as color printers or high speed scanners or publicly-visible electronic signboards?

How are these users problematic?

Are they attempting to perform tasks outside of their job responsibilities?
If so, whatever the appropriate controls placed, successes and failures for these controls should be logged to ensure administrators gather appropriate details.

Remember: Restrictions and controls are put in place to drive business decisions.  These controls MUST be monitored to ensure they are effective in performing the desired functions as expected.
 

Author Comment

by:Mary Macchioni
ID: 41770085
Michael,

So I have an OU which contains the users and computers for that OU.  Do I create a new group (under that OU) and call it say Security.  Then I scope it out to that group to authenticated users.  I'm not sure what you mean by making sure permissions of the authenticated users group are set to not apply group policy?  

The OU itself is link enabled to the default domain policy.  I created a GPO to set the restrictions I want and it works fine.  The only thing is that instead of moving all of the users into that specific OU we'd like to be able to assign users to that selected Security group to lock them down even further.

Can you tell me how I can set that up?
 
LVL 16

Accepted Solution

by: Michael Ortega (Internetwerx, Inc.) earned 500 total points
ID: 41770279
You can apply group policy in a couple of different ways. What I like to do is use security groups to apply policies to instead of trying to organize my OUs relative to how I apply group policy. Doing it by OU is less flexible in my opinion.

If you have a group of users that need PolicyA and another group of users that need PolicyB and they are all in an OU called Users, I would do the following:

1. Leave all users in the same OU as they already are
2. Create two new Security Groups called Policy Users Group A and Policy Users Group B
3. Put the appropriate users in each group
4. Create a GPO called PolicyA and then set the Security Filtering to include Policy Users Group A security group. You have to leave authenticated users group in there as well, but you need to navigate to Delegation, into the advanced settings and ensure that the Authenticated Users' group does not have "Apply group policy" checked or the policy will apply to all users in the OU that you ultimately link the GPO to, and that's not what you want. You want it to apply to the security group that you created only. NOTE: you cannot remove the authenticated users group entirely. It has to remain. Just set it to not apply group policy in delegation.
5. Create a GPO called PolicyB and then set the Security Filtering to include Policy Users Group B security group. Note the above about the authenticated users group.
6. Link the GPO at the Users OU.

MO
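
The steps in the accepted answer, scripted with the ActiveDirectory and GroupPolicy PowerShell modules as an added example (not part of the original answer). The domain DN `DC=example,DC=com`, the OU paths and the member names are constructed placeholders, and `Set-GroupScopedGpo` is a hypothetical helper name; the function ends by checking that Authenticated Users kept Read without "Apply group policy".

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example. Domain DN, OU paths and member names are constructed placeholders.
$DomainDn = 'DC=example,DC=com'
$GroupsOu = "OU=Groups,OU=MPA,$DomainDn"
$UsersOu  = "OU=Users,OU=MPA,$DomainDn"

function Set-GroupScopedGpo {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $LinkTarget,
        [string[]] $Members = @()
    )
    # Steps 2-3: create the security group if it is missing, then add the users.
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupsOu
    }
    if ($Members.Count -gt 0) { Add-ADGroupMember -Identity $GroupName -Members $Members }

    # Steps 4-5: create the GPO and grant the group Read + Apply group policy.
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Authenticated Users stays on the GPO but with Read only. -Replace is needed
    # because a lower level is otherwise ignored when GpoApply is already granted.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Step 6: link the GPO to the OU unless the link already exists.
    $links = (Get-GPInheritance -Target $LinkTarget).GpoLinks
    if ($links.DisplayName -notcontains $GpoName) {
        New-GPLink -Name $GpoName -Target $LinkTarget | Out-Null
    }
    # Check the result: fail loudly if the filter would still hit every user.
    $acl = Get-GPPermission -Name $GpoName -All
    $au  = $acl | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
    $grp = $acl | Where-Object { $_.Trustee.Name -eq $GroupName }
    if (-not $au -or $au.Permission -ne 'GpoRead') { throw "Authenticated Users must have Read only on '$GpoName'." }
    if (-not $grp -or $grp.Permission -ne 'GpoApply') { throw "'$GroupName' lacks Apply group policy on '$GpoName'." }
    $acl | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

Set-GroupScopedGpo -GpoName 'PolicyA' -GroupName 'Policy Users Group A' -LinkTarget $UsersOu -Members 'jdoe'
Set-GroupScopedGpo -GpoName 'PolicyB' -GroupName 'Policy Users Group B' -LinkTarget $UsersOu -Members 'asmith'
```

Run `gpresult /r` as a user inside and a user outside the group to confirm that only the group members receive the policy.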
 

Author Closing Comment

by:Mary Macchioni
ID: 41778323
Thank you!
