• Status: Solved
  • Priority: Medium
  • Security: Public

Domain Security

I already have my Active Directory tree and group policy in place. I would like to be able to create a group that I could restrict access through a group policy object. Is this possible?

Example:  OU=MPA
I've already linked my Group Policy Objects to this group but I don't necessarily want "everyone" in that group to be restricted.  Can I create a new group (under groups) where I could manually add individuals that I deem problematic?
Mary Macchioni
1 Solution
Michael Ortega, Sales & Systems Engineer, Commented:
Sure, and you can scope the GPO to that security group instead of the OU. Make sure that you keep it scoped to authenticated users as well, but make sure the permissions of the authenticated users group are set to not apply group policy.

Darrell Porter, Enterprise Business Process Architect, Commented:
What type of access are you attempting to restrict?


Access to resources such as color printers or high speed scanners or publicly-visible electronic signboards?

How are these users problematic?

Are they attempting to perform tasks outside of their job responsibilities?
If so, whatever appropriate controls are placed, successes and failures for these controls should be logged to ensure administrators gather appropriate details.

Remember: Restrictions and controls are put in place to drive business decisions.  These controls MUST be monitored to ensure they are effective in performing the desired functions as expected.
Mary Macchioni, Author, Commented:

So I have an OU which contains the users and computers for that OU. Do I create a new group (under that OU) and call it, say, Security? Then I scope it out to that group to authenticated users. I'm not sure what you mean by making sure permissions of the authenticated users group are set to not apply group policy.

The OU itself is link enabled to the default domain policy.  I created a GPO to set the restrictions I want and it works fine.  The only thing is that instead of moving all of the users into that specific OU we'd like to be able to assign users to that selected Security group to lock them down even further.

Can you tell me how I can set that up?
Michael Ortega, Sales & Systems Engineer, Commented:
You can apply group policy in a couple of different ways. What I like to do is use security groups to apply policies to instead of trying to organize my OUs relative to how I apply group policy. Doing it by OU is less flexible in my opinion.

If you have a group of users that need PolicyA and another group of users that need PolicyB and they are all in an OU called Users, I would do the following:

1. Leave all users in the same OU as they already are
2. Create two new Security Groups called Policy Users Group A and Policy Users Group B
3. Put the appropriate users in each group
4. Create a GPO called PolicyA and then set the Security Filtering to include Policy Users Group A security group. You have to leave authenticated users group in there as well, but you need to navigate to Delegation, into the advanced settings and ensure that the Authenticated Users' group does not have "Apply group policy" checked or the policy will apply to all users in the OU that you ultimately link the GPO to, and that's not what you want. You want it to apply to the security group that you created only. NOTE: you cannot remove the authenticated users group entirely. It has to remain. Just set it to not apply group policy in delegation.
5. Create a GPO called PolicyB and then set the Security Filtering to include Policy Users Group B security group. Note the above about the authenticated users group.
6. Link the GPO at the Users OU.
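
The six steps in the answer above, scripted in PowerShell as an added example that is not part of the original thread. The domain and OU paths and the member account names are placeholders (assumptions), and the script assumes the ActiveDirectory and GroupPolicy modules from RSAT are installed; it also reports which trustees end up with Apply rights so the filtering can be checked.

```powershell
# Added example: OU paths and member names are placeholders, not values from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$usersOu  = 'OU=Users,DC=example,DC=com'    # hypothetical OU holding the user accounts
$groupsOu = 'OU=Groups,DC=example,DC=com'   # hypothetical OU where the groups are created

# One entry per policy: GPO name, filtering group, and constructed sample members.
$plan = @(
    @{ Gpo = 'PolicyA'; Group = 'Policy Users Group A'; Members = @('jdoe', 'asmith') },
    @{ Gpo = 'PolicyB'; Group = 'Policy Users Group B'; Members = @('bjones') }
)

foreach ($item in $plan) {
    # Steps 2-3: create the security group and add the selected users.
    New-ADGroup -Name $item.Group -GroupScope Global -GroupCategory Security -Path $groupsOu
    Add-ADGroupMember -Identity $item.Group -Members $item.Members

    # Steps 4-5: create the GPO (its settings are still configured in the editor)
    # and grant Read + Apply to the filtering group only.
    New-GPO -Name $item.Gpo | Out-Null
    Set-GPPermission -Name $item.Gpo -TargetName $item.Group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Keep Authenticated Users on the GPO, but downgrade it from Apply to Read.
    # -Replace is required because the existing level is higher than the new one.
    Set-GPPermission -Name $item.Gpo -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Step 6: link the GPO at the OU that contains the users.
    New-GPLink -Name $item.Gpo -Target $usersOu -LinkEnabled Yes | Out-Null

    # Check: only the filtering group should hold GpoApply on this GPO.
    $appliers = Get-GPPermission -Name $item.Gpo -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    $unexpected = @($appliers | Where-Object { $_ -ne $item.Group })

    if ($unexpected.Count -gt 0) {
        Write-Warning "$($item.Gpo): unexpected Apply rights for $($unexpected -join ', ')"
    } else {
        Write-Output "$($item.Gpo): applies only to '$($item.Group)'"
    }
}
```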

Mary Macchioni, Author, Commented:
Thank you!