Solved

Domain Security

Posted on 2016-08-23
Last Modified: 2016-08-31
I already have my active directory tree and group policy in place.  I would like to be able to create a group that I could restrict access through a group policy object.  Is this possible?

Example:  OU=MPA
                          Users
                          Computers
                          Groups
I've already linked my Group Policy Objects to this group but I don't necessarily want "everyone" in that group to be restricted.  Can I create a new group (under groups) where I could manually add individuals that I deem problematic?
Question by:Mary Macchioni
5 Comments
 
LVL 16

Expert Comment

by:Michael Ortega
ID: 41767366
Sure, and you can scope the GPO to that security group instead of the OU. Make sure that you keep it scoped to authenticated users as well, but make sure the permissions of the authenticated users group are set to not apply group policy.

MO
0
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 41767370
What type of access are you attempting to restrict?

NTFS?

Access to resources such as color printers or high speed scanners or publicly-visible electronic signboards?

How are these users problematic?

Are they attempting to perform tasks outside of their job responsibilities?
If so, whatever appropriate controls are placed, successes and failures for these controls should be logged to ensure administrators gather appropriate details.

Remember: Restrictions and controls are put in place to drive business decisions.  These controls MUST be monitored to ensure they are effective in performing the desired functions as expected.
0
 

Author Comment

by:Mary Macchioni
ID: 41770085
Michael,

So I have an OU which contains the users and computers for that OU. Do I create a new group (under that OU) and call it, say, Security? Then I scope it out to that group to authenticated users. I'm not sure what you mean by making sure permissions of the authenticated users group are set to not apply group policy?

The OU itself is link enabled to the default domain policy.  I created a GPO to set the restrictions I want and it works fine.  The only thing is that instead of moving all of the users into that specific OU we'd like to be able to assign users to that selected Security group to lock them down even further.

Can you tell me how I can set that up?
0
 
LVL 16

Accepted Solution

by:
Michael Ortega earned 500 total points
ID: 41770279
You can apply group policy in a couple of different ways. What I like to do is use security groups to apply policies to instead of trying to organize my OUs relative to how I apply group policy. Doing it by OU is less flexible in my opinion.

If you have a group of users that need PolicyA and another group of users that need PolicyB and they are all in an OU called Users, I would do the following:

1. Leave all users in the same OU as they already are
2. Create two new Security Groups called Policy Users Group A and Policy Users Group B
3. Put the appropriate users in each group
4. Create a GPO called PolicyA and then set the Security Filtering to include Policy Users Group A security group. You have to leave authenticated users group in there as well, but you need to navigate to Delegation, into the advanced settings and ensure that the Authenticated Users' group does not have "Apply group policy" checked or the policy will apply to all users in the OU that you ultimately link the GPO to, and that's not what you want. You want it to apply to the security group that you created only. NOTE: you cannot remove the authenticated users group entirely. It has to remain. Just set it to not apply group policy in delegation.
5. Create a GPO called PolicyB and then set the Security Filtering to include Policy Users Group B security group. Note the above about the authenticated users group.
6. Link the GPO at the Users OU.

MO
0
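The six steps in the accepted answer can also be scripted and then checked. The following is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and the domain DN, OU paths and account names are placeholders.

```powershell
# Added example: security-filter two GPOs by group instead of by OU.
Import-Module ActiveDirectory, GroupPolicy

# Assumptions: placeholder domain/OU paths and constructed account names.
$groupsOu = 'OU=Groups,OU=MPA,DC=example,DC=com'
$usersOu  = 'OU=Users,OU=MPA,DC=example,DC=com'
$policies = @{
    'PolicyA' = @{ Group = 'Policy Users Group A'; Members = @('user1', 'user2') }
    'PolicyB' = @{ Group = 'Policy Users Group B'; Members = @('user3') }
}

foreach ($gpoName in $policies.Keys) {
    $cfg = $policies[$gpoName]

    # Steps 2-3: create the security group and add the selected users.
    $group = New-ADGroup -Name $cfg.Group -GroupScope Global `
        -GroupCategory Security -Path $groupsOu -PassThru
    Add-ADGroupMember -Identity $group -Members $cfg.Members

    # Steps 4-5: create the GPO and let only the new group apply it.
    New-GPO -Name $gpoName | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $group.SamAccountName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Authenticated Users stays on the GPO but is lowered from the default
    # "read + apply" to read only. -Replace is required to lower a level.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Step 6: link the GPO at the Users OU.
    New-GPLink -Name $gpoName -Target $usersOu -LinkEnabled Yes | Out-Null

    # Check: list every trustee and flag the GPO if Authenticated Users
    # can still apply it (it would then hit every user in the OU).
    $acl = Get-GPPermission -Name $gpoName -All
    $acl | Select-Object @{ n = 'GPO'; e = { $gpoName } },
                         @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                         Permission
    $appliers = $acl | Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
    if ($appliers -contains 'Authenticated Users') {
        Write-Warning "$gpoName still applies to Authenticated Users"
    }
}
```

A user added to one of the groups picks up the policy only after logging on again, because group membership is evaluated at logon.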
 

Author Closing Comment

by:Mary Macchioni
ID: 41778323
Thank you!
0
