Solved

Domain Security

Posted on 2016-08-23
Last Modified: 2016-08-31
I already have my active directory tree and group policy in place. I would like to be able to create a group that I could restrict access through a group policy object. Is this possible?

Example:
    OU=MPA
        Users
        Computers
        Groups
I've already linked my Group Policy Objects to this group but I don't necessarily want "everyone" in that group to be restricted.  Can I create a new group (under groups) where I could manually add individuals that I deem problematic?
Question by:Mary Macchioni
5 Comments
 
LVL 16
ID: 41767366
Sure, and you can scope the GPO to that security group instead of the OU. Make sure that you keep it scoped to authenticated users as well, but make sure the permissions of the authenticated users group are set to not apply group policy.

MO
0
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 41767370
What type of access are you attempting to restrict?

NTFS?

Access to resources such as color printers or high speed scanners or publicly-visible electronic signboards?

How are these users problematic?

Are they attempting to perform tasks outside of their job responsibilities?
If so, whatever the appropriate controls placed, successes and failures for these controls should be logged to ensure administrators gather appropriate details.

Remember: Restrictions and controls are put in place to drive business decisions.  These controls MUST be monitored to ensure they are effective in performing the desired functions as expected.
0
 

Author Comment

by:Mary Macchioni
ID: 41770085
Michael,

So I have an OU which contains the users and computers for that OU. Do I create a new group (under that OU) and call it, say, Security? Then I scope it out to that group to authenticated users. I'm not sure what you mean by making sure permissions of the authenticated users group are set to not apply group policy?

The OU itself is link enabled to the default domain policy.  I created a GPO to set the restrictions I want and it works fine.  The only thing is that instead of moving all of the users into that specific OU we'd like to be able to assign users to that selected Security group to lock them down even further.

Can you tell me how I can set that up?
0
 
LVL 16

Accepted Solution

by:Michael Ortega (Internetwerx, Inc.) earned 500 total points
ID: 41770279
You can apply group policy in a couple different ways. What I like to do is use security groups to apply policies to instead of trying to organize my OU's relative to how I apply group policy. Doing it by OU is less flexible in my opinion.

If you have a group of users that need PolicyA and another group of users that need PolicyB and they are all in an OU called Users, I would do the following:

1. Leave all users in the same OU as they already are
2. Create two new Security Groups called Policy Users Group A and Policy Users Group B
3. Put the appropriate users in each group
4. Create a GPO called PolicyA and then set the Security Filtering to include Policy Users Group A security group. You have to leave authenticated users group in there as well, but you need to navigate to Delegation, into the advanced settings and ensure that the Authenticated Users' group does not have "Apply group policy" checked or the policy will apply to all users in the OU that you ultimately link the GPO to, and that's not what you want. You want it to apply to the security group that you created only. NOTE: you cannot remove the authenticated users group entirely. It has to remain. Just set it to not apply group policy in delegation.
5. Create a GPO called PolicyB and then set the Security Filtering to include the Policy Users Group B security group. Note the above about the authenticated users group.
6. Link the GPO at the Users OU.

MO
0
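A scripted version of steps 1 to 6 from the accepted solution, added here as an example rather than the answerer's own procedure. It assumes the RSAT ActiveDirectory and GroupPolicy modules, Users and Groups containers under the OU=MPA tree from the question, and a sample user name; Authenticated Users keeps Read (not Apply) because since MS16-072 (June 2016) the computer account fetches user policies and needs read access to the GPO.

```powershell
# Added example (not from the thread): scripts the accepted solution with the
# ActiveDirectory and GroupPolicy modules. Domain, OU paths and user name are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=example,DC=local (assumed)
$usersOu  = "OU=Users,OU=MPA,$domainDn"                # OU=MPA from the question; path assumed
$groupsOu = "OU=Groups,OU=MPA,$domainDn"
$policies = @{ "PolicyA" = "Policy Users Group A"; "PolicyB" = "Policy Users Group B" }

foreach ($gpoName in $policies.Keys) {
    $groupName = $policies[$gpoName]

    # Step 2: the security group that carries the policy (users stay in their OU, step 1).
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $groupsOu)) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupsOu
    }

    # Steps 4/5: create the GPO and set its Security Filtering.
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

    # Authenticated Users must stay on the ACL but with Read only (no "Apply group policy").
    # -Replace overwrites their default Read+Apply. Read has to remain: after MS16-072 the
    # computer account (a member of Authenticated Users) retrieves user GPOs.
    Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Only the chosen group gets Read + Apply.
    Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Step 6: link at the Users OU; the filter, not the link, decides who is affected.
    $linked = (Get-GPInheritance -Target $usersOu).GpoLinks | Where-Object DisplayName -eq $gpoName
    if (-not $linked) { New-GPLink -Name $gpoName -Target $usersOu -LinkEnabled Yes | Out-Null }
}

# Step 3: lock a user down by membership, not by moving the account (sample name assumed).
Add-ADGroupMember -Identity "Policy Users Group A" -Members "jdoe"

# Check: Authenticated Users should show GpoRead, the filtering group GpoApply.
foreach ($gpoName in $policies.Keys) {
    Get-GPPermission -Name $gpoName -All |
        Where-Object { $_.Permission -in 'GpoRead', 'GpoApply' } |
        Select-Object @{n='GPO';e={$gpoName}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
}
```

On a member of Policy Users Group A, `gpresult /r` after a logon should list PolicyA under applied GPOs and show it as filtered out for users outside the group.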
 

Author Closing Comment

by:Mary Macchioni
ID: 41778323
Thank you!
0