Chris, you are correct, you can use security groups to filter where a GPO gets applied, but GPOs still only get applied to a user or computer object.

So, in your example you have OU1 and OU2. Let's say you are using security groups to filter the GPOs so that in OU1 the GPO only gets applied to users in SecurityGroup1 and in OU2 the GPO only gets applied to users in SecurityGroup2. If you have a user in OU1 who is a member of both security groups, he will still only get the GPO applied to OU1 because that is where the user object resides. Here is some more information from the W2K Resource Kit.

How Security Filtering Works

Security group filtering can be inclusive as well as exclusive. Thus, you can prevent a GPO from applying to a certain group, or you can create a GPO that applies only to a certain security group. To employ security filtering, use the Security tab of a given GPO to set access permissions — that is, discretionary access control lists (DACLs) — to allow or deny access to the GPO by specified groups.

By default, all GPOs that have been linked to a site, domain, or OU affect all users and computers that are contained in the linked site, domain, or OU and any child OUs. By changing the Access Control Entries (ACEs) within a DACL, the effect of any GPO can be modified to exclude or include the members of any security group.

For a GPO to apply to a group, user, or computer, both Apply Group Policy and Read ACEs must be set to Allow. By default, both the Apply Group Policy and Read ACE permissions are set to Allow for Authenticated Users. Everyone in the organization is automatically an Authenticated User. Therefore, the default behavior is for every GPO to apply to every Authenticated User. Table 4.3 lists the default security permission settings for a GPO.

Table 4.3 Default Security Permission Settings for a GPO

Groups or Users             Security permission
---------------------------------------------------------------------
Authenticated Users         Read, with Apply Group Policy ACE
Domain Administrators       Full Control, without Apply Group Policy ACE
Enterprise Administrators   Full Control, without Apply Group Policy ACE
Creator Owner               Full Control, without Apply Group Policy ACE
Local System                Full Control, without Apply Group Policy ACE

Even though the Apply Group Policy ACE for Administrators is unchecked, Administrators by default are still affected by every GPO because they are members of Authenticated Users. To prevent a GPO from applying to Administrators, or any other specific group, you need to remove the Apply Group Policy ACE by clearing the Apply Group Policy check box for Authenticated Users. You can then explicitly set Apply Group Policy for the individual security groups that must receive the policy settings. By following this procedure you can then use the Apply Group Policy ACE to apply Group Policy only to those groups of users that are your intended target.

Note When Read is allowed and Apply Group Policy is not allowed, the GPO will still be processed by the user, even though it is not applied. Therefore, you might also want to consider removing the Read ACE for performance reasons. In this case, the user can no longer see the GPO, so it will not even be processed.

Alternatively, you can set a Deny ACE to prevent a GPO from applying to a group of users. A Deny ACE setting for any group has precedence over any Allow ACE that might apply to a given user or computer because of their membership in another group. Use the Deny ACE with caution.

For more information about using security settings, see "Delegating Control of Group Policy" in this chapter.

Note Non-administrators can log on to a domain controller only if they have Log On Locally permission. This is part of the Default Domain Controllers GPO, which is linked to the Domain Controllers OU in Active Directory Users and Computers. The setting is found under Computer Configuration/Windows Settings/Security Settings/Local Policies/User Rights Assignment/Log on locally. Create a security group containing those users who must be able to log on locally to the domain controller, and add them to the list of groups shown on the Log On Locally form. Remember that computer policy for the domain controller must refresh before the new permissions take effect.

 

-Mark
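The filtering mechanics quoted above (strip Apply Group Policy from Authenticated Users, then grant Read plus Apply Group Policy to the intended groups) and the link-order point Guido makes further down the thread, as an added PowerShell example. This is not code from the thread or from the Resource Kit; it assumes the GroupPolicy module from RSAT, a domain corp.example.com, an OU named OU1, the groups SecurityGroup1 and SecurityGroup2, and two GPO names, all of which are placeholders to replace with your own.

```powershell
# Added example (not from the thread): security-filter two GPOs and set their
# link order on one OU. Domain, OU, group and GPO names are assumptions.
# Requires the GroupPolicy module (RSAT) and rights to edit and link the GPOs.
Import-Module GroupPolicy

$Domain = 'corp.example.com'                      # assumption
$OU     = 'OU=OU1,DC=corp,DC=example,DC=com'      # assumption

function Set-GpoSecurityFilter {
    <#
      Make $GpoName apply only to the groups in $ApplyTo.
      Step 1: drop Apply Group Policy from Authenticated Users but keep Read.
              Read is kept on purpose: since MS16-072 (June 2016) user policy
              is retrieved in the computer's security context, so removing
              Read for Authenticated Users makes user settings stop applying.
      Step 2: grant Read + Apply Group Policy to each target group.
    #>
    param(
        [Parameter(Mandatory)] [string]   $GpoName,
        [Parameter(Mandatory)] [string[]] $ApplyTo,
        [string] $DomainName = $Domain
    )
    # -Replace swaps the trustee's existing ACEs for the new permission level.
    Set-GPPermission -Name $GpoName -DomainName $DomainName `
        -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    foreach ($group in $ApplyTo) {
        # GpoApply = Read + Apply Group Policy, both of which a GPO needs to apply.
        Set-GPPermission -Name $GpoName -DomainName $DomainName `
            -TargetName $group -TargetType Group `
            -PermissionLevel GpoApply | Out-Null
    }
}

function Get-GpoTrustees {
    # Dump the GPO's DACL so the filter can be checked after editing.
    # Entries with Permission = GpoApply are the ones that receive the policy;
    # Denied = True marks a Deny ACE, which wins over any Allow (see the note above).
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [string] $DomainName = $Domain
    )
    Get-GPPermission -Name $GpoName -DomainName $DomainName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
}

function Set-GpoLinkOrder {
    # Link the GPOs to $Target in the given order. Link order 1 has the highest
    # precedence: it is processed last, so its settings win on conflict.
    param(
        [Parameter(Mandatory)] [string]   $Target,
        [Parameter(Mandatory)] [string[]] $GpoNamesInOrder
    )
    $order = 1
    foreach ($gpo in $GpoNamesInOrder) {
        $linked = (Get-GPInheritance -Target $Target).GpoLinks |
            Where-Object DisplayName -eq $gpo
        if ($linked) {
            Set-GPLink -Name $gpo -Target $Target -Order $order | Out-Null
        } else {
            New-GPLink -Name $gpo -Target $Target -Order $order -LinkEnabled Yes | Out-Null
        }
        $order++
    }
    (Get-GPInheritance -Target $Target).GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced
}

# Usage with the assumed names: two GPOs linked to OU1, each filtered to one
# group. A user in OU1 who is in both groups gets both; 'OU1 Desktop Lockdown'
# (link order 1) is applied last and wins where the two conflict.
Set-GpoSecurityFilter -GpoName 'OU1 Desktop Lockdown' -ApplyTo 'SecurityGroup1'
Set-GpoSecurityFilter -GpoName 'OU1 Drive Maps'       -ApplyTo 'SecurityGroup2'
Get-GpoTrustees       -GpoName 'OU1 Desktop Lockdown'
Set-GpoLinkOrder -Target $OU -GpoNamesInOrder 'OU1 Desktop Lockdown', 'OU1 Drive Maps'
# To confirm what one user actually receives, run on a domain-joined machine:
#   gpresult /user CORP\chris /r
```

Two caveats a practitioner will want. Set-GPPermission only writes Allow ACEs; the Deny ACE described in the quoted text has to be set on the GPO's DACL directly (GPMC Delegation tab, Advanced) and, as the text says, should be used sparingly because it overrides every Allow the user gets through other groups. Second, the quoted advice to also remove Read for performance predates MS16-072: on a patched domain, removing Read from Authenticated Users without granting Read to the computer accounts (for example Domain Computers) silently breaks user-side policy, which is why the function above lowers Authenticated Users to GpoRead rather than removing it.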

 

 

 

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 1:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question

A user can be a member of more than one group. If a user is a member of two groups that are in separate OUs, then the user can have group policy applied to two separate groups based on ACLs within each OU? I don't need an object existing in two separate OUs. I just need two separate groups with a user being in each group, with each group in separate OUs.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crenshaw, Jason
Sent: Monday, July 21, 2003 12:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group Policy question

What is group policy or a GPO?

Group policy is a new Windows term for common configuration settings. An administrator can create a group policy which applies to users or computers. This group policy can set certain computer settings, such as who can log in to the computer, or user settings, such as whether the user can run control panel applets. Group policy is similar to what was called policy in NT4, but with vastly improved performance together with a greater number of common configuration settings. A GPO, or group policy object, is a set of settings applied to a site, domain or OU container. The GPO then is applied to every machine or user object under that container. One can configure a GPO with ACLs to restrict the computers or users to which it is applied.

This also suggests that it is technically impossible to do since a user object can only exist in one container or OU.

 

Hope that this answers your question.

Jason

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 11:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Group Policy question

 

I believe there's nothing in TechNet on it because it's technically impossible to do. You can't have an object in more than one OU.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, July 21, 2003 12:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question

Guido, that's not quite what I had in mind. Two OUs that are not hierarchical to each other. It could be a flat OU architecture. Two separate OUs that have GPOs applied to a group. If a user is a member of both groups, which GPO will take precedence? Maybe it's a dumb question but it was posed to me by a higher up and I can't find anything about this scenario in TechNet.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, July 21, 2003 10:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Group Policy question

I guess you're using the groups to filter for whom a GPO is applied - but you're not applying a GPO to a group ;-) It doesn't matter which OU the group resides in, it simply matters which OU the respective GPO is applied to.

Assuming you're talking about applying two GPOs to the same OU - each with a separate group used for filtering, then you can set the priority of the GPO processing order directly on the OU on the Group Policy tab.

/Guido


From: Chris Flesher [mailto:[EMAIL PROTECTED]
Sent: Monday, 21 July 2003 17:18
To: [EMAIL PROTECTED]

Scenario: a user is a member of two groups. Each group is in a separate OU. A GPO is applied to each group. Which GPO will take precedence for that user? In other words, which will be the last to be applied and get the settings applied to that user?

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
