No, Authenticated Users will not be running the GPO. You have to have the Apply Group Policy right in order for it to apply. Either by adding it manually through the Advanced button on the Delegation tab, or by using the security filtering tab, which does it for you, Having only read does not give you the ability to apply the GPO.
HTH Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 christopher_bod...@glic.com The Guardian Life Insurance Company of America www.guardianlife.com From: James Rankin <kz2...@googlemail.com> To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com> Date: 11/14/2012 08:39 AM Subject: Re: GPO issue It definitely wasn't inherited. One thing I have noticed though if you add the Authenticated Users group through the Security Filtering function you get Read and Apply GPO permissions. If you add it through the Delegation tab you can only apply Read permissions unless you go through the Advanced tab. If you've explicitly removed Authenticated Users from the Security Filter tab and add only GroupA and GroupB so that they are the groups receiving the GPO, if someone adds the Authenticated Users back via Delegation and gives them Read permissions, does that then apply the GPO to the Authenticated Users group even though you've removed them from the Security Filter? That's what I was trying to ask, but I think the fact I noticed above about the Apply GPO permission may have answered that question for me :-) On 14 November 2012 13:20, Christopher Bodnar <christopher_bod...@glic.com > wrote: You are correct, somehow the Authenticated Users was added to the Delegation tab, unless it was inherited, but I doubt that. Does it say No under the inherited column? Not sure what you mean by this: "And does this mean that the groups defined in the Security Filtering section will effectively be overridden? " Christopher Bodnar Enterprise Architect I, Corporate Office of Technology:Enterprise Architecture and Engineering Services Tel 610-807-6459 3900 Burgess Place, Bethlehem, PA 18017 christopher_bod...@glic.com The Guardian Life Insurance Company of America www.guardianlife.com From: James Rankin <kz2...@googlemail.com> To: "NT System Admin Issues" <ntsysadmin@lyris.sunbelt-software.com > Date: 11/14/2012 07:11 AM Subject: GPO issue I have noticed that some GPOs in use here are Security Filtered to certain AD groups, and Authenticated Users has been removed from the default Security Filter. This is all very normal and good. However, switching to the Delegation tab of the GPO, I see Authenticated Users listed with Read permission - but not with the "(from Security Filtering)" suffix. This means that someone has specifically added Authenticated Users to the Delegation tab, I think? And does this mean that the groups defined in the Security Filtering section will effectively be overridden? I just want to check I am correct before I go complaining :-) I created a test GPO and it seems to indicate that I am correct, but I like to double-check first Cheers, -- James Rankin Technical Consultant (ACA, CCA, MCTS) http://appsensebigot.blogspot.co.uk ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ----------------------------------------- This message, and any attachments to it, may contain information that is privileged, confidential, and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are notified that any use, dissemination, distribution, copying, or communication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately by return e-mail and delete the message and any attachments. Thank you. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin -- James Rankin Technical Consultant (ACA, CCA, MCTS) http://appsensebigot.blogspot.co.uk ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin
<<image/jpeg>>
<<image/jpeg>>
