Re: Security Filtering in Group Policy
From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 05/06/04
- Next message: Laura E. Hunter \(MVP\): "Re: SUS Group Policy"
- Previous message: Kevin: "SUS Group Policy"
- In reply to: stnkmstrflx: "Security Filtering in Group Policy"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Security Filtering in Group Policy"
- Reply: anonymous_at_discussions.microsoft.com: "Re: Security Filtering in Group Policy"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 6 May 2004 11:21:22 -0400
I might suggest that you also post this to the Softwareupdatesvcs News Group
as someone in there might be able to help as well.
It sounds like you have the GPO set up *mostly* properly from a technical
point of view. However, one thing that I have noticed that you did not
mention was that you created an Organizational Unit and placed all of the
computer account objects in that OU and then created / linked the GPO to
that OU. The fact that you are using a Security Group to filter to which
computer accounts this GPO is applied might lead me to think that the
computer accounts are located elsewhere - like in the default 'Computers'
container.
You have to link the GPO to an OU and that OU has to contain the objects (
either user account objects or computer account objects ) to which you want
that particular GPO to apply. The time that you would use a security group
to filter the GPO is when you have all of your users or computers in one OU
and you can not / do not want to change the OU structure ( say, maybe,
because you have several other GPOs linked to that OU and to restructure
things would really mess things up / cause a lot of extra work ) that you
currently have. In this case, you simply remove the Authenticated Users
from the GPO and replace it with a home-grown Security Group.
Is this what you have done?
HTH,
Cary
"stnkmstrflx" <anonymous@discussions.microsoft.com> wrote in message
news:953601c43378$26e0df20$a301280a@phx.gbl...
> I am having an issue when using Security Filtering in
> group policy that is pertaining to computer accounts in a
> security group. My current situation is as follows:
>
> -Created a GPO for rolling out SUS configs
> -Created a security global group called Hotfix and gave
> this group Read and Apply group policy rights to the GPO
> -Removed the Authenticated Users group from the DACL on
> the GPO
> -Added the computer objects that I wanted to apply the
> SUS configs to, into the Hotfix security group
> -Linked this GPO to the OU that contained the server
> computer objects that I want to roll out his fix to
> AD Setup:
> -Domain is in mixed mode.
> -We have prepped the forest with the 2k3 schema mods.
> -We have a mix of Win2k3 and Win2k domain controllers
> The problem is that under this setup, the computer
> objects aren't recieving the updates that I configured in
> the GPO. When I use RSoP to view the GPO processing on
> one of these boxes, the Hotfix GPO is showing up as a
> Denied (Security Filtering). Now, this is strange to me
> because I'm not explicitly denying rights to ANY object
> on this GPO. And to make it more interesting, if I do
> away with the security group, and just add a single
> computer object to the DACL (giving the object Read and
> Apply group policy rights), then it works fine. I guess
> my question is:
> -Has anyone seen a problem with computer objects in
> security groups, and assigning permissions to a group?
> I've done this before in 2000 with rolling out service
> packs and it worked fine there. Any suggestions would be
> greatly appreciated!
- Next message: Laura E. Hunter \(MVP\): "Re: SUS Group Policy"
- Previous message: Kevin: "SUS Group Policy"
- In reply to: stnkmstrflx: "Security Filtering in Group Policy"
- Next in thread: anonymous_at_discussions.microsoft.com: "Re: Security Filtering in Group Policy"
- Reply: anonymous_at_discussions.microsoft.com: "Re: Security Filtering in Group Policy"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
