Re: Block Group Policy Settings Based on Group Membership

From: Darren Mar-Elia (dmanonymous_at_discussions.microsoft.com)
Date: 08/27/04


Date: Fri, 27 Aug 2004 10:14:47 -0700

Brian-
Perhaps the issue here is that this security filtering means that, of the
users and computers who are targeted by a GPO, you can filter among them
using security groups. In other words, let's say I have a GPO linked to the
Finance OU. And I have a bunch of users and groups in that OU. First off, by
virtue of being linked to that OU, any user policies I set on that GPO will
be processed by all users within that OU. But maybe I only want to apply
that GPO to a subset of the users in that GPO, who happen to belong to the
"Finance Lockdown" security group. I can then use the security filtering
feature in GPMC to control that GPO's effects within that OU. But the key
here is that security filtering must target users and computers that are
already processing the GPO by virtue of their position in AD and where that
GPO is linked. In other words, in my example above, let's say I had another
user, who is in the Engineering OU, but is a member of a security group
(let's call it "Other Users") that resides in the Finance OU. Because Group
Policy only applies to user and computer objects, no amount of security
filtering that I do on that Finance GPO for the "Other Users" group will
affect that user in the Engineering OU, because that user is not processing
the GPO linked to the Finance OU.

Well that was a fairly round-about description but hopefully it helps?

-- 
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
"Brian Jorgenson" <bjorgenson@charter.net> wrote in message 
news:34ec3ea7.0408270859.4d8feea8@posting.google.com...
> "Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message 
> news:<eRK4eC9iEHA.1712@TK2MSFTNGP09.phx.gbl>...
>> Hi Brian
>>
>> I'm not sure what the distinction is.  Can you explain the two methods
>> you're attempting to use in more detail?
>
> Here is the scoop: I am using Microsoft's Group Policy Management
> Tool. On the Scope tab where you can use security filtering, it
> specifically says that you can add a group, user, or computer for
> filtering. If I had a group, it does not work. It only works on users
> and computers. If I had builtin groups like Domain Users, Domain
> Admins, then those groups work but any group I create will not work.
> What am I missing?
>>
>> Kind regards
>> -- 
>> Mark Renoden [MSFT]
>> Windows Platform Support Team
>> Email: markreno@online.microsoft.com
>>
>> Please note you'll need to strip ".online" from my email address to email
>> me; I'll post a response back to the group.
>>
>> This posting is provided "AS IS" with no warranties, and confers no 
>> rights.
>>
>> "Brian Jorgenson" <bjorgenson@charter.net> wrote in message
>> news:34ec3ea7.0408260712.1b95ec32@posting.google.com...
>> > Kenneth MacDonald <K.MacDonald@ed.ac.uk> wrote in message
>> > news:<pan.2004.08.26.09.33.08.530138@ed.ac.uk>...
>> >> On Thu, 26 Aug 2004 08:35:50 +1000, Mark Renoden [MSFT] wrote:
>> >>
>> >> > Hi Brian
>> >> >
>> >> > You should be able to achieve this by denying Read and Apply for 
>> >> > this
>> >> > group.
>> >>
>> >> In fact, denying Apply is enough, and has the benefit that the user 
>> >> can
>> >> still read the GPO for reporting and listing/linking.
>> >>
>> >> Cheers,
>> >>
>> >> Kenny.
>> >
>> > What about the issue with security groups not working in the scope
>> > filtering? 
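
The two-stage scoping discussed in this thread, as an added example that is not part of the original posts: a small Python model that first checks whether an object sits under a container the GPO is linked to, then evaluates security filtering (Allow Read and Apply, with Deny taking precedence). The names, DNs and the "Finance Exempt" group are constructed; group nesting, link order, Block Inheritance, Enforced links, WMI filters and loopback are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    dn: str                                   # where the object itself lives in AD
    groups: set = field(default_factory=set)  # flat membership (nesting not modelled)

@dataclass
class Gpo:
    linked_to: list                           # DNs of containers the GPO is linked to
    allow: dict                               # trustee -> rights from {"Read", "Apply"}
    deny: dict = field(default_factory=dict)

def in_link_scope(p, gpo):
    """Stage 1: the object must sit below a container the GPO is linked to."""
    return any(p.dn.lower().endswith("," + c.lower()) for c in gpo.linked_to)

def passes_security_filter(p, gpo):
    """Stage 2: Allow Read + Apply via some trustee; a matching Deny wins."""
    trustees = p.groups | {p.name, "Authenticated Users"}
    allowed = set().union(*(gpo.allow.get(t, set()) for t in trustees))
    denied = set().union(*(gpo.deny.get(t, set()) for t in trustees))
    return {"Read", "Apply"} <= (allowed - denied)

def gpo_applies(p, gpo):
    # Filtering only narrows the set of objects already in link scope.
    return in_link_scope(p, gpo) and passes_security_filter(p, gpo)

# Constructed sample data mirroring the Finance / Engineering example.
FINANCE = "OU=Finance,DC=example,DC=com"
finance_gpo = Gpo(
    linked_to=[FINANCE],
    # "Authenticated Users" removed from the filter, two groups added.
    allow={"Finance Lockdown": {"Read", "Apply"},
           "Other Users": {"Read", "Apply"}},
    # Deny Apply alone is enough to exempt a group; Read stays available.
    deny={"Finance Exempt": {"Apply"}},
)
alice = Principal("alice", "CN=Alice," + FINANCE, {"Finance Lockdown"})
bob = Principal("bob", "CN=Bob," + FINANCE)
carol = Principal("carol", "CN=Carol,OU=Engineering,DC=example,DC=com",
                  {"Other Users"})
dave = Principal("dave", "CN=Dave," + FINANCE,
                 {"Finance Lockdown", "Finance Exempt"})

if __name__ == "__main__":
    for p in (alice, bob, carol, dave):
        print(p.name, in_link_scope(p, finance_gpo),
              passes_security_filter(p, finance_gpo), gpo_applies(p, finance_gpo))
```

Carol passes the security filter through "Other Users" but never processes the GPO, because her user object is in the Engineering OU; where the group object itself resides plays no part in the decision.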

