Re: Security Groups in OUs

From: Darren Mar-Elia (dmanonymous_at_discussions.microsoft.com)
Date: 09/17/04


Date: Fri, 17 Sep 2004 10:26:37 -0700

Awesome response Cary. Very helpful. Thanks for that!

-- 
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com
"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message 
news:OegdbLNnEHA.1296@TK2MSFTNGP09.phx.gbl...
> Good morning, Darren!  Good morning, Matt!
>
> Darren, I am going to jump in for a second.  Hope that you do not mind.
> You are definitely the 'gpoguy' ;-)
>
> Matt,
>
> What Darren is saying is that only the user account objects and the
> computer account objects that are located in an OU to which the GPO is
> linked will be affected.  What Darren means by filtering via group
> membership is that, by default, the 'Authenticated Users' security group
> is granted the READ and APPLY GROUP POLICY rights to the GPO.  This means,
> simplified, that any user account or computer account located in this
> particular OU that authenticates is going to be able to both read and
> apply the Group Policies linked to that OU.  You can change this, however.
>
> Let's say that you have an OU in which there are 55 user account objects.
> Let's just say that we are going to disable the Display Tab in the Control
> Panel ( this seems to be a popular example, so let's just go with it ).
> But - and this is the big part - the CEO and her three Assistants are in
> this OU -AND- they absolutely must be able to access the Display Tab ( the
> CEO normally likes to use 800x600 but gets really annoyed when she is
> looking at Excel spreadsheets as 800x600 is too small - so she changes it
> to 1024x768 ).  If you apply this GPO and they are affected she will blow her
> top and you could be hitting the pavement really soon!  So, what are you
> going to do?
>
> Easy!  If one does not already exist, create a security group that
> includes all of the user account objects that are located in this OU
> -MINUS the CEO and her three Assistants - and add this group to the
> Security tab on the 'Hide Display' GPO.  You would also have to remove the
> Authenticated Users group.  Do not forget to give the group that you
> created both the READ and APPLY GROUP POLICY rights!
>
> Now, if you did not want to create a group with 51 members - creating one
> with only four members is probably a bit faster, not to mention in this
> situation it probably already exists! - then you could use the security
> group that has the CEO and her three Assistants as members and simply add
> that group to the Security tab of the GPO ( and you would not remove the
> Authenticated Users in this case ) and give this group an explicit DENY
> either to READ or to APPLY GROUP POLICY - or both!
>
> I hope that this clarifies things even more for you.
>
> Cary
>
>
> "Darren Mar-Elia" <dmanonymous@discussions.microsoft.com> wrote in message
> news:ebbgP7MnEHA.3968@TK2MSFTNGP11.phx.gbl...
>> Matt-
>> Only user and computer objects process GPOs. However, you can filter
>> which user and computer objects within a scope of management process a
>> GPO using security groups. Does that make sense?
>>
>> -- 
>> Darren Mar-Elia
>> MS-MVP-Windows Server--Group Policy
>> http://www.gpoguy.com
>>
>>
>>
>> "matt" <mkmitchell@hotmail.com> wrote in message
>> news:%23oruLLMnEHA.3396@tk2msftngp13.phx.gbl...
>> > What type of objects do Group Policies get applied to in OUs?  Is it
>> > just user and computer accounts, or do the members of a security group
>> > located in the OU also receive the OU's Group Policies (granted they
>> > have access permission to the Group Policy Object)?
>> >
>> > Empirically, I've found that the answer to my question is members of
>> > security groups in the OU do not get the Group Policy, but I have not
>> > found this documented.
>> >
>> > Thanks in advance for any insight.
>> >
>> > Matt
>> >
>> >
>>
>>
>
> 
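The two filtering methods Cary walks through above, as an added PowerShell example that is not part of the original thread. The GPO name 'Hide Display' comes from the post; the group names 'HideDisplay-Users' and 'Executives' are hypothetical, and the script assumes the GroupPolicy and ActiveDirectory modules are installed on the admin workstation.

```powershell
# Added example, not code from the thread: the two security-filtering approaches
# Cary describes, scripted with the GroupPolicy and ActiveDirectory modules.
# Assumed (hypothetical) names: GPO 'Hide Display', group 'HideDisplay-Users'
# (the 51 ordinary users) and group 'Executives' (the CEO and her assistants).
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Approach 1: swap Authenticated Users for an explicit allow group.
function Set-GpoAllowFilter {
    param([string]$GpoName, [string]$AllowGroup)

    # The filtered group gets READ + APPLY GROUP POLICY (GpoApply implies read).
    Set-GPPermission -Name $GpoName -TargetName $AllowGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Remove Authenticated Users so the GPO no longer applies to everyone in the OU.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None | Out-Null
    # Caveat for current domains (not an issue in 2004): since MS16-072 the computer
    # account fetches user policy, so computers must keep READ on the GPO.
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
        -PermissionLevel GpoRead | Out-Null
}

# Approach 2: keep Authenticated Users, add an explicit DENY of APPLY GROUP POLICY
# for the exempt group. Set-GPPermission cannot write Deny ACEs, so the ACE is
# written directly on the GPO's Active Directory object.
function Add-GpoApplyDeny {
    param([string]$GpoName, [string]$DenyGroup)
    # GUID of the 'Apply Group Policy' extended right in the AD schema.
    $applyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
    $gpo      = Get-GPO -Name $GpoName              # .Path is the GPO container's DN
    $sid      = (Get-ADGroup -Identity $DenyGroup).SID
    $gpoEntry = [ADSI]"LDAP://$($gpo.Path)"
    $deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGroupPolicy)
    $gpoEntry.psbase.ObjectSecurity.AddAccessRule($deny)
    $gpoEntry.psbase.CommitChanges()
}

# Use ONE of the two, as in the thread; then verify who can read/apply the GPO.
Set-GpoAllowFilter -GpoName 'Hide Display' -AllowGroup 'HideDisplay-Users'
# Add-GpoApplyDeny -GpoName 'Hide Display' -DenyGroup 'Executives'
Get-GPPermission -Name 'Hide Display' -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
    Format-Table -AutoSize
```

The closing Get-GPPermission listing is the check to run after either change: a Deny ACE shows with Denied set to True, and a user who still receives the policy unexpectedly is almost always a member of a group that still holds Apply Group Policy.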
