Re: GPO Security Filtering

From: Darren Mar-Elia (dmanonymous_at_discussions.microsoft.com)
Date: 08/17/04

• Next message: Roger Abell [MVP]: "Re: Desktop restriction on Terminal Server"
• Previous message: Jim Smith: "GPO Security Filtering"
• In reply to: Jim Smith: "GPO Security Filtering"
• Next in thread: Jimmy Andersson [MVP]: "Re: GPO Security Filtering"
• Messages sorted by: [ date ] [ thread ]

---

Date: Mon, 16 Aug 2004 18:08:52 -0700

Jim-
As you've probably noticed, a GPO grants Authenticated Users the 'read' and
'apply group policy' permissions by default when its created. This means
that any user or computer under its influence will process the GPO by
default. This is usually ok unless you further need to filter the policy. I
try avoid removing the default Authenticated User permission unless I
really, truly need to filter GPO application. It just makes it simpler to
troubleshoot and maintain policy if you're only using security group
filtering when you absolutely need to, for exceptions rather than for normal
GPO processing. That would be my recommendation.

-- 
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
"Jim Smith" <hous200@yahoo.com> wrote in message 
news:OX3xe8%23gEHA.3320@TK2MSFTNGP11.phx.gbl...
> What are recommendation's for setting permissions on GPO's?  Should the
> settings apply only to users and groups that are affected by the GPO, or 
> to
> a more general Authenticated Users?
>
> In the GPMC, on the Scope tab for a GPO there is a section on the lower 
> half
> titled 'Security Filtering' with the wording 'The settings in the GPO can
> only apply to the following groups, users, and computers:'
>
> Thanks for everyone's input.
>
> 

---

• Next message: Roger Abell [MVP]: "Re: Desktop restriction on Terminal Server"
• Previous message: Jim Smith: "GPO Security Filtering"
• In reply to: Jim Smith: "GPO Security Filtering"
• Next in thread: Jimmy Andersson [MVP]: "Re: GPO Security Filtering"
• Messages sorted by: [ date ] [ thread ]

---

Relevant Pages Re: IPSec GPO -- Cannot Save ... 80070005 -- sounds like a permissions error to me. ... It's a permission on the GPO Write/change to alter that policy ... If you are creating a new GPO then you need "Link Group Policy" on the OU to ... IPsec policies, unlike the 2003/XP policy options, and allow to save ... (microsoft.public.windows.server.active_directory) Re: GPO Management Delegation ... I checked the permissions on the Policy ... permission on that folder. ... grayed out and it will ask for the name of the new GPO. ... (microsoft.public.windows.server.active_directory) Re: Exchange OWA 2003 Trusted Root Certificate ... > So you're going to explain to me how Group Policy works now? ... When I say Policy, I mean it in a broad sense, I am referring to the GPO, ... which as you admitted defaults to "apply" to the Authenticated Users. ... > One cannot be a member of a GPO. ... (microsoft.public.win2000.security) Re: I thought I knew Group Policy but Obviously I dont ... you said I should have enabled this feature in that the Default Domain Policy. ... > the settings that i gave you are so that the policy is not applied to your ... > DC's or any computer objects that fall into the scope of the gpo that has ... >>> groupinstread of the Authenticated Users default. ... (microsoft.public.win2000.group_policy) Re: Help with Security Filtering ... What is the difference btn Everyone and Authenticated users? ... For something like Applying Group Policy nothing important ... The Security Properties for the GPO is what we are talking about. ... Some policies are applied at refresh and some can only be applied at next ... (microsoft.public.windows.server.active_directory)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.group_policy  > 2004-08