Re: Authenticated Users vs. Individual Users - Scope problem

From: "Florian Frommherz [MVP]" <florian@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 05 Dec 2007 17:10:03 +0100

Howdie!

jlinhrst schrieb:

It is a Computer Configuration Policy that I am talking about. I suppose I'm a bit fuzzy on the whole 'adding the Domain Computers group.' Could you give me a bit more information about how that is applied?

Look, it's quite simple:
In order to be able to apply a policy, two things need to be given:
(a) the objects needs to be in the scope of the policy (in the OU or SubOU) and
(b) the object needs to have "Read" and "Apply Group Policy" permissions on the GPO.

For "object(s)", you can fill in user accounts and computer accounts. Until now this should be clear to you.

In order to apply a computer configuration policy, the computer objects need to have "Read" and "Apply Group Policy" permissions on the GPO just like users would need those permissions on "user configuration" GPOs. It's the computer that accesses the GPO in that case. So - when security filtering a computer configuration policy, you'll have to take security groups with computer objects in it to grant access to the GPO.

The whole things worked with "Authenticated Users" because the "Domain Computers" group with all those computer accounts is member of "Authenticated Users".

You basically just need to use computer accounts fpr the GPO filtering rather than user accounts.

cheers,

Florian
--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
.

References:
- Re: Authenticated Users vs. Individual Users - Scope problem
  - From: Florian Frommherz [MVP]

Prev by Date: Applying User Settings to a Computer Object
Next by Date: Re: Applying User Settings to a Computer Object
Previous by thread: Re: Authenticated Users vs. Individual Users - Scope problem
Next by thread: Applying User Settings to a Computer Object
Index(es):
- Date
- Thread

Relevant Pages

RE: Group Policy Connundrum - Stick with it, its confusing!!!
... Configuration object of the GPO (vs. ... Group Policy Connundrum - Stick with it, ... Small Business Server Internet Connection Firewall ...
(Security-Basics)
Re: Set GPO for specific user group
... Click on the domain name in Group Policy Management, select the GPO and then click the arrow to the left to move it to the top of the list ... Filtering: Denied ...
(microsoft.public.windows.server.sbs)
Re: GPO Question
... Group Policy Processing ... As described earlier in this paper, Group Policy is processed in the ... Local Group Policy Object, ... Any domain-based GPO may be enforced by using the Enforce ...
(microsoft.public.win2000.group_policy)
Re: group policy preferences
... Microsoft Windows XP Operating System Group Policy Result tool v2.0 ... GPO: ShockwaveTest ... GPO: Default Domain Policy ...
(microsoft.public.windows.server.active_directory)
Re: Group Policy Downloading unchanged GPOs
... Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool at http://www.sdmsoftware.com/products.php ... On analysis we understand that if a CSE has multiple GPO's then even if one of the GPO changes, all the GPO's belonging to that CSE gets read. ... words, they are not held in some separate place on the client), then yes, all settings from all 3 GPOs would be read by the client if just one GPO changes. ...
(microsoft.public.win2000.group_policy)