Re: Security Filtering does not work correctly in GPO

---

• From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
• Date: Mon, 31 Jul 2006 07:58:39 -0500

---

I am not sure how you set this up but set the doman admin to deny on apply
policy, this should prevent it from being applied.

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

"Roli79" <Roli79@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5A066C08-E098-4BD7-A889-B42C6C08ADB1@xxxxxxxxxxxxxxxx

Hello there,

i have depoyed the following scenario in my environment.

- I created a Group Policy Object with GPMC SP1 on my W2k3 Server (DC)
- Also i supplied this GPO with a Security Filter so that the settings
just
have
affect to a specific Group. (Group Type: Security Group - Global)

- In this Policy, there are just user settings configured.

- I linked this GOP on the top level in my Active Directory domain,
because
i have
multiple users in different OU's wich belong to the Group, wich is
definded in the
"Scope-Setting" in the Group Policy object. The domain administrator does
not
belong to this group.

As i run the Group Policy result Wizard, a few days later, on a certain
machine, where the domain admin was logged on, i found in the result set,
that GPO with the
Security Scope on the specific group, has applied on the administrator!

How coult this happened. I am a little bit helpless now, because of my
logical understandig. The domain admin shouln't receive this settings.
Normally it sould
only take affect on the adjusted group in the Secuirty Filtering box.

thanks for your help
Roland

.

---

• Follow-Ups:
  • Re: Security Filtering does not work correctly in GPO
    • From: Roland Schoen

• Prev by Date: Re: AD Connector
• Next by Date: Re: Security Filtering does not work correctly in GPO
• Previous by thread: Re: AD Connector
• Next by thread: Re: Security Filtering does not work correctly in GPO
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Group Policy for hardened PCs ... These automatically pick up the default domain policy. ... Now when I log in as ANYBODY on the development PC [even a Domain Admin], ... the user settings for THAT PC apply. ... So, even though the Developers are admins on the local machines, because ... (microsoft.public.windows.group_policy) Re: Securing Enterprise Policy from local admins ... > Admin is admin. ... >> All the .NET Framework security policy docs on the website speak to the ... >> has full control of the security settings through the machine policy. ... >> enterprise policy is intended to be managed at the enterprise and is why ... (microsoft.public.dotnet.security) Re: Group Policy question ... They best are to create two or more GPOs then. ... Common Policy Setting ... > I agree with admin settings in part. ... (microsoft.public.win2000.active_directory) . ... Many thanks for your replies, ... if a user is a Domain Admin do they get the policy settings applied as per a ... I have assigned a group to a policy and changed some settings ... (microsoft.public.windows.group_policy) Re: overcoming system admin ... If you are on a domain, then the Domain admin will have set up a policy ... If you are on a stand-alone machine, ... (microsoft.public.windowsxp.general)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.active_directory  > 2006-08