Re: Security Filtering does not work correctly in GPO

Hello,

yes the Authenticated Users are removed, it's just the specific user group
in the security filter adjusted.

And the domain admin is NOT a member of this group. The AD structure looks
like the following schema:

/[mydomain.com]
|
|>>User Group Policy [Linked GPO with security filter on the Group "User
Group"]
|
+-domain conrollers [inheritance allowed]
|
|
+-OU-Server [inheritance allowed]
| |
| |
| +-Memberserver [computer object]
|
|
+-Users [Contaier Object]
|
|
+-Administrator [User Object]

The policy is linked on the top of my domain. And i was logged on at the
Memberserver as domain administrator. I detected that the Policy for the
"User Group" has applied to the administrator, because i could not open any
MMC's anymore :-)

But today i tried another thing. I deleted the domain admin profile on the
Memberserver, where the domain admin was logged on. After a new logon, with
a new crated profile, the settings in the "User Group Policy" were gone.

A very curious thing

"Jorge Silva" wrote:

Hi

Did you removed the Authenticated Users from apply GPO

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator

"Roli79" <Roli79@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5A066C08-E098-4BD7-A889-B42C6C08ADB1@xxxxxxxxxxxxxxxx
Hello there,

i have depoyed the following scenario in my environment.

- I created a Group Policy Object with GPMC SP1 on my W2k3 Server (DC)
- Also i supplied this GPO with a Security Filter so that the settings
just
have
affect to a specific Group. (Group Type: Security Group - Global)

- In this Policy, there are just user settings configured.

- I linked this GOP on the top level in my Active Directory domain,
because
i have
multiple users in different OU's wich belong to the Group, wich is
definded in the
"Scope-Setting" in the Group Policy object. The domain administrator does
not
belong to this group.

As i run the Group Policy result Wizard, a few days later, on a certain
machine, where the domain admin was logged on, i found in the result set,
that GPO with the
Security Scope on the specific group, has applied on the administrator!

How coult this happened. I am a little bit helpless now, because of my
logical understandig. The domain admin shouln't receive this settings.
Normally it sould
only take affect on the adjusted group in the Secuirty Filtering box.

thanks for your help
Roland



.

Relevant Pages

  • Re: Security Treats
    ... imagine that a malicious user wants to gain domain admin access. ... the administrator unwittingly gives away ... If you have group policy, ... Make sure your workstation accounts reside in an OU (rather than the default ...
    (microsoft.public.win2000.security)
  • Re: Security Filtering does not work correctly in GPO
    ... Did you removed the Authenticated Users from apply GPO ... Systems Administrator ... "Scope-Setting" in the Group Policy object. ... The domain admin shouln't receive this settings. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Security Treats
    ... imagine that a malicious user wants to gain domain admin access. ... > somebody logs in and then persuade an administrator to come over and fix ... If you have group policy, ... > workstation admin accounts and place them in the group. ...
    (microsoft.public.win2000.security)
  • Re: Security Treats
    ... When I said "Make sure your workstation accounts reside in an OU", ... imagine that a malicious user wants to gain domain admin access. ... > somebody logs in and then persuade an administrator to come over and fix ... If you have group policy, ...
    (microsoft.public.win2000.security)
  • Re: Applications/programs that require admin rights
    ... Updates to Restricted Groups ("Member of") behavior of user-defined local ... Systems Administrator ... you need to be Domain Admin to install software on a ... or use the runas command to install the app on ...
    (microsoft.public.windows.server.active_directory)
Loading