Re: Security Filtering does not work correctly in GPO
- From: Roland Schoen <RolandSchoen@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 31 Jul 2006 07:51:01 -0700
Hi Paul,
you mean, that i should add the admin to the GPO and set a deny on the
administrator object for this GPO.
I have learnd that you sould be careful with deny permissions. Normally you
sould not add a specific object to something, what the object should not do,
or would be applied on the object.
here is a quick schema, how the AD structure looks like...
/[mydomain.com]
|
|>>User Group Policy [Linked GPO with security filter on the Group "User
Group"]
|
+-domain conrollers [inheritance allowed]
|
|
+-OU-Server [inheritance allowed]
| |
| |
| +-Memberserver [computer object]
|
|
+-Users [Contaier Object]
|
|
+-Administrator [User Object]
But today i tried another thing. I deleted the domain admin profile on the
Memberserver, where the domain admin was logged on. After a new logon, with
a new crated profile, the settings in the "User Group Policy" were gone.
I will now keep track on it, if the administrator receices the settings again.
regards
Roland
"Paul Bergson" wrote:
I am not sure how you set this up but set the doman admin to deny on apply.
policy, this should prevent it from being applied.
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Roli79" <Roli79@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5A066C08-E098-4BD7-A889-B42C6C08ADB1@xxxxxxxxxxxxxxxx
Hello there,
i have depoyed the following scenario in my environment.
- I created a Group Policy Object with GPMC SP1 on my W2k3 Server (DC)
- Also i supplied this GPO with a Security Filter so that the settings
just
have
affect to a specific Group. (Group Type: Security Group - Global)
- In this Policy, there are just user settings configured.
- I linked this GOP on the top level in my Active Directory domain,
because
i have
multiple users in different OU's wich belong to the Group, wich is
definded in the
"Scope-Setting" in the Group Policy object. The domain administrator does
not
belong to this group.
As i run the Group Policy result Wizard, a few days later, on a certain
machine, where the domain admin was logged on, i found in the result set,
that GPO with the
Security Scope on the specific group, has applied on the administrator!
How coult this happened. I am a little bit helpless now, because of my
logical understandig. The domain admin shouln't receive this settings.
Normally it sould
only take affect on the adjusted group in the Secuirty Filtering box.
thanks for your help
Roland
- Follow-Ups:
- Re: Security Filtering does not work correctly in GPO
- From: Paul Bergson
- Re: Security Filtering does not work correctly in GPO
- References:
- Re: Security Filtering does not work correctly in GPO
- From: Paul Bergson
- Re: Security Filtering does not work correctly in GPO
- Prev by Date: Re: Security Filtering does not work correctly in GPO
- Next by Date: DNS Policy
- Previous by thread: Re: Security Filtering does not work correctly in GPO
- Next by thread: Re: Security Filtering does not work correctly in GPO
- Index(es):
Relevant Pages
|
