Re: Security Filtering does not work correctly in GPO



Deny apply only.

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

"Roland Schoen" <RolandSchoen@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E29EBE1D-D585-443F-AC9A-F52A3C109848@xxxxxxxxxxxxxxxx
Hi Paul,

you mean that I should add the admin to the GPO and set a deny on the
administrator object for this GPO?

I have learned that you should be careful with deny permissions. Normally
you should not add a specific object to something, what the object should
not do, or would be applied on the object.

Here is a quick schema of how the AD structure looks...
/[mydomain.com]
|
|>>User Group Policy [Linked GPO with security filter on the Group "User Group"]
|
+-domain controllers [inheritance allowed]
|
|
+-OU-Server [inheritance allowed]
| |
| |
| +-Memberserver [computer object]
|
|
+-Users [Container Object]
|
|
+-Administrator [User Object]


But today I tried another thing. I deleted the domain admin profile on the
Memberserver, where the domain admin was logged on. After a new logon, with
a newly created profile, the settings in the "User Group Policy" were gone.

I will now keep track of it, to see if the administrator receives the
settings again.

regards
Roland


"Paul Bergson" wrote:

I am not sure how you set this up but set the domain admin to deny on apply
policy, this should prevent it from being applied.

--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup

This posting is provided "AS IS" with no warranties, and confers no rights.

"Roli79" <Roli79@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5A066C08-E098-4BD7-A889-B42C6C08ADB1@xxxxxxxxxxxxxxxx
Hello there,

I have deployed the following scenario in my environment.

- I created a Group Policy Object with GPMC SP1 on my W2k3 Server (DC)
- Also I supplied this GPO with a Security Filter so that the settings just
have effect on a specific Group. (Group Type: Security Group - Global)

- In this Policy, there are just user settings configured.

- I linked this GPO on the top level in my Active Directory domain, because
I have multiple users in different OUs which belong to the Group, which is
defined in the "Scope-Setting" in the Group Policy object. The domain
administrator does not belong to this group.

When I ran the Group Policy Results Wizard, a few days later, on a certain
machine, where the domain admin was logged on, I found in the result set
that the GPO with the Security Scope on the specific group has applied to
the administrator!

How could this happen? I am a little bit helpless now, because of my
logical understanding. The domain admin shouldn't receive these settings.
Normally it should only take effect on the adjusted group in the Security
Filtering box.

thanks for your help
Roland
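
An added example, not part of the original thread: one way to check whether an account really falls inside a GPO's security filter, by matching the GPO's ACEs against the account's transitive group SIDs. It assumes the GroupPolicy and ActiveDirectory PowerShell modules (newer tooling than the GPMC SP1 setup described above); the function name Test-GpoFilterForUser is hypothetical, and the GPO and account names are the ones from the schema in the thread.

```powershell
# Added example (not from the thread). Assumes the GroupPolicy and
# ActiveDirectory RSAT modules are installed on a domain-joined machine.
Import-Module GroupPolicy, ActiveDirectory

# Hypothetical helper: lists the GPO ACEs that match a user's security token.
function Test-GpoFilterForUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $SamAccountName
    )

    $user = Get-ADUser -Identity $SamAccountName
    # tokenGroups is a constructed attribute (base-scope read only): the user's
    # transitive security group SIDs, nested groups and primary group included.
    $groupSids = (Get-ADUser -SearchBase $user.DistinguishedName -SearchScope Base `
            -LDAPFilter '(objectClass=user)' -Properties tokenGroups).tokenGroups |
        ForEach-Object { $_.Value }
    # Every authenticated domain user also carries Everyone and Authenticated Users.
    $tokenSids = @($user.SID.Value) + @($groupSids) + @('S-1-1-0', 'S-1-5-11')

    # All ACEs on the GPO whose trustee is in the user's token.
    $matching = @(Get-GPPermission -Name $GpoName -All |
        Where-Object { $tokenSids -contains $_.Trustee.Sid.Value })

    # Allow ACEs granting "Apply Group Policy" put the user inside the filter.
    $allow = @($matching | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })
    # Deny ACEs override allows; report every one for manual review in GPMC.
    $deny = @($matching | Where-Object { $_.Denied })

    [pscustomobject]@{
        Gpo           = $GpoName
        User          = $user.SamAccountName
        AllowApplyVia = $allow.Trustee.Name -join ', '
        DenyVia       = $deny.Trustee.Name -join ', '
        InsideFilter  = ($allow.Count -gt 0) -and ($deny.Count -eq 0)
    }
}

# GPO and account names as they appear in the thread's schema.
Test-GpoFilterForUser -GpoName 'User Group Policy' -SamAccountName 'Administrator'
```

If InsideFilter is true for an account that is not a direct member of the filter group, AllowApplyVia names the trustee (a nested group or a well-known principal) through which the Apply permission reaches it.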




