Re: Help with Security Filtering
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Sat, 23 Jun 2007 17:10:38 -0500
"mschlank" <mschlank@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DEAB416C-D6DF-4AB0-9ECA-C86D614A6031@xxxxxxxxxxxxxxxx
> I am a new IT Director at an office with Windows 2003, Active Directory with
> only 40 users. Before I arrived, the consultants that installed the server
> set up "one" main Group Policy (GPO) applied to the main Domain. They disabled
> the "Default Domain" GPO,

Generally a POOR practice.

> and created a new Group Policy, which is supposed
> to apply to all users and computers. All computers are in an OU. All users
> are in 9 different Security Groups under one main OU. I noticed under the
> Group Policy Management Console, under that GPO, it has a "Security
> Filtering" tab with 7 of the Security Groups listed, and NO computers.

What groups? If something like Everyone or Authenticated Users is included
in the access list then everyone (and every computer) is covered.

> I don't think the computers are getting the GPO.

Then likely no entry appears for a group that includes them -- as you have guessed.

> If Security Filtering is being used, does that mean that only those users
> (in Security Groups) and computers listed in this "Security Filtering"
> are getting the GPO applied? If no computers are listed in the Security
> Filtering tab, does that mean they are not getting the GPO?

Yes.
Both READ and APPLY_POLICY are needed for the GPO to apply.
Generally filtering by Permissions is also DISCOURAGED unless it is necessary.
Try to avoid using it.
I have no faith that your consultants had a clue -- although it is theoretically
possible they were doing the right thing, it is unlikely.
They disabled the Default Policies, added a GPO (perfectly normal), and
then Filtered it, rather than linking the custom policy where they needed it
(OUs etc).
Normally one would leave the Default, add the Custom GPO to certain
OUs and let it override the Default as necessary.

> If I take the Security Groups out of the "Security Filtering", would the GPO
> apply to all users and computers?

Make sure you leave READ and APPLY policy for Everyone or Authenticated
Users (although I cannot recall how the GPMC displays this unless it is like all
the other permission lists in AD.)
--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
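
The filtering rule discussed in this reply (a principal needs both Read and Apply on the GPO, and computers are only covered if some listed trustee includes them) can be audited with a short script. This is an added example, not part of the original post; it assumes the RSAT GroupPolicy and ActiveDirectory PowerShell modules, which are newer than the Windows 2003 tooling in the thread, and the GPO name is a placeholder.

```powershell
# Added example: list trustees that can apply a GPO and flag whether any cover computers.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules are installed.
Import-Module GroupPolicy, ActiveDirectory

$GpoName = 'CUSTOM-GPO-NAME'   # placeholder; the thread does not name the GPO

# Well-known principals that implicitly include every computer account.
$CoversAll = @{ 'S-1-5-11' = 'Authenticated Users'; 'S-1-1-0' = 'Everyone' }

# GpoApply is the "Read + Apply group policy" level shown under Security Filtering.
# Trustees holding only GpoRead, or a denied entry, do not receive the GPO.
$appliers = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }

$report = foreach ($p in $appliers) {
    $sid = $p.Trustee.Sid.Value
    $coversComputers = $false
    if ($CoversAll.ContainsKey($sid)) {
        $coversComputers = $true
    } else {
        # Resolve the trustee in AD: a computer account itself, or a group
        # whose (nested) membership contains at least one computer account.
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
        if ($obj.objectClass -eq 'computer') {
            $coversComputers = $true
        } elseif ($obj.objectClass -eq 'group') {
            $n = @(Get-ADGroupMember -Identity $sid -Recursive |
                   Where-Object { $_.objectClass -eq 'computer' }).Count
            $coversComputers = $n -gt 0
        }
    }
    [pscustomobject]@{
        Trustee         = $p.Trustee.Name
        Sid             = $sid
        CoversComputers = $coversComputers
    }
}

$report | Format-Table -AutoSize

if (-not ($report | Where-Object { $_.CoversComputers })) {
    Write-Warning ("No trustee with Read + Apply covers a computer account; " +
        "Computer Configuration settings in '$GpoName' will not be applied.")
}
```

A GPO filtered only to user groups, as in the question, produces the warning: its user settings reach members of those groups, while its computer settings reach no machine.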