Re: Help with Security Filtering




Herb,

Here are my final two questions...as I understand everything so far.
1. In order for the "computers" to receive the GPO, and all computers are
currently in one OU.

What gets added to the Security Tab in the GPO with the Read and
Apply_Policy APPLIED? Do I need to add the OU that they are in? How do
the computers get into the Security Tab? I've never added computers to a
Security Group...only into an OU?

2. Is there a charge if I would call you? I'm sort of on a budget.
If so, how much?
If not, sure, if you could leave your phone number that would be great.

Thanks.


"Herb Martin" wrote:


"mschlank" <mschlank@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:695599A1-2887-4C3C-9C41-28AA1143C449@xxxxxxxxxxxxxxxx
Herb, Thanks.

Can you clarify a few things?
1. What is the difference between Everyone and Authenticated Users?

For something like Applying (filtering) Group Policy, nothing important
probably, but years ago (circa NT4 SP4, plus or minus an SP or so)
Microsoft realized that Everyone sometimes included UNAUTHENTICATED
users, including hackers who couldn't get authenticated.

So they introduced Authenticated Users and Anonymous as special groups
(should be called dynamic or automatic groups) to separate out these two.

Granting permission to Everyone could (theoretically) allow people who had
not authenticated to get access.


2. Which Access list am I looking at to see if they are included? Are you
referring to the Properties, Security Tab for the GPO itself?

Yes.

I looked there a few times, and neither is listed...only the Security Groups
that I found in GPMC plus Creator Owner, Domain Admins, Enterprise Admins,
Enterprise Domain Controllers, System

Those above likely have Full Control (can edit/delete, etc., the policy).

Read and Apply_Policy are needed to have it APPLY when linked to the
Computer or Users OU, Domain, or Site.

3. When you say both READ and APPLY_Policy need to apply, are you referring
to the same location I just mentioned in #2?

I don't use the GPMC much (for unusual reasons*) but rather purposely avoid
it for the old interface, but I am pretty sure this is the same.

*[ If I install the GPMC, I lose access to the old interface -- as it is a
replacement rather than a supplement.]

4. Is there a way to see the ACL in the GPO that they are being applied to
the computers, besides just noticing the changes live?

The Security Properties for the GPO is what we are talking about.

5. When you make a setting change in Group Policy, how long is a reasonable
amount of time to wait for propagation to occur for user vs computer
setting changes?

Two answers (and they both count):

1) First replication must occur to all DCs before the entire domain will
be affected

2) Clients must either Refresh the Policy or Reboot/Re-Logon for it to
affect a specific computer or user.*

* Some policies are applied at refresh and some can only be applied at next
logon/startup

The defaults are about 90 minutes for ordinary computers (but it is plus or
minus 30 minutes to prevent every computer from refreshing at the same
moment) and about 5 minutes for DCs.

YES. This is extremely frustrating. Not sure why they didn't just use OU.
I hate to have to redo all their work now. When I spoke to them, I get the
run-around.

They likely are incompetent then.

GPOs are not HARD but they do take a basic understanding to get right
easily and if one (or they) has that basic understanding then they are VERY
EASY to explain and design.

Call me if you wish -- I will try to help.

--
Herb Martin, MCSE, MVP
http://www.LearnQuick.Com
(phone on web site)
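
The check discussed in this thread (which trustees on the GPO's Security tab hold Read and Apply Group Policy, and whether a given computer account is covered by one of them), as an added PowerShell example that is not part of the original posts. It assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined machine; the GPO, group and computer names are hypothetical.

```powershell
# Added example, not from the thread. GPO, group and computer names are hypothetical.
Import-Module GroupPolicy, ActiveDirectory

$GpoName      = 'Workstation Lockdown'     # hypothetical GPO display name
$FilterGroup  = 'WS-Lockdown-Computers'    # hypothetical security group of computer accounts
$ComputerName = 'PC042'                    # hypothetical computer to test

# 1. The GPO's Security tab: every trustee and its permission level.
$acl = Get-GPPermission -Name $GpoName -All
$acl | Select-Object @{n='Trustee';e={$_.Trustee.Name}},
                     @{n='Type';e={$_.Trustee.SidType}},
                     Permission, Denied | Format-Table -AutoSize

# 2. Only trustees holding GpoApply (Read + Apply Group Policy) receive the settings.
#    Editors such as Domain Admins show as GpoEditDeleteModifySecurity and do not count.
$applyTo = @($acl | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })
"GPO applies to: $(($applyTo | ForEach-Object { $_.Trustee.Name }) -join ', ')"

# 3. Is the computer covered? It is if Authenticated Users (S-1-5-11, which includes
#    computer accounts) or the computer itself is listed, or if the computer is a
#    direct or nested member of a listed group.
$computer = Get-ADComputer -Identity $ComputerName
$covered  = $false
foreach ($t in $applyTo) {
    if ($t.Sid.Value -eq 'S-1-5-11' -or $t.Sid.Value -eq $computer.SID.Value) {
        $covered = $true
    } elseif ($t.SidType -eq 'Group') {
        $dns = (Get-ADGroupMember -Identity $t.Sid.Value -Recursive).distinguishedName
        if ($dns -contains $computer.DistinguishedName) { $covered = $true }
    }
}
"$ComputerName covered by security filtering: $covered"

# 4. To filter the GPO to a group of computers, put the computer accounts in the group
#    and grant the group GpoApply. Computers pick up new group membership at restart.
# Set-GPPermission -Name $GpoName -TargetName $FilterGroup -TargetType Group -PermissionLevel GpoApply

# 5. On the client, confirm the result with:  gpresult /r /scope computer
```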


