AARGH!! win2003 GPO is driving me NUTS!

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi,

I want to implement GPO, but with different policies for different users.
i have of course the default policy and i added a second policy "test"
i did all this in the global domain (right click test.local = domain name
and then group policies).

i made a new security group with that user and his computer
i added that user in the default domain policy ==> security ==> read and
apply gpo deny.

so, when i perform a gpupdate /force, it's not in the gpresult.exe list,
that's okay and i can see like that that the security list is working.

then i go to the security of my test policy, removed "authenticated users"
and added the "test" security list.
do a gpupdate /force , gpresult and nothing happens.
when i do the same with a direct username and computername in the security
tab, it works.

okay, then i added a new OU for testing it in that way, moved a user and his
computer and that worked, move another user and computer and that doesn't
works!

in a book i have "mastering windows server 2003" they say and show that it
is perfectly possible to restrict or allow users in GPO's with security lists
but on google i read the opposite...
so, what is it and why is it not working with me ??


grtz,
Verus
 
it sounds like you need to log the user on and off, then reboot the
computer...

When you added the user and computer to the group, they need to
logon/boot to receive a security token for the group.

The final answer for security group filtering is that it works. You
can specify machines/users that SHOULD and SHOULD NOT get a particular
policy.

For a easier admin experience, consider using GPMC in the future.


lee_mre
 
=?Utf-8?B?dmVydXM=?= said:
Hi,

I want to implement GPO, but with different policies for different
users. i have of course the default policy and i added a second policy
"test" i did all this in the global domain (right click test.local =
domain name and then group policies).

i made a new security group with that user and his computer
i added that user in the default domain policy ==> security ==> read and
apply gpo deny.

so, when i perform a gpupdate /force, it's not in the gpresult.exe list,
that's okay and i can see like that that the security list is working.

then i go to the security of my test policy, removed "authenticated
users" and added the "test" security list.
do a gpupdate /force , gpresult and nothing happens.
when i do the same with a direct username and computername in the
security tab, it works.

okay, then i added a new OU for testing it in that way, moved a user and
his computer and that worked, move another user and computer and that
doesn't works!

in a book i have "mastering windows server 2003" they say and show that
it is perfectly possible to restrict or allow users in GPO's with
security lists but on google i read the opposite...
so, what is it and why is it not working with me ??
Click to expand...

Group policies are applied to OU's and only affect Computer or User objects
within the OU (or a child OU). They are not applied to Security or
Distribution Groups.
Where Groups come into it is for filtering which objects within the OU will
be affected by the Group Policy.

eg You have an OU containing 2 user accounts - A and B.
A is a member of Security Group 1, B is not.

If you apply a group policy to this OU and set the 'Read' and 'apply Group
Policy' permissions for the policy to Everyone, the policy will be applied
to both users.

If you remove the 'Everyone' permissions and add 'Read' and 'Apply Group
Policy' permissions to the group called '1', the policy will only affect
user A. User B will not be affected as they are not a member of the group.
 
Hi,
made a new security group with that user and his computer
i added that user in the default domain policy ==> security ==> read
and
apply gpo deny.
Click to expand...


I am not sure why you would want to mess with setting security groups
when you can just create an OU, put a GPO on it and move the users
into it that you want to apply the policy to. It makes far more sense
and doesn’t mess anything up. Try it that way to see if the policy is
working fine and then try with the security settings again.

Leave the Security Settings on the Default Domain Group Policy alone
though or you could run into problems.

Cheers,

Lara
 
Amen! In my humble opinion, using Security filtering for GPOs should be
used sparingly and only to achieve very narrow objectives, such as not
applying certain user settings to administrators when Loopback processing is
used (e.g. on Terminal Servers).

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
 
Back
Top