Paul Adare said:
microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
<
[email protected]> says...
So you're going to explain to me how Group Policy works now? Ok.
Listen I am not trying to pick a fight here.
Let's start with getting some basic terminology sorted out:
You never create a Policy, you create a Group Policy Object, and that
GPO will contain various settings.
When I say Policy, I mean it in a broad sense, I am referring to the GPO,
which as you admitted defaults to "apply" to the Authenticated Users. Based
on what I am seeing, you can perform Filtering by removing the Authenticated
Users from the list, and assign a specific "group" that you would like to
apply the "policy" (GPO containing the set of templates in which settings
have been made) to.
The default DACL on a GPO do in fact include Authenticated Users with
Read and Apply, correct.
One cannot be a member of a GPO.
When I say add a desired group to a GPO, the above was what I was referring
to, I think if you attempt to read to much into the terminology, you miss the
basics of what I am asking, that was why I posted the question in the first
place. Realizing of course that if I add a group, users whatever to the
Security of the GPO to APPLY (better verbiage?), then in any place that I
apply that GPO to an OU, then the groups and users will specifically get the
"settings" contained in that GPO (or as I like to say the policy). A good
example, might be to publish the Active Directory Admin Tools to your admins,
you create a Domain Policy (GPO) and then remove the Authenticated Users, but
add only your Admins to apply the policy to, so that the Published Software
is installed.
Correct, assuming of course the the GPO is linked somewhere that the
user or computer will even be able to process it in the first place.
For example, if you have OUA and OUB, both at the same level in the
domain, and you have userB in OUB. You create a GPO and set the
permissions on the GPO such that userB has Read and Apply permissions,
it won't matter how often you log on with the userB account, nor what
the permissions are on the GPO, userB will never process the GPO. Taking
So is the GPO just created on the Group Policy tab of the OUB? If it is, I
would disagree that it would not work. A good example of this might be a
custom desktop picture. Globally for the domain you lock down any changes to
the display, and background. But on an OU level you create a GPO called
"userB" make userB the only user that the GPO is Applied to. In the Desktop,
you define a custom desktop picture, and path. I do this now, who gets the
picture? Only userB, even though in the OU there are lots of other users. So
I must be mis-understanding what you are saying above.
this one step further, you create a group in OUA and make userB a member
of that group, and change the permissions on the GPO linked to OUA such
that the group in OUA that has userB as a member has Read and Apply
permission, that GPO will _still never_ be processed by userB.
I understand what you are saying here, since a user can only be a member of
1 OU, the GPO can only be applied to that OU in which the user would be a
member of. BUT, in my model I am not creating Groups that spread across
OU's. In OUA, I would have a GROUP called OUAUsers in which I would add all
of the users in that OU to that group, that I would want applied. In OUB, I
have another group called OUBUsers with all of those users from that OU in
it. I create a GPO that has both of those Groups as part of the Apply rather
than the Authenticated Users by default, I also Deny the GPO to the Domain
Admins and Enterprise Admins for Apply but leave the read write change the
same. I apply the GPO to both OUs (OUA and OUB) Now suppose I want to add a
user to OUA, but not have that GPO apply to them. Poof, already done, even
though they are a member of that OU, I bypass them in the application of the
GPO, because I did not make them a member of the OUAUsers or OUBUsers to whom
the GPO is being applied. An example might be someone who is part of that
OU, who has Admin rights whereby you might not want to lock them down, but
keep them part of that OU for organizational reasons.
Once again, you do not assign a GPO to a group. You can certainly use
the DACLs on a GPO to filter which users and computers the GPO will be
processed by, but only if that GPO is linked in the directory in a
location that the user or computer account would process the GPO in the
first place.
Don't get caught up on semantics...I think you understood what I was
attempting to say. Filter is the correct word, you are right.
Sorry sport, but the Group part of Group Policy has nothing to do with
groups that contain user or computer accounts. Its name arises from the
fact that you can GROUP policy settings into objects known as Group
Policy Objects.
By the way, you never answered my original question, rather you attacked how
YOU might have done something or how you thought it should have been done.
Paul Adare said:
microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
<
[email protected]> says...
Thanks, so barring adding each computer to the policy where I think a user
might log into, would this work: Adding the Computers to the Groups in which
the policy is applied to.
Group Policy I s not applied to groups, you have a fundamental
misunderstanding on how Group Policy works.
So that an OU called "Shipping Department" has a
group assigned to it called "Shipping". Members of the Shipping group are
user1 and user2. A policy is created with Permissions to apply a Trusted
Root Certificate to the Shipping Group,
As above, this isn't the way Group Policy works.
which would install the certificate I
want but only for those particular users. Am I correct in saying that I
should just add the computers that are physically located in the Shipping
Department to the group Shipping, so that all Computer Policies are applied
to the machine?
The GPOs that are applied to a user or computer have nothing to do with
the group membership of that user or computer (except that you can
control whether or not a GPO can be processed through the use of ACLs on
the GPOs). The location of the user or computer account in the directory
determines which GPOs will be processed.
I kind of thought that the computer policies would apply to the computer
that a particular user logged into, not the a specific computer? Can we
verify this? That link that I included for accomplishing these steps, said
nothing about adding specific users, in fact it was a Default Domain Policy?
The Default Domain Policy, being at the highest level in the domain
tree, will be processed by all users and computers in the domain.
In your case, you need to examine the OUs that contain the computer
accounts of the computers that these users will be using, and then use a
GPO that is high enough in the domain tree to be processed by these
computers.
You should read up on Group Policy. There is a lot of good information
on how this works on the Microsoft web site.
--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
--
Paul Adare
"On two occasions, I have been asked [by members of Parliament],
'Pray, Mr. Babbage, if you put into the machine wrong figures,
will the right answers come out?' I am not able to rightly apprehend
the kind of confusion of ideas that could provoke such a question."
-- Charles Babbage (1791-1871)
