GPO not applied in special security context

Torsten Valentin

Hello!
I have to ensure that a GPO is applied to certain hosts only. These hosts are
to be determined by membership of a group, _not_ by moving the host out of
"computer" into a different OU.
To achieve this, I bound the GPO ("MyGPO") to the Domain root and modified
the security settings of that GPO in the following way:
- removed "read" and "apply" from "authenticated users" (did NOT set any deny
  flag!)
- added the group "GR test"
- set security settings "read" and "apply" to "GR test"

Then I added a number of hosts to group "GR test". However, the problem is
that the GPO "MyGPO" is not applied to hosts that are members of the group
"GR test" (GPResult says: "Filtering: Refused (security)"). If (in the GPO's
security settings) I delete the group "GR test" again and add the group
"Authenticated users" again (and set read and apply permissions), the GPO is
used properly. Likewise, if I do this with one of the hosts itself that is a
member of the group "GR test". But I cannot get it working by adding a group
to the GPO's security settings.
This is really killing me.
Thanks in advance for any help!
T.
 
Do you have more than one domain?
Do you use domain local groups for security filtering?
Use global groups for GPO security filtering.

--
Dmitry Korolyov
(e-mail address removed)
To e-mail me, remove "nospamformorons"
from the address.


"Torsten Valentin"
 
> Do you have more than one domain?
No.
> Do you use domain local groups for security filtering?
> Use global groups for GPO security filtering.
I did. But nevertheless I have this problem. Meanwhile I found out that the
problem might lie in that the host does not really become a member of that
group:
In the AD I add the host "foo" to the group "GR test". But when I run
GPResult on host "foo", the group "GR test" is not listed within the list of
groups "foo" is a member of. But when I take a look at the DC again, I can
see that host "foo" _IS_ a member of group "GR test". I believe that this
could be the reason for the GPO (with the security settings to apply for
group "GR test") to not be applied.
But how come? What can I do?
 
This has been solved meanwhile. The reason was that the group had been
created by a VB script with getobject("LDAP://...") and that this group had
not been created properly. I used another function to create the group and
now it works.

T.
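
A diagnostic for the situation in this thread, added here as an example and not posted by any participant: it checks the three things security filtering depends on, using the thread's names "MyGPO", "GR test" and "foo" as defaults. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules are installed; the function name Test-GpoGroupFilter is hypothetical.

```powershell
# Added example (not from the thread). Run from a domain-joined admin host.
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoGroupFilter {
    param(
        [string]$GpoName      = 'MyGPO',    # names as used in the thread
        [string]$GroupName    = 'GR test',
        [string]$ComputerName = 'foo'
    )

    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -Properties groupType
    if (-not $group) { throw "Group '$GroupName' not found" }
    $computer = Get-ADComputer -Identity $ComputerName

    # Only security-enabled groups are placed in an access token, so a
    # distribution group can never satisfy GPO security filtering.
    $isSecurity = $group.GroupCategory -eq 'Security'

    # -Recursive so that nested membership is counted as well.
    $isMember = [bool](Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.SID.Value -eq $computer.SID.Value })

    # ACEs on the GPO that name this group; "GpoApply" is read + apply.
    $aces = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Trustee.Sid.Value -eq $group.SID.Value }
    $canApply = [bool]($aces |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })

    [pscustomobject]@{
        Group           = $group.Name
        GroupCategory   = $group.GroupCategory   # expected: Security
        GroupScope      = $group.GroupScope      # thread advice: Global
        RawGroupType    = $group.groupType       # raw attribute as stored
        ComputerInGroup = $isMember
        GroupHasApply   = $canApply
        FilterShouldPass = $isSecurity -and $isMember -and $canApply
    }
}

Test-GpoGroupFilter | Format-List
```

A computer's group membership is evaluated when the machine authenticates to the domain, so restart the host after adding it to the group before comparing this output with GPResult.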
 