Linking a GP to a Global Security Group

Guest

I would like someone to tell me if this should work or is it just theory. I
should be able to create a global policy and link it to a group of users
instead of having many OUs with the users in. That is something that I have
been trying to do and have read that you can create a GP, link it to a group
of users by removing Authenticated Users from the security properties and
applying Read and Apply Group Policy directly to the group instead. This has
not worked for me. I have had both computer and user settings set in the GP
and just user settings. To me it would make organizing AD a lot better, and
the ability to do this a lot less frustrating.

Please tell me how it is, I know AD but this is one thing that has always
thrown a loop for my thinking and planning.

Thanks
 
Eric Hildebrandt
I would like someone to tell me if this should work or is it just
theory. I should be able to create a global policy and link it to a
group of users instead of having many OUs with the users in. That is
something that I have been trying to do and have read that you can
create a GP, link it to a group of users by removing Authenticated Users
from the security properties and applying Read and Apply Group Policy
directly to the group instead. This has not worked for me. I have had
both computer and user settings set in the GP and just user settings.
To me it would make organizing AD a lot better, and the ability to do
this a lot less frustrating.

Please tell me how it is, I know AD but this is one thing that has
always thrown a loop for my thinking and planning.

From http://www.gpanswers.com/faq/

"I created group, added users to it, put the group in an OU and assigned a
policy to it, but the policy didn't apply. Why not?

Group Policy, amazingly, doesn't apply to security groups. It applies only to
the user or computer accounts in the Site, Domain or OU. So, you'll need to
move the user's account into the OU where the GPO is linked."
 
The design is that GPOs apply to the user or computer accounts (objects)
that are in the OU the GPO is linked to and to the same type of objects in
child OUs (GPO inheritance).

Security Groups are not things to which GPOs can be applied (linked).

To receive the settings in a GPO, the user or computer must have the "Apply
Group Policy" permission for that GPO. As with folders, OUs, etc.,
permissions can be assigned via security groups. This means that you can
prevent a GPO from applying to a set of users that are members of a Group by
turning on "Deny" for the "Apply Group Policy" permission.

The default for a new GPO is that every user gets "Allow" for the "Apply
Group Policy" permission, so a GPO, by default applies to every user account
in every OU to which the GPO is linked and each sub OU under those OUs.

So, if you want a GPO to apply to all users except the members of a Security
Group, link the GPO to an OU at an appropriately high level in the OU
hierarchy, then, use the "Advanced" button on the GPMC Delegation tab to
apply "Deny" "Apply Group Policy" to that Security Group.

This is commonly done, for example, to prevent user-specific settings from
applying to administrators when they log on at a Terminal Server.

A lot of posters in this and other newsgroups appear to want the design
changed so that a GPO can be "linked" to a Security Group with the objective
of having the GPO apply to all of the members of that Group. You are
certainly welcome to propose such a design change to Microsoft if you want
(http://register.microsoft.com/mswis...=/isapi/gomscom.asp?target=/mswish/thanks.htm).
However, I'm not sure that such a change would make sense. A user can be a
member of multiple groups and figuring out whether a particular GPO
should/will be applied to a particular user could be difficult or ambiguous.
For example, if one group has "Allow" for a GPO and another doesn't and the
user account is member of both, should the GPO be applied or not?

--
Bruce Sanderson MVP Printing
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.
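To make the two rules in the reply above concrete (a GPO is scoped by the container it is linked to, and security filtering on "Apply Group Policy" then narrows that scope, with Deny beating Allow), here is a small model of the evaluation. It is an added example, not code from the thread or from Microsoft; the domain, OUs, groups and GPOs are constructed, and it models only the Apply permission, not Read.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    ou: str                       # DN of the container holding the account
    groups: set = field(default_factory=set)

@dataclass
class GPO:
    name: str
    links: list                   # DNs of the site/domain/OUs the GPO is linked to
    apply_acl: dict               # principal -> "Allow" | "Deny" for Apply Group Policy

def in_scope(account_dn: str, link_dn: str) -> bool:
    # A GPO linked at a container covers that container and every child
    # container (inheritance). A child container's DN ends with its parent's DN.
    return account_dn == link_dn or account_dn.endswith("," + link_dn)

def gpo_applies(gpo: GPO, user: User) -> bool:
    # Rule 1: linking is by container, never by group. An account outside every
    # linked OU (and their children) never receives the GPO, whatever its groups.
    if not any(in_scope(user.ou, link) for link in gpo.links):
        return False
    # Rule 2: security filtering. Every logged-on account is in Authenticated Users.
    principals = {user.name, "Authenticated Users", *user.groups}
    aces = [gpo.apply_acl[p] for p in principals if p in gpo.apply_acl]
    if "Deny" in aces:            # an explicit Deny on any principal wins over Allow
        return False
    return "Allow" in aces        # no ACE at all means no Apply permission

# Constructed directory: a Staff OU with a Sales child OU, plus a separate Contractors OU.
DOMAIN = "DC=corp,DC=example"
STAFF, SALES = f"OU=Staff,{DOMAIN}", f"OU=Sales,OU=Staff,{DOMAIN}"
CONTRACTORS = f"OU=Contractors,{DOMAIN}"
# The common pattern: apply to everyone under Staff except administrators.
LOCKDOWN = GPO("Staff Lockdown", [STAFF], {"Authenticated Users": "Allow", "Domain Admins": "Deny"})
# The pattern from the question: Authenticated Users removed, one group granted Apply.
SALES_ONLY = GPO("Sales Settings", [STAFF], {"Sales Team": "Allow"})
USERS = {
    "alice": User("alice", SALES),                                # staff member, no special groups
    "bob":   User("bob", SALES, {"Domain Admins", "Sales Team"}), # Allow via one group, Deny via another
    "carol": User("carol", CONTRACTORS, {"Sales Team"}),          # in the group but outside the linked OU
    "dave":  User("dave", STAFF, {"Sales Team"}),                 # in the linked OU and in the group
}

def resultant_gpos(user: User) -> list:
    """Names of the constructed GPOs that would apply to the user."""
    return [g.name for g in (LOCKDOWN, SALES_ONLY) if gpo_applies(g, user)]

if __name__ == "__main__":
    for name, u in USERS.items():
        print(f"{name:6} -> {resultant_gpos(u)}")
```

carol shows the thread's point: group membership alone does not pull a GPO in, and bob shows how the "member of both" case in the reply resolves (Deny wins). On current Windows, removing Authenticated Users entirely also strips the Read permission the computer account needs to retrieve user settings (since MS16-072), so the usual form of the Sales-only pattern keeps Authenticated Users with Read only and grants Apply to the target group.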
 