Security Filtering for specific "Links" instead of "GPO"

  • Thread starter: Bruce Sanderson

Bruce Sanderson

I have a GPO that uses Security Filtering so that it does not apply to a
particular group of users (Apply Group Policy set to Deny for that
particular security group). The GPO is linked to an OU that has two
subordinate OUs. The settings in the GPO are behaving as intended - the
settings apply to every user except members of the group that has the Deny
setting.

Now, what I would like to do is to change the security group that has the
Apply Group Policy Deny setting for one of the subordinate OUs, but not the
other.

Is there a way to do this without having a second GPO that is identical to
the first except for the difference in the Security Filtering? Or, is there
a different mechanism that can be used to prevent the GPO settings being
applied to particular Security Groups at the subordinate OU level?

The GPO applies User settings. The OU it is linked to has subordinate OUs
that have subsets of Windows 2003 Servers running Terminal Services and
Citrix. A separate GPO, linked to the same OU, enables LoopBack processing
for these OUs, so that the User settings are applied when users log on via
the RDP or ICA client.

The OU hierarchy is:

Terminal Servers - has the LoopBack GPO and the User Settings GPO linked
here
|__Set One - contains the computer accounts for a set of Windows 2003
Servers running Terminal Services for Office etc.
|__Set Two - contains the computer accounts for a set of Windows 2003
Servers running Terminal Services for a custom application

The User settings in the GPO do some "lock down" that we don't want applied
to the administrators; the Security Filtering Deny Apply Group Policy
setting accomplishes this, but we've decided that a different group of
people are to be administrators for each set of servers, thus the question.
 
Settings in the GPO and the ACL for the GPO are not able to be separated for
each link. The link is just a pointer to the GPO. So, you will need to
create two GPOs.
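
The two-GPO approach from the reply above, as an added example that is not part of the original thread: it copies the User settings GPO once per subordinate OU, puts a Deny "Apply Group Policy" entry for a different administrators group on each copy, and moves the links down to the subordinate OUs. It assumes the GroupPolicy and ActiveDirectory PowerShell modules are available; the GPO and group names are hypothetical placeholders.

```powershell
# Added example. GPO and group names are hypothetical placeholders;
# the OU names follow the hierarchy described in the question.
Import-Module GroupPolicy, ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$parentOU  = "OU=Terminal Servers,$domainDN"
$sourceGpo = 'TS User Lockdown'   # existing User settings GPO linked at the parent OU

# One copy of the GPO per subordinate OU, each exempting its own admin group.
$plan = @(
    @{ Gpo = 'TS User Lockdown - Set One'; OU = "OU=Set One,$parentOU"; Exempt = 'TS-SetOne-Admins' },
    @{ Gpo = 'TS User Lockdown - Set Two'; OU = "OU=Set Two,$parentOU"; Exempt = 'TS-SetTwo-Admins' }
)

# GUID of the "Apply Group Policy" extended right.
$applyGpoRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

foreach ($item in $plan) {
    # Copy settings only; without -CopyAcl the copy gets the default
    # permissions, so the source GPO's existing Deny entry is not carried over.
    $gpo = Copy-GPO -SourceName $sourceGpo -TargetName $item.Gpo

    # Build a Deny ACE on "Apply Group Policy" for this OU's exempt group.
    $sid = (Get-ADGroup -Identity $item.Exempt).SID
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGpoRight)

    # The ACL lives on the GPO object itself, which is why it cannot differ per link.
    $gpoPath = "AD:\CN={$($gpo.Id)},CN=Policies,CN=System,$domainDN"
    $acl = Get-Acl -Path $gpoPath
    $acl.AddAccessRule($ace)
    Set-Acl -Path $gpoPath -AclObject $acl

    # Link the copy to its own subordinate OU.
    New-GPLink -Name $item.Gpo -Target $item.OU -LinkEnabled Yes | Out-Null
}

# Remove the original link from the parent OU once both copies are linked.
Remove-GPLink -Name $sourceGpo -Target $parentOU | Out-Null

# Review the resulting permissions on each copy.
$plan | ForEach-Object { Get-GPPermission -Name $_.Gpo -All }
```

The loopback GPO linked at the parent OU is left untouched, so the User settings in both copies still apply to sessions on the servers in each subordinate OU.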
 
Thanks Derek. I suspected as much!

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.
 