Applying Group Policy to a Security Group

Archived from groups: microsoft.public.win2000.group_policy

Can someone please tell me how to get group policy to work with a security user group (or tell me whether one can use GP to work with user groups at all)? Here is what I did to set things up. In AD I created an OU called Special Users and I dragged the “Special Users” security group from the “Users” folder in AD to this OU. I created a group policy object for this OU. Then I followed these directions on Microsoft’s website with the title “To filter the scope of Group Policy according to security group membership” to try to get the GP to apply towards this “Special Users” group:
1. In the console tree, I right-clicked the icon or name of the Group Policy object, and then clicked Properties.
2. I then clicked the Security tab, and I added the Special Users group.
3. In the Permissions box for the selected security group (in this case the “Special Users”), I selected the “Allow” check box next to “Apply Group Policy” and “Read”. I also cleared the “Allow” check boxes next to “Apply Group Policy” for the “Authenticated Users” group.

I did the above configuration according to the table on this website: http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/Filter.asp

After all of that, I log in as a member of the “Special Users” group, but nothing happened. Please note that if I put the users themselves into the OU I had created, everything works like a champ. It is only when I use the security group in the OU that things don’t work as planned.

  1.

    GPOs only apply to users and computer accounts that are located in the OU
    where the GPO is applied, or a child OU of the OU where the GPO is applied.
    If you apply a GPO to the domain, it will apply to all user accounts or
    computer accounts.

    Now, groups get involved ONLY from a standpoint of controlling the default
    behavior, which is stated above. I can deny a group from applying GPOs, only
    if the user or computer account is in the path of the GPO, as stated above.

    --
    Derek Melber
    BrainCore.Net
    derekm@braincore.net
    "Carl" <anonymous@discussions.microsoft.com> wrote in message
    news:E48EB451-DDEC-416D-8B92-1085F6AC51B8@microsoft.com...
    > Can someone please tell me how to get group policy to work with a security
    > user group (or tell me whether one can use GP to work with user groups at
    > all)? Here is what I did to set things up. In AD I created an OU called
    > Special Users and I dragged the "Special Users" security group from the
    > "Users" folder in AD to this OU. I created a group policy object for this
    > OU. Then I followed these directions on Microsoft's website with the title
    > "To filter the scope of Group Policy according to security group membership"
    > to try to get the GP to apply towards this "Special Users" group:
    > 1. In the console tree, I right-clicked the icon or name of the Group
    > Policy object, and then clicked Properties.
    > 2. I then clicked the Security tab, and I added the Special Users
    > group.
    > 3. In the Permissions box for the selected security group (in this case
    > the "Special Users"), I selected the "Allow" check box next to "Apply
    > Group Policy" and "Read". I also cleared the "Allow" check boxes next to
    > "Apply Group Policy" for the "Authenticated Users" group.
    >
    > I did the above configuration according to the table on this website:
    > http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/Filter.asp
    >
    > After all of that, I log in as a member of the "Special Users" group, but
    > nothing happened. Please note that if I put the users themselves into the
    > OU I had created, everything works like a champ. It is only when I use the
    > security group in the OU that things don't work as planned.
    >
  2.

    Derek,

    So are you saying that you cannot apply a GPO to a "User Group" even if the group has been placed inside of an OU?
  3.

    You got it!

    You can, but NOTHING will happen if the group is the only object in the OU.
    The user and/or computer object MUST be in the OU for GPOs to apply.

    --
    Derek Melber
    BrainCore.Net
    derekm@braincore.net
    "Carl" <anonymous@discussions.microsoft.com> wrote in message
    news:A10E917D-7CD8-435A-B288-5F2942F1F225@microsoft.com...
    > Derek,
    >
    > So are you saying that you cannot apply a GPO to a "User Group" even if
    > the group has been placed inside of an OU?
  4.

    Carl,

    You are doing everything right to filter the GPO based on group membership.
    You just need to make sure the actual User and/or Computer account (has to
    be the object itself not group) is in the path of the GPO. So, apply the GPO
    that you are mentioning to a level in the hierarchy where a couple of users
    exist. Have one user in the "Special Users" group and the other with no
    specific group membership. This should work out for you.

    Kevin

    "Carl" <anonymous@discussions.microsoft.com> wrote in message
    news:E48EB451-DDEC-416D-8B92-1085F6AC51B8@microsoft.com...
    > Can someone please tell me how to get group policy to work with a security
    > user group (or tell me whether one can use GP to work with user groups at
    > all)? Here is what I did to set things up. In AD I created an OU called
    > Special Users and I dragged the "Special Users" security group from the
    > "Users" folder in AD to this OU. I created a group policy object for this
    > OU. Then I followed these directions on Microsoft's website with the title
    > "To filter the scope of Group Policy according to security group membership"
    > to try to get the GP to apply towards this "Special Users" group:
    > 1. In the console tree, I right-clicked the icon or name of the Group
    > Policy object, and then clicked Properties.
    > 2. I then clicked the Security tab, and I added the Special Users
    > group.
    > 3. In the Permissions box for the selected security group (in this case
    > the "Special Users"), I selected the "Allow" check box next to "Apply
    > Group Policy" and "Read". I also cleared the "Allow" check boxes next to
    > "Apply Group Policy" for the "Authenticated Users" group.
    >
    > I did the above configuration according to the table on this website:
    > http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/standard/proddocs/en-us/Filter.asp
    >
    > After all of that, I log in as a member of the "Special Users" group, but
    > nothing happened. Please note that if I put the users themselves into the
    > OU I had created, everything works like a champ. It is only when I use the
    > security group in the OU that things don't work as planned.
    >
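
The scoping rule the replies describe, modelled as an added example that is not part of the original thread or any Microsoft tooling: a GPO reaches a user only when the user object itself is under a linked container and the GPO's permissions allow both "Read" and "Apply Group Policy". The domain `example.com`, the user names and the `Gpo` class are constructed for illustration, and blocked inheritance and enforced links are not modelled.

```python
"""Constructed model: a GPO reaches a user only if both gates pass."""
from dataclasses import dataclass

NEEDED = {"read", "apply"}  # "Read" and "Apply Group Policy" must both be allowed

@dataclass
class Gpo:
    name: str
    links: list  # DNs of the containers (OU or domain) the GPO is linked to
    acl: list    # (trustee, "allow" | "deny", set of rights) entries

def in_link_path(object_dn, gpo):
    """Gate 1: the user object itself sits in a linked container or a child of it."""
    dn = object_dn.lower()
    return any(dn.endswith("," + link.lower()) for link in gpo.links)

def passes_filter(groups, gpo):
    """Gate 2: security filtering; a deny entry overrides an allow."""
    principals = {g.lower() for g in groups} | {"authenticated users"}
    allowed, denied = set(), set()
    for trustee, kind, rights in gpo.acl:
        if trustee.lower() in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return NEEDED <= (allowed - denied)

def evaluate(user_dn, groups, gpo):
    if not in_link_path(user_dn, gpo):
        return "not applied: user object is outside the linked container"
    if not passes_filter(groups, gpo):
        return "not applied: filtered out by the GPO's permissions"
    return "applied"

# Constructed sample data (example.com and the user names are placeholders).
OU = "OU=Special Users,DC=example,DC=com"
GPO = Gpo(
    name="Special Users policy",
    links=[OU],
    acl=[("Special Users", "allow", {"read", "apply"}),
         ("Authenticated Users", "allow", {"read"})],  # Apply cleared, as in the question
)

CASES = {
    # Group object moved into the OU, user left in CN=Users: the original problem.
    "group_in_ou_only": evaluate("CN=alice,CN=Users,DC=example,DC=com", ["Special Users"], GPO),
    "member_in_ou": evaluate("CN=alice," + OU, ["Special Users"], GPO),
    "non_member_in_ou": evaluate("CN=bob," + OU, [], GPO),
}

if __name__ == "__main__":
    for case, result in CASES.items():
        print(f"{case}: {result}")
```
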