question on default settings and scope

djc

Jun 16, 2004
Archived from groups: microsoft.public.win2000.group_policy

By default the Read and Apply Group Policy permissions are enabled for the
Authenticated Users security principal on new GPOs. And you can filter the
scope by adding/removing users/groups for a GPO using these permissions. My
question is then how do computer-specific GPO settings apply by default?

1) For example, I can set computer-specific settings in the default domain
GPO or a new GPO linked to the domain and they apply to all domain computer
accounts even though nothing is on the Security tab of the GPO properties to
indicate this, right?

2) Whether this is a valid question depends on the answer to number 1 but
I'll ask anyway. I know moving computer accounts into OUs and linking GPOs
to the OUs you can control GPOs. But what about the Read and Apply Group
Policy permissions? Can they be used to further filter scope of GPOs for
computer-specific settings?

Any info would be greatly appreciated. Thanks.
 
Guest

You can filter the computer configuration portion of GPOs. Computers are also members of
authenticated users. You would have to add your computers to a global group and give
that global group apply permissions instead of authenticated users. If you run
gpresult on a computer it will list the group membership for the users and
computers.

--- Steve


"djc" <noone@nowhere.com> wrote in message
news:uwCr78xmEHA.1656@TK2MSFTNGP09.phx.gbl...
> by default the Read and Apply Group Policy permissions are enabled for the
> Authenticated Users security principle on new GPOs. And you can filter the
> scope by adding/removing users/groups for a GPO using these permissions. My
> question is then how do computer-specific GPO settings apply by default?
>
> 1) For example, I can set computer-specific settings in the default domain
> GPO or a new GPO linked to the domain and they apply to all domain computer
> accounts even though nothing is on the Security tab of the GPO properties to
> indicate this, right?
>
> 2) Whether this is a valid question depends on the answer to number 1 but
> I'll ask anyway. I know moving computer accounts into OUs and linking GPOs
> to the OUs you can control GPOs. But what about the Read and Apply Group
> Policy permissions? Can they be used to further filter scope of GPOs for
> computer-specific settings?
>
> any info would be greatly appreciated. Thanks.
>
>
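Added example, not part of the original thread: the filtering described in the answer above (a global group of computers gets Apply in place of Authenticated Users), scripted with the GroupPolicy and ActiveDirectory RSAT modules of a current Windows domain. The GPO name, group name, and OU paths are hypothetical placeholders, and the script assumes an English-language domain where the well-known group resolves as "Authenticated Users".

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Example values only; none of these names come from the thread.
$GpoName   = 'Workstation Baseline'                   # hypothetical GPO
$GroupName = 'GPO-Apply-Workstation-Baseline'         # hypothetical global group
$GroupPath = 'OU=Groups,DC=example,DC=com'            # hypothetical OU for the group
$SourceOu  = 'OU=Workstations,DC=example,DC=com'      # hypothetical OU of target computers

# 1. Record the GPO's delegation before changing it. On a new GPO,
#    Authenticated Users holds GpoApply (Read + Apply Group Policy),
#    which covers every domain computer account as well as every user.
Get-GPPermission -Name $GpoName -All

# 2. Create the global security group and add the computer accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global `
                -GroupCategory Security -Path $GroupPath
}
$computers = @(Get-ADComputer -Filter * -SearchBase $SourceOu)
if ($computers.Count -eq 0) {
    throw "No computer accounts found under $SourceOu"
}
$existing = @(Get-ADGroupMember -Identity $GroupName).DistinguishedName
$toAdd    = @($computers | Where-Object { $existing -notcontains $_.DistinguishedName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

# 3. Grant the group Read + Apply Group Policy on the GPO.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
                 -TargetType Group -PermissionLevel GpoApply

# 4. Downgrade Authenticated Users from Apply to Read. -Replace is needed
#    because Set-GPPermission does not lower an existing, higher permission
#    without it. Read is kept so that computers can still retrieve the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
                 -TargetType Group -PermissionLevel GpoRead -Replace

# 5. Confirm the resulting delegation.
Get-GPPermission -Name $GpoName -All

# 6. On a member computer, after a restart so the computer account picks up
#    its new group membership, run from an elevated prompt:
#      gpresult /r /scope computer
#    and check the listed security groups and applied GPOs.
```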
 

djc


Thank you!

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:ZRX1d.48935$MQ5.5323@attbi_s52...
> You can filter computer configuration portion of GPO's. Computers are also members of
> authenticated users. You would have to add your computers to a global group and give
> that global group apply permissions instead of authenticated users. If you run
> gpresult on a computer it will list the group membership for the users and
> computers. --- Steve
>
>
> "djc" <noone@nowhere.com> wrote in message
> news:uwCr78xmEHA.1656@TK2MSFTNGP09.phx.gbl...
> > by default the Read and Apply Group Policy permissions are enabled for the
> > Authenticated Users security principle on new GPOs. And you can filter the
> > scope by adding/removing users/groups for a GPO using these permissions. My
> > question is then how do computer-specific GPO settings apply by default?
> >
> > 1) For example, I can set computer-specific settings in the default domain
> > GPO or a new GPO linked to the domain and they apply to all domain computer
> > accounts even though nothing is on the Security tab of the GPO properties to
> > indicate this, right?
> >
> > 2) Whether this is a valid question depends on the answer to number 1 but
> > I'll ask anyway. I know moving computer accounts into OUs and linking GPOs
> > to the OUs you can control GPOs. But what about the Read and Apply Group
> > Policy permissions? Can they be used to further filter scope of GPOs for
> > computer-specific settings?
> >
> > any info would be greatly appreciated. Thanks.
> >
> >
>
>