Security Groups in OUs

matt

Apr 2, 2004
Archived from groups: microsoft.public.win2000.group_policy

What type of objects do Group Policies get applied to in OUs? Is it just
user and computer accounts, or do the members of a security group located in
the OU also receive the OU's Group Policies (granted they have access
permission to the Group Policy Object)?

Empirically, I've found that the answer to my question is members of
security groups in the OU do not get the Group Policy, but I have not found
this documented.

Thanks in advance for any insight.

Matt
 
Guest

Matt-
Only user and computer objects process GPOs. However, you can filter which
user and computer objects within a scope of management process a GPO using
security groups. Does that make sense?

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com
 
Guest

Good morning, Darren! Good morning, Matt!

Darren, I am going to jump in for a second. Hope that you do not mind. You
are definitely the 'gpoguy' ;-)

Matt,

What Darren is saying is that only the user account objects and the computer
account objects that are located in an OU to which the GPO is linked will be
affected. What Darren means by filtering via group membership is that, by
default, the 'Authenticated Users' security group is granted the READ and
APPLY GROUP POLICY rights to the GPO. This means, simplified, that any user
account or computer account located in this particular OU that authenticates
is going to be able to both read and apply the Group Policies linked to that
OU. You can change this, however.

Let's say that you have an OU in which there are 55 user account objects.
Let's just say that we are going to disable the Display Tab in the Control
Panel ( this seems to be a popular example, so let's just go with it ).
But - and this is the big part - the CEO and her three Assistants are in
this OU -AND- they absolutely must be able to access the Display Tab ( the
CEO normally likes to use 800x600 but gets really annoyed when she is
looking at Excel spreadsheets as 800x600 is too small - so she changes it to
1024x768 ). If you apply this GPO and they are affected she will blow her
top and you could be hitting the pavement really soon! So, what are you
going to do?

Easy! If one does not already exist, create a security group that includes
all of the user account objects that are located in this OU -MINUS the CEO
and her three Assistants - and add this group to the Security tab on the
'Hide Display' GPO. You would also have to remove the Authenticated Users
group. Do not forget to give the group that you created both the READ and
APPLY GROUP POLICY rights!

Now, if you did not want to create a group with 51 members - creating one
with only four members is probably a bit faster, not to mention in this
situation it probably already exists! - then you could use the security
group that has the CEO and her three Assistants as members and simply add
that group to the Security tab of the GPO ( and you would not remove the
Authenticated Users in this case ) and give this group an explicit DENY
either to READ or to APPLY GROUP POLICY - or both!

I hope that this clarifies things even more for you.

Cary
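
Added example, not part of the original thread: the two filtering options Cary describes, written with the GroupPolicy and ActiveDirectory RSAT PowerShell modules. The group names are hypothetical placeholders, and option 1 leaves Authenticated Users with Read (only Apply is removed), because since the MS16-072 update the computer account must be able to read a GPO for its user settings to process.

```powershell
# Added example; run from a management host with the RSAT GroupPolicy and
# ActiveDirectory modules. Group names are hypothetical placeholders.
Import-Module GroupPolicy, ActiveDirectory

$gpoName     = 'Hide Display'        # GPO name used in the post above
$allowGroup  = 'Display-Restricted'  # hypothetical: the 51 users who should get the GPO
$exemptGroup = 'Executive-Office'    # hypothetical: the CEO and her three Assistants
$mode        = 'Deny'                # 'Allow' = option 1, 'Deny' = option 2

if ($mode -eq 'Allow') {
    # Option 1: only members of $allowGroup get Read + Apply Group Policy.
    Set-GPPermission -Name $gpoName -TargetName $allowGroup `
        -TargetType Group -PermissionLevel GpoApply

    # Downgrade Authenticated Users from Apply to Read. -Replace is required,
    # otherwise the existing (higher) GpoApply level is left in place.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace
}
else {
    # Option 2: leave Authenticated Users alone and add an explicit Deny on the
    # "Apply Group Policy" extended right for the exempt group.
    # Set-GPPermission cannot write Deny ACEs, so edit the GPO's AD object ACL.
    $gpo  = Get-GPO -Name $gpoName
    $path = 'AD:\' + $gpo.Path       # DN of the Group Policy Container
    $acl  = Get-Acl -Path $path
    $sid  = (Get-ADGroup -Identity $exemptGroup).SID

    # Rights GUID of the Apply-Group-Policy extended right.
    $applyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
    $deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Deny', $applyGroupPolicy)

    $acl.AddAccessRule($deny)
    Set-Acl -Path $path -AclObject $acl
}

# Review the result: allow entries as the GPMC Delegation tab shows them,
# then any Deny ACEs on the GPO object.
Get-GPPermission -Name $gpoName -All
(Get-Acl -Path ('AD:\' + (Get-GPO -Name $gpoName).Path)).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' }
```

Group membership is evaluated from the logon token, so affected users need to log off and on (and computers to restart) before a membership change alters which GPOs they process.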
 
Guest

Awesome response Cary. Very helpful. Thanks for that!

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com
 

matt


Thanks for your responses!