Archived from groups: microsoft.public.win2000.group_policy
Thanks for your responses!
"Darren Mar-Elia" <dmanonymous@discussions.microsoft.com> wrote in message
news:%23$jR4tNnEHA.1296@TK2MSFTNGP09.phx.gbl...
> Awesome response Cary. Very helpful. Thanks for that!
>
> --
> Darren Mar-Elia
> MS-MVP-Windows Server--Group Policy
>
> http://www.gpoguy.com
>
>
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:OegdbLNnEHA.1296@TK2MSFTNGP09.phx.gbl...
>> Good morning, Darren! Good morning, Matt!
>>
>> Darren, I am going to jump in for a second. Hope that you do not mind.
>> You are definitely the 'gpoguy' ;-)
>>
>> Matt,
>>
>> What Darren is saying is that only the user account objects and the
>> computer account objects that are located in an OU to which the GPO is
>> linked will be affected. What Darren means by filtering via group
>> membership is that, by default, the 'Authenticated Users' security group
>> is granted the READ and APPLY GROUP POLICY rights to the GPO. This means,
>> simplified, that any user account or computer account located in this
>> particular OU that authenticates is going to be able to both read and
>> apply the Group Policies linked to that OU. You can change this, however.
>>
>> Let's say that you have an OU in which there are 55 user account objects.
>> Let's just say that we are going to disable the Display Tab in the
>> Control Panel ( this seems to be a popular example, so let's just go with
>> it ). But - and this is the big part - the CEO and her three Assistants
>> are in this OU -AND- they absolutely must be able to access the Display
>> Tab ( the CEO normally likes to use 800x600 but gets really annoyed when
>> she is looking at Excel spreadsheets as 800x600 is too small - so she
>> changes it to 1024x768 ). If you apply this GPO and they are affected she
>> will blow her top and you could be hitting the pavement really soon! So,
>> what are you going to do?
>>
>> Easy! If one does not already exist, create a security group that
>> includes all of the user account objects that are located in this OU
>> -MINUS the CEO and her three Assistants - and add this group to the
>> Security tab on the 'Hide Display' GPO. You would also have to remove the
>> Authenticated Users group. Do not forget to give the group that you
>> created both the READ and APPLY GROUP POLICY rights!
>>
>> Now, if you did not want to create a group with 51 members - creating one
>> with only four members is probably a bit faster, not to mention in this
>> situation it probably already exists! - then you could use the security
>> group that has the CEO and her three Assistants as members and simply add
>> that group to the Security tab of the GPO ( and you would not remove the
>> Authenticated Users in this case ) and give this group an explicit DENY
>> either to READ or to APPLY GROUP POLICY - or both!
>>
>> I hope that this clarifies things even more for you.
>>
>> Cary
>>
>>
>> "Darren Mar-Elia" <dmanonymous@discussions.microsoft.com> wrote in message
>> news:ebbgP7MnEHA.3968@TK2MSFTNGP11.phx.gbl...
>>> Matt-
>>> Only user and computer objects process GPOs. However, you can filter
>>> which user and computer objects within a scope of management process a
>>> GPO using security groups. Does that make sense?
>>>
>>> --
>>> Darren Mar-Elia
>>> MS-MVP-Windows Server--Group Policy
>>>
>>> http://www.gpoguy.com
>>>
>>>
>>>
>>> "matt" <mkmitchell@hotmail.com> wrote in message
>>> news:%23oruLLMnEHA.3396@tk2msftngp13.phx.gbl...
>>> > What type of objects do Group Policies get applied to in OUs? Is it
>>> > just user and computer accounts, or do the members of a security group
>>> > located in the OU also receive the OU's Group Policies (granted they
>>> > have access permission to the Group Policy Object)?
>>> >
>>> > Empirically, I've found that the answer to my question is members of
>>> > security groups in the OU do not get the Group Policy, but I have not
>>> > found this documented.
>>> >
>>> > Thanks in advance for any insight.
>>> >
>>> > Matt
>>> >
>>> >
>>>
>>>
>>
>>
>
>
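
The scope and security-filtering rules discussed in the thread above, as an added example that is not part of the original posts: a simplified Python model of which accounts end up processing the 'Hide Display' GPO under each of the two approaches Cary describes. All account, group and OU names are hypothetical, child OUs are ignored, and the real evaluation is done by Windows against the GPO's ACL.

```python
from dataclasses import dataclass, field

READ, APPLY = "Read", "Apply Group Policy"
BOTH = {READ, APPLY}

@dataclass
class Account:
    name: str
    ou: str                       # OU where the account object itself lives
    groups: set = field(default_factory=set)

    def trustees(self):
        # Any account that authenticates also counts as Authenticated Users.
        return self.groups | {"Authenticated Users"}

@dataclass
class Gpo:
    linked_ou: str
    allow: dict                   # trustee -> rights granted on the GPO
    deny: dict = field(default_factory=dict)

def gpo_applies(gpo, account):
    # Scope: only accounts located in the linked OU are candidates;
    # group membership alone never brings an account into scope.
    if account.ou != gpo.linked_ou:
        return False
    who = account.trustees()
    allowed = set().union(*(r for t, r in gpo.allow.items() if t in who))
    denied = set().union(*(r for t, r in gpo.deny.items() if t in who))
    # An explicit deny wins, and both rights are needed to process the GPO.
    return BOTH <= (allowed - denied)

def build_accounts():
    # Constructed sample: 55 accounts in the OU plus one outside it.
    staff = [Account(f"user{i:02d}", "Office", {"Office Staff"}) for i in range(51)]
    execs = [Account(n, "Office", {"Executives"})
             for n in ("ceo", "asst1", "asst2", "asst3")]
    outsider = Account("remote01", "Branch", {"Office Staff"})
    return staff + execs + [outsider]

# Default ACL: Authenticated Users has Read + Apply Group Policy.
DEFAULT = Gpo("Office", allow={"Authenticated Users": BOTH})
# Approach 1: remove Authenticated Users, grant the 51-member group.
ALLOW_GROUP = Gpo("Office", allow={"Office Staff": BOTH})
# Approach 2: keep Authenticated Users, explicit deny for the four.
DENY_GROUP = Gpo("Office", allow={"Authenticated Users": BOTH},
                 deny={"Executives": {APPLY}})

def affected(gpo, accounts):
    return sorted(a.name for a in accounts if gpo_applies(gpo, a))
```
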