
Active Directory 2008 : Managing Group Policy Scope (part 2) - Using Security Filtering to Modify GPO Scope

8/25/2013 11:51:38 AM

3. Using Security Filtering to Modify GPO Scope

By now, you’ve learned that you can link a GPO to a site, domain, or OU. However, you might need to apply GPOs only to certain groups of users or computers rather than to all users or computers within the scope of the GPO. Although you cannot directly link a GPO to a security group, there is a way to apply GPOs to specific security groups. The policies in a GPO apply only to users who have Allow Read and Allow Apply Group Policy permissions to the GPO.

Each GPO has an access control list (ACL) that defines permissions to the GPO. Two permissions, Allow Read and Allow Apply Group Policy, are required for a GPO to apply to a user or computer. If a GPO is scoped to a computer (for example, by its link to the computer’s OU), but the computer does not have Read and Apply Group Policy permissions, it will not download and apply the GPO. Therefore, by setting the appropriate permissions for security groups, you can filter a GPO so that its settings apply only to the computers and users you specify.

By default, Authenticated Users are given the Allow Apply Group Policy permission on each new GPO. This means that by default, all users and computers are affected by the GPOs set for their domain, site, or OU, regardless of the other groups in which they might be members. Therefore, there are two ways of filtering GPO scope:

  • Remove the Apply Group Policy permission (currently set to Allow) for the Authenticated Users group, but do not set this permission to Deny. Then determine the groups to which the GPO should be applied and set the Read and Apply Group Policy permissions for these groups to Allow.

  • Determine the groups to which the GPO should not be applied and set the Apply Group Policy permission for these groups to Deny. If you deny the Apply Group Policy permission to a GPO, the user or computer will not apply settings in the GPO, even if the user or computer is a member of another group that is allowed the Apply Group Policy permission.

Filtering a GPO to Apply to Specific Groups

To apply a GPO to a specific security group, perform the following steps:

  1. Select the GPO in the Group Policy Objects container in the console tree.

  2. In the Security Filtering section, select the Authenticated Users group and click Remove.

  3. Click OK to confirm the change.

  4. Click Add.

  5. Select the group to which you want the policy to apply and click OK.

Note

USE GLOBAL SECURITY GROUPS TO FILTER GPOs

GPOs can be filtered only with global security groups—not with domain local security groups.

The result will look similar to Figure 8—the Authenticated Users group is not listed, and the specific group to which the policy should apply is listed.

Figure 8. Security filtering of a GPO
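The same include filter can be scripted with the GroupPolicy module; this is an added example, not part of the original tutorial. Unlike the GUI steps, it leaves Authenticated Users with Read (without Apply), because since security update MS16-072 user settings are fetched in the computer's security context and the computer must be able to read the GPO. The function name and the GPO and group names are placeholders, and a domain-joined host with the GroupPolicy and ActiveDirectory modules is assumed.

```powershell
Import-Module GroupPolicy, ActiveDirectory

# Hypothetical helper: scope a GPO to one security group.
# On Windows Server 2008 R2 the cmdlets are named Set-GPPermissions / Get-GPPermissions.
function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )

    $group = Get-ADGroup -Identity $GroupName
    if ($group.GroupCategory -ne 'Security') {
        throw "$GroupName is a distribution group; it carries no SID in the access token."
    }
    if ($group.GroupScope -ne 'Global') {
        # The tutorial's note says to filter with global security groups.
        Write-Warning "$GroupName has scope $($group.GroupScope), not Global."
    }

    # GpoApply grants both Read and Apply Group Policy to the target group.
    Set-GPPermission -Name $GpoName -TargetName $group.SamAccountName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # -Replace is required to lower an existing level (Apply -> Read only).
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Return the resulting delegation so the change can be reviewed or logged.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
}

# Placeholder names:
# Set-GpoSecurityFilter -GpoName 'Example GPO' -GroupName 'Example-Group'
```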

Filtering a GPO to Exclude Specific Groups

Unfortunately, the Scope tab of a GPO does not allow you to exclude specific groups. To exclude a group—that is, to deny the Apply Group Policy permission—you must click the Delegation tab.

To deny a group the Apply Group Policy permission:

  1. Select the GPO in the Group Policy Objects container in the console tree.

  2. Click the Delegation tab.

  3. Click Advanced.

    The Security Settings dialog box appears.

  4. Click Add.

  5. Select the group you want to exclude from the GPO. Remember, it must be a global group. GPO scope cannot be filtered by domain local groups.

  6. Click OK.

    The group you selected is given the Allow Read permission by default.

  7. Clear the Allow check box next to Read.

  8. Select the Deny check box next to Apply Group Policy.

    Figure 9 shows an example that denies the Help Desk group the Apply Group Policy permission and, therefore, excludes the group from the scope of the GPO.

    Figure 9. Excluding a group from the scope of a GPO with the Deny Apply Group Policy permission

  9. Click OK.

    You are warned that Deny permissions override other permissions.

    Because Deny permissions override Allow permissions, it is recommended that you use Deny permissions sparingly. Microsoft Windows reminds you of this best practice with the warning message. Excluding groups with the Deny Apply Group Policy permission is more difficult to manage than including groups in the Security Filtering section of the Scope tab.

  10. Confirm that you want to continue.

Note

DENY PERMISSIONS ARE NOT EXPOSED ON THE SCOPE TAB

Unfortunately, when you exclude a group, the exclusion is not shown in the Security Filtering section of the Scope tab. This is yet one more reason to use Deny permissions sparingly.

 