When you create a GPO, two primary permissions are applied to the Authenticated Users group as shown in the following table.
Tip
As soon as a user logs in to the domain, the user
account is automatically added to the Authenticated Users group. In
other words, all GPOs automatically apply to any user that logs in
because the GPOs apply to the Authenticated Users group by default.
Default Permissions for Authenticated Users Group | Comments |
---|---|
Read | Settings in the GPO can be read. |
Apply Group Policy | Settings in the GPO are applied. |
Figure 1 shows the permissions for a GPO named Deploy Sales Application with the default permissions. When both Read and Apply Group Policy permissions are set to Allow, the policy applies.
Tip
You can filter Group Policy by changing the Apply Group Policy Allow permission to Apply Group Policy Deny
for any user or group. For example, if you don’t want the policy to
apply to members of the Administrators group, select the group and
select Deny for the Apply Group Policy permission.
Figure 2 shows security filtering applied to a GPO. The Apply Group Policy setting is changed to Deny
for the IT Admins group. Users in this group still have access to Read
and Write (and more), but the policy does not apply to them.
Tip
Selecting Deny for the Apply Group Policy permission is also known as security filtering.
As long as the permissions applied to the Authenticated Users group are
not changed, the GPO will still apply to all other users in the domain.
There is another method of using security filtering
to modify the application of a GPO. First, remove the Authenticated
Users group. At this point, the GPO won’t apply to anyone. Then add the
group that you want the GPO to apply to, and configure the permissions.
The following table shows the overall action steps to do this.
Step | Action |
---|---|
1. | Launch the GPMC and browse to the Group Policy. |
2. | Select the Delegation tab. |
3. | Click Advanced. Select Authenticated Users group, and then click Remove. Note: At this point, the GPO does not apply to any users. |
4. | Click Add. Enter the name of the group you want the GPO to apply to and click OK. |
5. | Allow is already selected for the Read permission. Select Allow for Apply Group Policy. Click OK. Note: You might have to scroll down to see Apply Group Policy. |
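The same five steps can be scripted with the GroupPolicy PowerShell module that is installed with the GPMC, which also lets you confirm the resulting scope instead of trusting the dialog. This is an added example, not part of the original article; the GPO name is the one from Figure 1 and the group name Sales Users is a hypothetical placeholder.

```powershell
# Added example: scripted equivalent of steps 1-5, followed by a verification pass.
Import-Module GroupPolicy
$ErrorActionPreference = 'Stop'            # abort on the first failed step

$GpoName     = 'Deploy Sales Application'  # GPO name used in Figure 1
$TargetGroup = 'Sales Users'               # hypothetical group; replace with your own

function Get-GpoApplyScope {
    param([Parameter(Mandatory)][string]$Name)
    # One row per trustee on the GPO's delegation list.
    Get-GPPermission -Name $Name -All | ForEach-Object {
        [pscustomobject]@{
            Trustee    = $_.Trustee.Name
            Permission = $_.Permission     # GpoApply = Read + Apply Group Policy
            Denied     = $_.Denied         # deny flag as reported by Get-GPPermission
        }
    }
}

# Record the delegation before changing it, so the change can be reviewed or reverted.
Write-Host 'Delegation before the change:'
Get-GpoApplyScope -Name $GpoName | Format-Table -AutoSize | Out-Host

# Step 3: remove Authenticated Users. From here the GPO applies to no one.
# -Replace is needed because None is lower than the permission already granted.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null

# Steps 4-5: add the target group with Read and Apply Group Policy set to Allow.
Set-GPPermission -Name $GpoName -TargetName $TargetGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify: only the intended group should hold an allowed GpoApply entry.
$after   = Get-GpoApplyScope -Name $GpoName
$applies = $after | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }

if ($applies.Trustee -contains 'Authenticated Users') {
    throw "Authenticated Users still has Apply Group Policy on '$GpoName'."
}
if ($applies.Trustee -notcontains $TargetGroup) {
    throw "'$TargetGroup' does not have Apply Group Policy on '$GpoName'."
}

Write-Host 'Delegation after the change:'
$after | Format-Table -AutoSize | Out-Host
```

Run it from an account that is allowed to modify security on the GPO, and keep the "before" listing with your change record.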