Thread "Gpo.......?" from the 70-217 forum archive, October 2003
adam salam 2003-10-05, 10:57 am
Hi everybody
When I want to apply a GPO for specific Users in my home lab, usually what I am doing is to create an OU, create a new group in that OU, and add the specified Users to that group, then configure my GPO linked to that OU.
That means the specified Users are still contained in the Default Users container.
The problem is that if I didn't Move the specified Users from the Default Users container to that OU, the GPO won't take effect.
When I use the Move command, the GPO works properly.
Is that the correct way for doing that?
Any help will be greatly appreciated
sara_a 2003-10-05, 11:27 am
Hi Adam,
I'm not sure, but I think that GPOs are not applied to security groups. The OU must contain the users, and not a security group that contains those users.
adam salam 2003-10-05, 2:37 pm
quote: Originally posted by sara_a
Hi Adam,
I'm not sure, but I think that GPOs are not applied to security groups. The OU must contain the users, and not a security group that contains those users.
Thanks Sara
By default, the newly created group will be a Global Security group, and this is not the problem in my case; it really is a Security group and not a Distribution group.
So let's look for another reason
curiousgeorge 2003-10-06, 5:19 pm
Adam,
This is from M$
GPO's
The important note is
NOTE: GPOs are applied only to sites, domains, and organizational units. Group Policy settings affect only the users and the computers that they contain. Specifically, GPOs are not applied to security groups.
Great to see you testing all of this out in your lab! Great job!
adam salam 2003-10-07, 5:47 am
quote: Originally posted by curiousgeorge
Adam,
This is from M$
GPO's
The important note is
NOTE: GPOs are applied only to sites, domains, and organizational units. Group Policy settings affect only the users and the computers that they contain. Specifically, GPOs are not applied to security groups.
Great to see you testing all of this out in your lab! Great job!
Yes, if you read my first post:
create an OU, create a new group in that OU, and add the specified Users (pre-created in the Users Container) to that group, then configure my GPO linked to that OU.
But what do they mean by "Specifically, GPOs are not applied to security groups"?
That confused me: I can't apply a GPO to Distribution groups; a GPO can be applied to Security groups only.
The problem I have is as follows:
If I didn't Move the specified Users from the Default Users container to that OU, the GPO won't take effect.
When I use the Move command, the GPO works properly.
Is that the correct way for doing that?
In other words:
When I want to apply a GPO for specific Users:
create an OU, create a new Global Security group in that OU, and make the specified Users members of that group, then configure my GPO linked to that OU. That didn't work for me, but when I MOVE the specified users to that OU the GPO works fine!!!
Any suggestion? Thanks
adam salam 2003-10-07, 7:42 am
As that MS web site says, "Specifically, GPOs are not applied to security groups". Let me tell you what I have done:
From my study of W2K AD there are only two types of groups, Security Groups and Distribution Groups; as far as I know, no permissions can be configured for Distribution Groups, only Security Groups can grant permissions.
But that sentence from MS, "Specifically, GPOs are not applied to security groups", confused me, so I decided to walk through the mud!!! (only to understand what MS means; sorry for my English) by creating a Distribution group, adding Users to it and applying the GPO. Of course the GPO didn't take effect. So what could MS mean by that sentence?
jeff_j_black 2003-10-07, 6:13 pm
Remember LSDOU? GPO can be applied to Local machine, Site, Domain, or OU.
Within that OU, for the GPO to apply, the OU must contain individual users; the GPO assigned to that OU will not apply to groups of any type within the OU, only to users within the OU.
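The following script is an added example and is not part of the thread or of any poster's work. It shows the point jeff_j_black makes: Group Policy resolves what applies to a user from the containers in the user's distinguished name, never from group membership, so a GPO linked to an OU only reaches a user object that actually sits in that OU. It uses the ActiveDirectory and GroupPolicy PowerShell modules (RSAT), which did not exist when the thread was written; the domain, OU name "LabUsers", GPO name "Lab Desktop Restrictions" and user "alice" are assumptions made up for the example.

```powershell
# Added example (not from the thread). Shows why a GPO linked to an OU does not
# reach a user who still sits in the default Users container, and how to list
# which GPO links can reach a user at all. Group Policy looks only at the
# containers in the user's DN, never at the groups the user belongs to.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT) and a lab domain;
# the OU, GPO and user names below are made up for this example.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName     # e.g. DC=lab,DC=example
$ouName   = 'LabUsers'                          # hypothetical OU
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Lab Desktop Restrictions'          # hypothetical GPO
$sam      = 'alice'                             # hypothetical user, created in CN=Users

# Create the OU and the GPO if missing, and link the GPO to the OU (never to a group).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$links = (Get-GPInheritance -Target $ouDn).GpoLinks
if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $ouDn | Out-Null
}

# Walk the containers above the user's own DN and list the enabled GPO links on
# each. CN= containers (Users, Computers, ...) cannot carry GPO links; OUs and
# the domain can. A group the user is a member of never appears in this chain.
function Get-GpoChainForUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn    = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $parts = $dn -split '(?<!\\),'               # split the DN on unescaped commas
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $container = ($parts[$i..($parts.Count - 1)]) -join ','
        if ($parts[$i] -like 'CN=*') {
            [pscustomobject]@{ Container = $container; Gpos = @(); Note = 'container: no GPO links possible' }
        }
        elseif ($parts[$i] -like 'OU=*' -or $container -eq $domainDn) {
            $enabled = (Get-GPInheritance -Target $container).GpoLinks | Where-Object Enabled
            $names   = @($enabled | Select-Object -ExpandProperty DisplayName)
            [pscustomobject]@{ Container = $container; Gpos = $names; Note = '' }
        }
        if ($container -eq $domainDn) { break }
    }
}

"Before the move (user still in CN=Users):"
Get-GpoChainForUser -SamAccountName $sam | Format-Table -AutoSize -Wrap

# Moving the user object into the OU is what makes the OU link count for that user.
Move-ADObject -Identity (Get-ADUser -Identity $sam).DistinguishedName -TargetPath $ouDn

"After the move (user in $ouDn):"
Get-GpoChainForUser -SamAccountName $sam | Format-Table -AutoSize -Wrap

# On a client, after the user's next logon, confirm with: gpresult /r /user lab\alice
```

Before the move the chain shows only the domain-level links and flags CN=Users as a container that cannot carry a link, which is exactly the symptom in adam's first post; after Move-ADObject the OU and its "Lab Desktop Restrictions" link appear. Adding the user to a group inside the OU changes nothing in this output.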
adam salam 2003-10-08, 4:08 am
quote: Originally posted by jeff_j_black
Remember LSDOU? GPO can be applied to Local machine, Site, Domain, or OU.
Within that OU, for the GPO to apply, the OU must contain individual users; the GPO assigned to that OU will not apply to groups of any type within the OU, only to users within the OU.
Great, Great, Great....
That's the problem exactly.
I was thinking I had to create a security group in the OU in question, add the specified users to that group and configure my GPO linked to that OU, but the only way I could make the GPO effective is to MOVE the Users from the Users container to that OU, or to create them in that OU.
So what's the reason to create a Group in that OU and add Users to it?
---------------
Another question is: what could MS mean by "Specifically, GPOs are not applied to security groups"?
---------------
The only Group type I can grant permissions to is Security Groups, so why does MS say that?
adam salam 2003-10-08, 4:18 am
quote: Originally posted by adam salam
Great, Great, Great....
That's the problem exactly.
I was thinking I had to create a security group in the OU in question, add the specified users to that group and configure my GPO linked to that OU, but the only way I could make the GPO effective is to MOVE the Users from the Users container to that OU, or to create them in that OU.
So what's the reason to create a Group in that OU and add Users to it?
-----------
Another question is: what could MS mean by "Specifically, GPOs are not applied to security groups"?
-----------
The only Group type I can grant permissions to is Security Groups
sara_a 2003-10-08, 6:07 am
Ok, I think I know what you mean. Sorry for my English, I'll try to explain myself.
1. As you said, you can only use security groups to grant permissions.
2. GPOs only apply to local machine, site, domain or OU, and specifically not to security groups.
I think that here you are mixing up granting permissions and applying a GPO. It is not the same to grant permissions to printers, files, folders, etc. as to apply a GPO with specific characteristics or whatever...
On one hand you have the possibility to grant permissions to users, and for that you use security groups; on the other hand you can build a GPO to apply it to users or machines, which must be contained in the site, domain or OU to which you link this GPO.
I don't know if I have explained it well; in Spanish I could do it better, I think ;-)
adam salam 2003-10-08, 6:57 am
quote: Originally posted by sara_a
Ok, I think I know what you mean. Sorry for my English, I'll try to explain myself.
1. As you said, you can only use security groups to grant permissions.
2. GPOs only apply to local machine, site, domain or OU, and specifically not to security groups.
I think that here you are mixing up granting permissions and applying a GPO. It is not the same to grant permissions to printers, files, folders, etc. as to apply a GPO with specific characteristics or whatever...
On one hand you have the possibility to grant permissions to users, and for that you use security groups; on the other hand you can build a GPO to apply it to users or machines, which must be contained in the site, domain or OU to which you link this GPO.
I don't know if I have explained it well; in Spanish I could do it better, I think ;-)
Dear Sara
Thanks, what you are saying is correct, but you didn't get me though.
We all know (even my small girl) that a GPO only applies (is linked) to Computers, Sites, Domains or OUs, and not to security groups, though I don't like to use the word Apply but Link, because in reality you don't Apply a GPO to Sites, Domains or OUs, but you Link it to Sites, Domains or OUs, and Apply it to Users.
Sorry, it's like philosophy
The thing that was not clear here (and even MS and all the books that I have read didn't mention it) is that you should Move the individual Users (as Jeff said) to the OU regardless of the membership of those specific Users.
Hope I shed some light here
jeff_j_black 2003-10-08, 10:24 am
quote: So what's the reason to create a Group in that OU and adding Users to it?
Not to complicate things, but you can filter GPO by security group.
Say you want everyone to have the Run command disabled. You make a 'Run Command Disabled' GPO and apply it to the desired container. So let's say you have helpdesk employees in this OU and want to keep them there because you are totally happy with all of the other GPOs that you have linked to that container. But you want helpdesk employees to have access to the Run command. You can put all of your helpdesk employees in a security group and deny Read and Apply permissions for them on the 'Run Command Disabled' GPO. This way they will have all the other desired settings, but because you filtered the 'Run Command Disabled' GPO by using permissions on the helpdesk group, they will have access to the Run command.
The biggest, most complex, yet simple thing to get your mind around is that every single object in AD has an ACL, meaning there is ownership and permissions on everything top to bottom. This is what gives Enterprise Admins their juice. This is what gives Domain Admins their power. This is how to limit helpdesk and field support techs' access to settings that affect the domain or forest.
Simple way to remember what we're discussing:
Link GPO to containers holding computers and users, filter the effects of GPO by security group permissions.
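The script below is an added example, not code from the thread or from jeff_j_black. It carries out the exception he describes: a 'Run Command Disabled' GPO stays linked to the OU for everyone in it, and a Helpdesk security group is excluded from that one GPO by a Deny entry on the "Apply Group Policy" right of the GPO's Active Directory object. It assumes the ActiveDirectory and GroupPolicy modules (RSAT); the GPO name, the group name and the domain are hypothetical. Only Apply is denied here, not Read: the Apply right is what the client checks when it decides to skip a GPO, and leaving Read in place keeps the GPO readable by the computer account, which since MS16-072 reads user GPOs on the user's behalf.

```powershell
# Added example (not from the thread). Security-filter one GPO by group:
# members of 'Helpdesk' keep every other GPO linked to their OU but are
# excluded from 'Run Command Disabled' through a Deny on "Apply Group Policy".
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT); the GPO and
# group names are hypothetical and the GPO is assumed to be linked already.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName   = 'Run Command Disabled'   # hypothetical GPO, already linked to the OU
$groupName = 'Helpdesk'               # hypothetical global security group

$gpo      = Get-GPO -Name $gpoName
$groupSid = (Get-ADGroup -Identity $groupName).SID

# "Apply Group Policy" is an extended right on the GPO's AD object; this is its
# rights GUID. A Deny ACE for the group outweighs the Allow that Authenticated
# Users carry by default, so clients still evaluate the GPO but skip it for
# group members. Set-GPPermission can only grant or remove Allow levels, which
# is why the Deny is written to the object's ACL directly.
$applyGroupPolicyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$adPath = "AD:\$($gpo.Path)"         # Gpo.Path is the DN under CN=Policies,CN=System
$acl    = Get-Acl -Path $adPath

$rights    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$aceType   = [System.Security.AccessControl.AccessControlType]::Deny
$inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$denyApply = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $groupSid, $rights, $aceType, $applyGroupPolicyGuid, $inherit

$acl.AddAccessRule($denyApply)
Set-Acl -Path $adPath -AclObject $acl

# Verify from the Group Policy side: the group now shows a denied entry on this GPO
# while the other trustees (Authenticated Users, Domain Admins, SYSTEM, ...) are unchanged.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Trustee.Name -eq $groupName } |
    Format-Table Trustee, Permission, Denied -AutoSize
```

After the next policy refresh, gpresult /r on a helpdesk member's session lists 'Run Command Disabled' under the filtered-out GPOs with the reason "Access Denied (Security Filtering)", while the OU's other GPOs still apply; a user in the same OU who is not in the group keeps receiving it. Because the decision is an ACL on the GPO object, auditing who can edit that ACL is part of protecting the policy.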
adam salam 2003-10-08, 2:00 pm
quote: Originally posted by jeff_j_black Simple way to remember what we're discussing:
Link GPO to containers holding computers and users, filter the effects of GPO by security group permissions.
That's the point
Thanks everybody
jeff_j_black 2003-10-08, 2:50 pm
Keep up the great work everyone!
sara_a 2003-10-09, 6:54 am
Thank you all. I don't usually write posts, but I read the 217 forum every day, and learn a lot. Adam usually asks all the questions that I have, and you give him really good explanations. Thank you Adam, too.
Regards
Jonoplunk 2003-10-13, 9:10 am
Hello there,
Just reading through this post, if I am correct the initial goal was to control the GPO by means of Security Groups. I wanted to do this as well. The way I got around it was to assign a GPO to the entire tree, at the topmost level, to the objects I wanted it to affect. I then controlled who the policy applied to by changing permissions to the Group that I wanted the policy to apply to. Not the neatest way of accomplishing the task, but it makes it very easy to control who is affected by the policy, by simply adding or removing people to the Security group.
Hope I haven't strayed from the topic of discussion.
JonP
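The following is an added example, not Jonoplunk's own procedure or code. It implements the allow-list variant he describes: the GPO is linked at the top of the tree (the domain here) and the default "Authenticated Users: Apply" is replaced by an Apply grant to one security group, so group membership alone decides who receives the policy and no user object has to be moved. It assumes the ActiveDirectory and GroupPolicy modules (RSAT); the GPO name "Helpdesk Tools", the group "Helpdesk", the user "alice" and the domain are made up. Authenticated Users deliberately keeps Read: since MS16-072 the computer account must be able to read user GPOs, and removing Read as well silently breaks application for everyone.

```powershell
# Added example (not from the thread). Allow-list security filtering of a GPO
# linked at the domain: only members of 'Helpdesk' receive it.
# Assumes the ActiveDirectory and GroupPolicy modules (RSAT); all names are hypothetical.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName
$gpoName   = 'Helpdesk Tools'     # hypothetical GPO
$groupName = 'Helpdesk'           # hypothetical global security group
$member    = 'alice'              # hypothetical user who should get the GPO

# Create the GPO if missing and link it once at the top level (the domain).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
$domainLinks = (Get-GPInheritance -Target $domainDn).GpoLinks
if (-not ($domainLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $domainDn | Out-Null
}

# Authenticated Users: keep Read, drop Apply (-Replace removes the old level first).
# Without Read the computer account could no longer read this user GPO (MS16-072).
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# The group gets Read + Apply; nobody else applies the GPO.
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Membership now decides who receives the policy; the user object stays where it is.
Add-ADGroupMember -Identity $groupName -Members $member

# Review the resulting delegation: Authenticated Users = GpoRead, Helpdesk = GpoApply.
Get-GPPermission -Name $gpoName -All | Format-Table Trustee, Permission, Denied -AutoSize

# A later check that nobody has widened the filter back to everyone:
$wideOpen = Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply' }
if ($wideOpen) { Write-Warning "$gpoName applies to all authenticated users again" }
```

Every domain-joined client still evaluates the domain link at refresh time and skips the GPO when it holds no Apply right, so the filter is enforced by the GPO's ACL rather than by where the user sits. The same Get-GPPermission check at the end is worth running periodically on any filtered GPO, because reverting the Authenticated Users entry to Apply is a one-click change in GPMC that re-exposes the policy to everyone under the link.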
adam salam 2003-10-13, 1:34 pm
quote: Originally posted by Jonoplunk
Hello there,
Just reading through this post, if I am correct the initial goal was to control the GPO by means of Security Groups. I wanted to do this as well. The way I got around it was to assign a GPO to the entire tree, at the topmost level, to the objects I wanted it to affect. I then controlled who the policy applied to by changing permissions to the Group that I wanted the policy to apply to. Not the neatest way of accomplishing the task, but it makes it very easy to control who is affected by the policy, by simply adding or removing people to the Security group.
Hope I haven't strayed from the topic of discussion.
JonP
It depends on the logical structure of your Active Directory domain.
I think the way you mentioned here is not practical; what's the reason for OUs then?
I am not with you in that method of applying GPO; that will affect the network traffic, and the logon process will be slow if not Very slow.
If you're a professional (and you should be) you use containers (OU).
Anyway, your input is greatly appreciated