[gptalk] Re: permissions and gpos

  • From: "Bean, Scott" <Scott.Bean@xxxxxxxxxxxxxxxxxx>
  • To: "'gptalk@xxxxxxxxxxxxx'" <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 17 Oct 2008 13:59:48 -0400

After looking at this for a bit, here is what I have come up with.  Here is my 
setup.  At the root of the domain I have a policy. Under the OU of Test I have 
a policy.  Under the OU Lab (which is an OU inside of Test) I have a policy.

Domain policy has computer and user settings
Test OU policy has computer and user settings
Lab OU policy only has user settings

If I don't put Authenticated Users as "apply group policy" allow on the Test OU 
(even though I have a group that my test user is in with the same settings) 
then that policy doesn't get applied, nor does the policy on the Lab OU.  If I 
run the Results wizard on this machine with my test user, without Authenticated 
Users, then I get the following:



Under the computer config summary \ Group Policy Objects \ Applied GPOs
I get the default Domain Policy (but this policy has authenticated users "apply 
group policy")


Under the computer config summary \ Group Policy Objects \ Denied GPOs

Name                                    Link Location         Reason Denied
Local Group Policy                      Local                 Empty
{E12678B5-A484-4084-B0B2-9868F6ECDF9B}  Root domain/Test/     Inaccessible
{BD2C1ECB-FEF4-4AB3-B4B3-6D2D9673D858}  Root domain/Test/Lab  Inaccessible

And under the User config these 2 policies don't even show up.



Now if on the test OU I add authenticated users and "apply group policy" set to 
allow here is what happens:

Under the computer config summary \ Group Policy Objects \ Applied GPOs
I get the default Domain Policy (which has the authenticated users "apply group 
policy" set to allow)
I also get the Test OU Policy (which now has the authenticated users "apply 
group policy" set to allow)

Under the User config I now get all 3, despite the fact that on the Lab OU 
policy I do not have Authenticated Users set, but I do have the group my 
user is in set to allow "apply group policy".


Also, if I take a user that has deny on the Test OU policy, it applies the 
computer config but only denies the user config; should it not deny the whole 
policy?
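The "Inaccessible" rows above are the usual sign that the computer account itself cannot read and apply the GPO: computer settings are evaluated in the context of the computer account, which is covered by Authenticated Users (and Domain Computers), not by a group that only contains users, so a deny ACE on a user group cannot block the computer side. The audit below is an added example, not code from this thread, and assumes the RSAT GroupPolicy module (Get-GPO, Get-GPPermission) on a domain-joined admin session; the trustee names it looks for are an assumption you may need to adjust for your domain.

```powershell
# Added example (not from the thread): list GPOs whose security filtering grants
# "Apply Group Policy" to no trustee that covers computer accounts, i.e. the GPOs
# that Group Policy Results will report as "Inaccessible" on the computer side.
# Assumes the GroupPolicy RSAT module and rights to read GPO ACLs in the domain.
Import-Module GroupPolicy

function Get-GpoComputerFilteringReport {
    param(
        # Trustees whose membership covers every domain computer account (assumed names).
        [string[]]$ComputerCoveringTrustees = @('Authenticated Users', 'Domain Computers')
    )
    foreach ($gpo in Get-GPO -All) {
        # -All returns one entry per trustee on the GPO, including denied entries.
        $perms = Get-GPPermission -Guid $gpo.Id -All

        $applyAllow = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
        $applyDeny  = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and $_.Denied }

        # Does any allow ACE reach the computer account (via a covering trustee)?
        $coveredBy = $applyAllow |
            Where-Object { $ComputerCoveringTrustees -contains $_.Trustee.Name }

        [pscustomobject]@{
            GpoName           = $gpo.DisplayName
            Id                = $gpo.Id
            GpoStatus         = $gpo.GpoStatus          # e.g. AllSettingsEnabled, UserSettingsDisabled
            ComputersCanApply = [bool]$coveredBy
            ApplyAllowedTo    = ($applyAllow | ForEach-Object { $_.Trustee.Name }) -join ', '
            ApplyDeniedTo     = ($applyDeny  | ForEach-Object { $_.Trustee.Name }) -join ', '
        }
    }
}

# Show only the GPOs whose computer settings will be reported as Inaccessible.
Get-GpoComputerFilteringReport |
    Where-Object { -not $_.ComputersCanApply } |
    Format-Table -AutoSize
```

A GPO that should carry only user settings can safely appear in this list if its computer side is disabled (GpoStatus ComputerSettingsDisabled), which also removes the needless "Inaccessible" entry from the Results report.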





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Friday, October 17, 2008 11:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: permissions and gpos

Scott-
This should work if I understand your scenario. How have you granted the deny 
ACE? What are you denying? Have you looked at the Effective Permissions tab in 
the ACL editor to see if it thinks that your computer in question has the 
correct rights?

Darren



From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Bean, Scott
Sent: Friday, October 17, 2008 7:57 AM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: [gptalk] permissions and gpos

I have been upgrading my policies to the new Vista format.  I have a seemingly 
simple question about permissions.  How do I stop the computer configuration 
from being applied to certain groups?  I have to put Authenticated Users as 
apply for the computer configuration to take place.  But if I have a nested 
group and set that as deny, it still gets the computer configuration, which has 
caused a huge problem and headache this Friday morning.

Basically I have a policy that I want one nested group to get but not another.

Thanks in advance,
Scott
