[gptalk] Re: permissions and gpos

  • From: "Nelson, Jamie" <Jamie.Nelson@xxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 17 Oct 2008 15:13:46 -0500

From what you explained in your first post it sounds like you are trying
to deny computer policy from being applied based on a group of user
accounts. If that is the case, it won't work.

 

When group policy processes computer configuration settings, it doesn't
care what user is logged on. It is running under the NT AUTHORITY\SYSTEM
principal, which is the equivalent of the computer's object in AD
(COMPUTERNAME$). So, you would need to deny a security group containing
the computer objects, not users.

 

If you're trying to get certain user policies to apply based on the
computer they're logging into, you need to look into enabling loopback
processing mode. This is common for lab, kiosk, and terminal server
scenarios, and since you mentioned a "lab" OU, it might be what you're
after.

Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com
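
The two points above (computer settings are evaluated as COMPUTERNAME$, so the filtering group must contain computer objects; loopback processing is what ties user settings to the machine) can be carried out and verified from the GroupPolicy PowerShell module. The script below is an added example, not code from the thread or from any of its authors. The GPO name "Lab Policy", the groups "Lab-Computers" and "Lab-Users", the computer "LAB-PC01" and the user "CONTOSO\labuser" are constructed placeholders.

```powershell
# Added example: scope a GPO's computer settings to a group of *computer*
# objects, enable loopback for the user side, then verify the result.
# Assumes the GroupPolicy RSAT module and a GPO / groups that exist in
# the domain (names below are hypothetical).
Import-Module GroupPolicy

$gpoName       = 'Lab Policy'      # hypothetical GPO name
$computerGroup = 'Lab-Computers'   # group whose members are COMPUTERNAME$ objects
$userGroup     = 'Lab-Users'       # group of user accounts, used only for reporting

# 1. Take "Apply group policy" away from Authenticated Users but keep Read.
#    Set-GPPermission writes Allow entries only (it cannot create Deny ACEs),
#    so the GPO is scoped by who is *allowed* to apply it. Read is kept
#    because, since MS16-072 (KB3163622), user policy is also retrieved in
#    the computer's security context and the computer account must be able
#    to read every GPO it evaluates.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 2. Grant Apply (which implies Read) to the computer group. Computer
#    configuration is processed as NT AUTHORITY\SYSTEM, i.e. COMPUTERNAME$,
#    so this trustee decides whether the computer side of the GPO applies.
Set-GPPermission -Name $gpoName -TargetName $computerGroup -TargetType Group `
    -PermissionLevel GpoApply

# 3. Loopback processing in "replace" mode, so user settings in this GPO
#    follow the computer the user logs on to (lab / kiosk / terminal server).
#    UserPolicyMode: 1 = merge, 2 = replace.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# 4. Verify the ACL: every trustee that can apply this GPO should be a
#    computer group (or a group you deliberately chose), not a user group.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object Trustee, TrusteeType, Permission

# 5. Resultant Set of Policy for one computer/user pair, the scripted
#    equivalent of the Results wizard. The "Denied GPOs" section of the
#    report lists the reason (for example "Inaccessible") for each GPO
#    that was filtered out.
Get-GPResultantSetOfPolicy -Computer 'LAB-PC01' -User 'CONTOSO\labuser' `
    -ReportType Html -Path "$env:TEMP\rsop-lab.html"
```

Step 1 deliberately removes the Apply right instead of adding a Deny entry: a Deny on a user group never affects the computer side, as explained above, and a Deny on a computer group is harder to audit than a short Allow list. Run step 4 before and after the change; if Authenticated Users still shows `GpoApply`, the `-Replace` in step 1 did not take effect.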

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Bean, Scott
Sent: Friday, October 17, 2008 1:00 PM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: [gptalk] Re: permissions and gpos

 

After looking at this for a bit, here is what I have come up with.  Here
is my setup.  At the root of the domain I have a policy. Under the OU of
Test I have a policy.  Under the OU Lab (which is an OU inside of Test)
I have a policy.  

 

Domain policy has computer and user settings

Test OU policy has computer and user settings

Lab OU policy only has user settings

 

If I don't put Authenticated Users as "apply group policy" allow on the
Test OU (even though I have a group that my test user is in with the
same settings) then that policy doesn't get applied, nor does the policy
on the Lab OU. If I run the Results wizard on this machine with my test
user, without Authenticated Users, then I get the following:

Under the computer config summary \ Group Policy Objects \ Applied GPOs 

I get the default Domain Policy (but this policy has authenticated users
"apply group policy")

 

 

Under the computer config summary \ Group Policy Objects \ Denied GPOs

Name                                    Link Location         Reason Denied
--------------------------------------  --------------------  -------------
Local Group Policy                      Local                 Empty
{E12678B5-A484-4084-B0B2-9868F6ECDF9B}  Root domain/Test/     Inaccessible
{BD2C1ECB-FEF4-4AB3-B4B3-6D2D9673D858}  Root domain/Test/Lab  Inaccessible

And under the User config these 2 policies don't even show up.

Now if on the Test OU I add Authenticated Users with "apply group policy"
set to allow, here is what happens:

 

Under the computer config summary \ Group Policy Objects \ Applied GPOs

I get the default Domain Policy (which has the authenticated users
"apply group policy" set to allow)

I also get the Test OU Policy (which now has the authenticated users
"apply group policy" set to allow)

 

Under the User config I now get all 3, despite the fact that on the Lab
OU policy I do not have Authenticated Users set, but I do have the
group my user is in set to allow "apply group policy".

Also, if I take a user that has deny on the Test OU policy, it applies the
computer config but only denies the user config. Should it not deny the
whole policy?

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Friday, October 17, 2008 11:12 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: permissions and gpos

 

Scott-

This should work if I understand your scenario. How have you granted the
deny ACE? What are you denying? Have you looked at the Effective
Permissions tab in the ACL editor to see if it thinks that your computer
in question has the correct rights?

 

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Bean, Scott
Sent: Friday, October 17, 2008 7:57 AM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: [gptalk] permissions and gpos

 

I have been upgrading my policies to the new Vista format. I have a
seemingly simple question about permissions. How do I stop the computer
configuration from being applied to certain groups? I have to put
Authenticated Users as apply for the computer configuration to take
place. But if I have a nested group and set that as deny, it still gets
the computer configuration, which has caused a huge problem and headache
this Friday morning.

 

Basically I have a policy that I want one nested group to get but not
another.

 

Thanks in advance,

Scott
