Archived from groups: microsoft.public.win2000.security (
More info?)
"Paul Adare" wrote:
> In article <8B215909-AC33-4C05-BA8C-ACA9DF1C08FE@microsoft.com>, in the
> microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> <Smurfman@discussions.microsoft.com> says...
>
> So you're going to explain to me how Group Policy works now? Ok.
Listen I am not trying to pick a fight here.
>
> Let's start with getting some basic terminology sorted out:
>
> > If you create a Policy
>
> You never create a Policy, you create a Group Policy Object, and that
> GPO will contain various settings.
When I say Policy, I mean it in a broad sense, I am referring to the GPO,
which as you admitted defaults to "apply" to the Authenticated Users. Based
on what I am seeing, you can perform Filtering by removing the Authenticated
Users from the list, and assign a specific "group" that you would like to
apply the "policy" (GPO containing the set of templates in which settings
have been made) to.
>
> > the permissions to Read and Apply that policy may
> > typically be the Authenticated Users Group.
>
> The default DACL on a GPO do in fact include Authenticated Users with
> Read and Apply, correct.
>
> > However, if you modify the
> > policy and add the disired groups to that policy to apply the policy to that
> > specific group instead of the global Authenticated Users group, and either
> > apply the policy to the GPO that specific users are a member of,
>
> One cannot be a member of a GPO.
>
When I say add a desired group to a GPO, the above was what I was referring
to, I think if you attempt to read to much into the terminology, you miss the
basics of what I am asking, that was why I posted the question in the first
place. Realizing of course that if I add a group, users whatever to the
Security of the GPO to APPLY (better verbiage?), then in any place that I
apply that GPO to an OU, then the groups and users will specifically get the
"settings" contained in that GPO (or as I like to say the policy). A good
example, might be to publish the Active Directory Admin Tools to your admins,
you create a Domain Policy (GPO) and then remove the Authenticated Users, but
add only your Admins to apply the policy to, so that the Published Software
is installed.
> > or apply it
> > to a default domain policy, then only the groups or members that are listed
> > on the permissions tab will have the policy applied to them.
>
> Correct, assuming of course the the GPO is linked somewhere that the
> user or computer will even be able to process it in the first place.
>
> For example, if you have OUA and OUB, both at the same level in the
> domain, and you have userB in OUB. You create a GPO and set the
> permissions on the GPO such that userB has Read and Apply permissions,
> it won't matter how often you log on with the userB account, nor what
> the permissions are on the GPO, userB will never process the GPO. Taking
So is the GPO just created on the Group Policy tab of the OUB? If it is, I
would disagree that it would not work. A good example of this might be a
custom desktop picture. Globally for the domain you lock down any changes to
the display, and background. But on an OU level you create a GPO called
"userB" make userB the only user that the GPO is Applied to. In the Desktop,
you define a custom desktop picture, and path. I do this now, who gets the
picture? Only userB, even though in the OU there are lots of other users. So
I must be mis-understanding what you are saying above.
> this one step further, you create a group in OUA and make userB a member
> of that group, and change the permissions on the GPO linked to OUA such
> that the group in OUA that has userB as a member has Read and Apply
> permission, that GPO will _still never_ be processed by userB.
I understand what you are saying here, since a user can only be a member of
1 OU, the GPO can only be applied to that OU in which the user would be a
member of. BUT, in my model I am not creating Groups that spread across
OU's. In OUA, I would have a GROUP called OUAUsers in which I would add all
of the users in that OU to that group, that I would want applied. In OUB, I
have another group called OUBUsers with all of those users from that OU in
it. I create a GPO that has both of those Groups as part of the Apply rather
than the Authenticated Users by default, I also Deny the GPO to the Domain
Admins and Enterprise Admins for Apply but leave the read write change the
same. I apply the GPO to both OUs (OUA and OUB) Now suppose I want to add a
user to OUA, but not have that GPO apply to them. Poof, already done, even
though they are a member of that OU, I bypass them in the application of the
GPO, because I did not make them a member of the OUAUsers or OUBUsers to whom
the GPO is being applied. An example might be someone who is part of that
OU, who has Admin rights whereby you might not want to lock them down, but
keep them part of that OU for organizational reasons.
>
> >
> > In my example, the OU "Shipping Department" has in the container the Group
> > "Shipping" and User1 and User2. User1 and User2 are also members of the
> > Group "Shipping". If I create a GPO and apply it to the OU, the default
> > setting will be for Authenticated Users to Read and Apply. But suppose that
> > I only want to apply the policy to User2, perhaps it is a very custom setup
> > of there environment, etc etc. I can remove the Authenticated Users from
> > the Permissions Tab, and add only User2 for Apply. Thereby skipping any
> > policy application on User1. Or, if I specifically want a group, so that no
> > matter who gets added to the group, all objects in that group can have the
> > policy applied to them. This would be particularly useful when placing a GPO
> > on the Domain Level for specific groups to be applied to (but not all
> > Authenticated Users) and thereby reduce the need to link each OU with the
> > GPO, you can do it from one place, but have it only apply to those groups
> > containing those users and/or computers that you have assigned to it.
>
> Once again, you do not assign a GPO to a group. You can certainly use
> the DACLs on a GPO to filter which users and computers the GPO will be
> processed by, but only if that GPO is linked in the directory in a
> location that the user or computer account would process the GPO in the
> first place.
> >
Don't get caught up on semantics...I think you understood what I was
attempting to say. Filter is the correct word, you are right.
> > "You put things you want to control in an OU. Then you grant control to a
> > group." -MArk Minasi. Basically assigning permissions for folders, shares
> > etc etc including applying a GPO (hence the name GROUP Policy Object). You
> > can not assign an OU Permissions, but you can control the members and groups
> > of that OU with a Policy.
>
> Sorry sport, but the Group part of Group Policy has nothing to do with
> groups that contain user or computer accounts. Its name arises from the
> fact that you can GROUP policy settings into objects known as Group
> Policy Objects.
>
By the way, you never answered my original question, rather you attacked how
YOU might have done something or how you thought it should have been done.
> >
> > "Paul Adare" wrote:
> >
> > > In article <22EC86FC-D478-4A8F-AC42-862FDEA06AE6@microsoft.com>, in the
> > > microsoft.public.win2000.security news group, =?Utf-8?B?U211cmZtYW4=?=
> > > <Smurfman@discussions.microsoft.com> says...
> > >
> > > > Thanks, so barring adding each computer to the policy where I think a user
> > > > might log into, would this work: Adding the Computers to the Groups in which
> > > > the policy is applied to.
> > >
> > > Group Policy I s not applied to groups, you have a fundamental
> > > misunderstanding on how Group Policy works.
> > >
> > > > So that an OU called "Shipping Department" has a
> > > > group assigned to it called "Shipping". Members of the Shipping group are
> > > > user1 and user2. A policy is created with Permissions to apply a Trusted
> > > > Root Certificate to the Shipping Group,
> > >
> > > As above, this isn't the way Group Policy works.
> > >
> > > > which would install the certificate I
> > > > want but only for those particular users. Am I correct in saying that I
> > > > should just add the computers that are physically located in the Shipping
> > > > Department to the group Shipping, so that all Computer Policies are applied
> > > > to the machine?
> > >
> > > The GPOs that are applied to a user or computer have nothing to do with
> > > the group membership of that user or computer (except that you can
> > > control whether or not a GPO can be processed through the use of ACLs on
> > > the GPOs). The location of the user or computer account in the directory
> > > determines which GPOs will be processed.
> > > >
> > > > I kind of thought that the computer policies would apply to the computer
> > > > that a particular user logged into, not the a specific computer? Can we
> > > > verify this? That link that I included for accomplishing these steps, said
> > > > nothing about adding specific users, in fact it was a Default Domain Policy?
> > >
> > > The Default Domain Policy, being at the highest level in the domain
> > > tree, will be processed by all users and computers in the domain.
> > >
> > > In your case, you need to examine the OUs that contain the computer
> > > accounts of the computers that these users will be using, and then use a
> > > GPO that is high enough in the domain tree to be processed by these
> > > computers.
> > >
> > > You should read up on Group Policy. There is a lot of good information
> > > on how this works on the Microsoft web site.
> > >
> > > --
> > > Paul Adare
> > > "On two occasions, I have been asked [by members of Parliament],
> > > 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> > > will the right answers come out?' I am not able to rightly apprehend
> > > the kind of confusion of ideas that could provoke such a question."
> > > -- Charles Babbage (1791-1871)
> > >
> >
>
> --
> Paul Adare
> "On two occasions, I have been asked [by members of Parliament],
> 'Pray, Mr. Babbage, if you put into the machine wrong figures,
> will the right answers come out?' I am not able to rightly apprehend
> the kind of confusion of ideas that could provoke such a question."
> -- Charles Babbage (1791-1871)
>