Security Filtering for specific "Links" instead of "GPO"

Guest
Archived from groups: microsoft.public.win2000.group_policy

I have a GPO that uses Security Filtering so that it does not apply to a
particular group of users (Apply Group Policy set to Deny for that
particular security group). The GPO is linked to an OU that has two
subordinate OUs. The settings in the GPO are behaving as intended - the
settings apply to every user except members of the group that has the Deny
setting.

Now, what I would like to do is to change the security group that has the
Apply Group Policy Deny setting for one of the subordinate OUs, but not the
other.

Is there a way to do this without having a second GPO that is identical to
the first except for the difference in the Security Filtering? Or, is there
a different mechanism that can be used to prevent the GPO settings being
applied to particular Security Groups at the subordinate OU level?

The GPO applies User settings. The OU it is linked to has subordinate OUs
that have subsets of Windows 2003 Servers running Terminal Services and
Citrix. A separate GPO, linked to the same OU, enables LoopBack processing
for these OUs, so that the User settings are applied when users log on via
the RDP or ICA client.

The OU hierarchy is:

Terminal Servers - has the LoopBack GPO and the User Settings GPO linked here
|__Set One - contains the computer accounts for a set of Windows 2003 Servers running Terminal Services for Office etc.
|__Set Two - contains the computer accounts for a set of Windows 2003 Servers running Terminal Services for a custom application

The User settings in the GPO do some "lock down" that we don't want applied
to the administrators; the Security Filtering Deny Apply Group Policy
setting accomplishes this, but we've decided that a different group of
people are to be administrators for each set of servers, thus the question.

--
Bruce Sanderson MVP (Printing)

It's perfectly useless to know the right answer to the wrong question.
 
Guest

Settings in the GPO and the ACL for the GPO are not able to be separated for
each link. The link is just a pointer to the GPO. So, you will need to
create two GPOs.

--
Derek Melber
BrainCore.Net
derekm@braincore.net
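A small model of the point made in the reply above, added here as an illustration and not code from the thread: the Apply Group Policy ACL belongs to the GPO, so every link to that GPO is filtered the same way, and per-OU exemptions need one GPO per OU. The group names `SetOne-Admins` and `SetTwo-Admins` are hypothetical, and only the computer-side (loopback) links from the OU tree in the question are modelled.

```python
from dataclasses import dataclass, field

# OU tree from the post: child OU -> parent OU (None ends the walk).
PARENT = {"Terminal Servers": None,
          "Set One": "Terminal Servers",
          "Set Two": "Terminal Servers"}

@dataclass
class GPO:
    name: str
    apply_deny: set = field(default_factory=set)   # groups with Deny on Apply Group Policy
    apply_allow: set = field(default_factory=lambda: {"Authenticated Users"})

    def applies_to(self, groups):
        # The ACL lives on the GPO object; an explicit Deny beats any Allow.
        if self.apply_deny & groups:
            return False
        return bool(self.apply_allow & groups)

def user_gpos(computer_ou, user_groups, links):
    """Names of linked GPOs whose User settings reach a user logging on to a
    server in computer_ou, nearest OU first (computer-side loopback links only)."""
    groups = set(user_groups) | {"Authenticated Users"}
    applied, ou = [], computer_ou
    while ou is not None:
        # A link is only a pointer: it has no ACL, so filtering is whatever
        # the target GPO's ACL says, identically for every OU it is linked to.
        applied += [g.name for g in links.get(ou, []) if g.applies_to(groups)]
        ou = PARENT[ou]
    return applied

def one_gpo_layout():
    # Original setup: one GPO linked at the parent OU, one Deny group (hypothetical name).
    return {"Terminal Servers": [GPO("User Settings", {"SetOne-Admins"})]}

def two_gpo_layout():
    # Same settings in two GPOs, each linked to one sub-OU with its own Deny group.
    return {"Set One": [GPO("User Settings - Set One", {"SetOne-Admins"})],
            "Set Two": [GPO("User Settings - Set Two", {"SetTwo-Admins"})]}

if __name__ == "__main__":
    for layout in (one_gpo_layout(), two_gpo_layout()):
        for ou in ("Set One", "Set Two"):
            for grp in ("SetOne-Admins", "SetTwo-Admins"):
                print(ou, grp, user_gpos(ou, [grp], layout))
```

With the single GPO, a member of the denied group escapes the lockdown on both sets of servers; with two GPOs, each admin group is exempt only on its own servers and still receives the lockdown on the other set.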
 
Guest

Thanks Derek. I suspected as much!

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.

