
Group Policy Security Filtering


Raziel014 (Technical User), Nov 1, 2005
Hi! I am an administrator of a school. And I'm having a bit of trouble with the Group Policy of my domain.

I can't quite understand how the group policies are functioning. I have two OUs, one for the employees and one for the students.


As you can see, I want to separate the group policies so that the correct policy is set for the correct user group or OU.

BUT, even though I select the correct group to a group policy, it doesn't apply! Take the Administrator policy as an example. I want this policy to apply to Administrators ONLY! And yet, when I use the Policy Result Wizard and select any Student User, it says that the Administrator policy is applied to it! Why? I haven't selected any of the users or group to this policy.


This temp user shouldn't have the administrator policy applied at all. In fact this user should have the "no access to Internet" policy, which I have applied using Security Filtering.


So my question is, doesn't this work at all? Or do the Group Policies apply only to OUs?

I'm happy for ANY reply AT ALL! :)
 
First, get rid of that administrators policy on top of your domain; make an OU for administrators and place the administrators in that OU. You only need one policy on top of your domain; there you can handle the account policies, nothing else.

Second, all the persons who are in the elev OU will receive the "standardbruker" and the "ingen tillgang till internet" policies because you placed the elev OU in the brukere OU.

If you want to see whether your policy, and which policy, is applied to a user, open a DOS prompt on the user's PC and run gpresult; this will give you an idea of the groups they are in and the policies that have been applied to the user or computer. If you run gpupdate the policy will be reapplied, so if you run gpresult again you can see what changed.

Keep the OU nesting in mind and try again. It's a bit hard the first time you use OUs and policies, but after a few days of practice you will see you get it the right way.

Regards, Lars.

Network admin for worldwide freight forwarders company.
MCP, MCSA: Messaging, MCSE 2003
 
"Second, all the persons who are in the elev OU will receive the "standardbruker" and the "ingen tillgang till internet" policies because you placed the elev OU in the brukere OU."

But isn't that what the Security Filtering is for? You're saying that I can't create a group policy (ingen tilgang til internett) and add single users and/or groups directly to that policy using security filtering? This policy has only incorrect proxy settings, nothing else. I just want the policy to override the "standardbruker" policy's proxy settings, and then just simply add the user(s) I want to block access to the Internet using the security filtering.

And I am using gpresult, because it's a function in Group Policy Manager.

But you see I've been working on this for about half a year now! ^_^ Well, among MANY other things as well.
Some of the policies work like they should, so the students haven't noticed anything abnormal.
But I'm trying out several things with the policies.

Btw: We're running terminal services with this server, meaning we only have thin clients using the 2003 Server.

Now, the group policy looks like this.
 
When you make an OU, you are right-clicking the brukere OU and doing New Organisational Unit; you are wrong there. You need to right-click the domain and do New Organisational Unit. Just place all the users who need the same settings in the same OU and make a policy. Don't nest the groups in one another. This way you can make things easy for yourself.

If you have an OU with 6 people in it who need the proxy settings and 6 who don't need them, right-click the policy and do Edit; then the new window opens. Right-click the policy at the top and do Properties; on the Security tab, set Deny Read and Deny Apply Group Policy for the users to which you don't want to apply it. That way it works for me.

Regards, Lars
 
Don't use security filtering for applying policies to people; apply the policy to an OU, that's what they are for, and place the people in the OU.
And don't place OUs in OUs if you don't understand inheritance of policies.
Policies apply from top to bottom. If you are in an OU, and that OU is in another OU, and that OU in another, and the first OU says no wallpaper change, the second one says you can change it and the last one says you can't, then the last one will overrule the other two. Still following me? :)

Lars
 
"I just want the policy to override the "standardbruker" policy's proxy settings. And then just simply add the user(s) I want to block access to the Internet using the security filtering."

Give the users you want to have proxy settings that don't let them connect to the Internet Deny Read and Deny Apply Group Policy on the "good proxy settings policy", and vice versa.

I have an MSN policy in my domain, and the people who can use it are the people whom I denied reading and applying the policy...

Lars
 
Ok, so the easiest thing to do would be to create an OU which I can call, say, "Ingen tilgang til Internett" and then just place the users I want to have no access to the Internet in that OU?

Then I understand.

Btw: I can't just apply "not read" on the policy for every user, because there are MANY users! It would be easier to have everyone not have access to the policy and then remove the non-access for the users I want to have access. Yeah.

So I think I'll go for the new OU method: creating a new OU which has a policy IDENTICAL to the "Standardbruker" policy, only with wrong proxy settings. I guess that would be the easiest way of doing it.
 
You don't have to apply Read on the policy that must be applied to a user; all my security filtering is on the default "AUTHENTICATED USERS".
You need to read my comments better....

Lars.
 
So "authenticated users" includes all domain user accounts and computer accounts that have been authenticated by the domain controller on the network then, huh?

So that's why a group policy linked to an OU applies to all users in that container. In other words, say if I have an OU and one or more child OUs and have a GPO linked to the first OU, it's not a good idea to link another GPO to the child OU? Because the first GPO will override the second GPO anyway?

Unless I remove the "authenticated users" from the security filtering then? But that's not a good idea anyway, since it can cause chaos if I'm to look for errors at a later stage.

So I'll just go for the new OU then, as I said before. It's the easiest thing to do and makes it cleaner and tidier.
And I would read your comments better if you used correct grammar. It's very hard to understand anything when you write without commas and sort of push one or more sentences into one sentence.
But it's all right! :) I got what you were telling me and learned a lot from you!
 
That's true; the second GPO is overriding the first, but only if you have conflicting policies in them. Just find the biggest possible group, make an OU for them, and if you want to link a "default users policy" to it and a second "proxy settings" policy linked to it that's just for a few people, make the second one, "proxy settings", apply, and give the users who don't need it Deny Read and Deny Apply Group Policy.

I had a course that took a week to learn this, and after that I had to study this at home, did the exam, and in the real world I even had some problems rolling it out in my domains. It's just a hard thing; playing around will get you where you want to be on this.

(I took some grammar lessons too; that's one thing I will never learn, I am sorry.)

Regards, Lars
 
By the way:

Let's say you have a group of sales workers, and, let's say, ten people are working on a project that needs an application installed on their machines.
This is where I should make a child OU under the sales OU, place the sales people who need the application in that OU, and link a GPO to the child OU that will publish the application to the child OU users.
All the sales users have the same GPO applied, and the child OU users have their application.
In this situation it has a clear meaning, and after the project is done you move the child OU users back to their parent OU.

Regards, Lars.
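As an added example (not code from the thread or from any of its posters), the two checks Lars's advice turns on, written for the GroupPolicy PowerShell module that ships with later Windows Server versions (the thread's 2003 server has only GPMC and gpresult): which trustees a GPO actually applies to through its security filtering, and the order in which GPOs linked up the OU chain take precedence. The domain name, OU paths and GPO names are assumptions based on the thread.

```powershell
# Added example, not code from the thread. Requires the GroupPolicy RSAT module
# (Windows Server 2008 R2+). Names below are assumptions based on the thread.
Import-Module GroupPolicy

function Get-GpoApplyScope {
    # Lists the trustees that hold (or are denied) "Apply group policy" on a GPO.
    # Security filtering is exactly this ACE: by default Authenticated Users
    # holds it, so the GPO reaches every user and computer in its link scope,
    # which is why a GPO linked at the domain root hit the student accounts.
    param([Parameter(Mandatory)][string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo     = $GpoName
                Trustee = $_.Trustee.Name
                Type    = $_.Trustee.SidType
                Denied  = $_.Denied   # True for the "deny apply" entries Lars describes
            }
        }
}

function Get-OuGpoPrecedence {
    # Shows the GPOs that reach an OU, nearest link first. InheritedGpoLinks
    # is already ordered by precedence: the link closest to the user wins a
    # conflicting setting over parent-OU and domain links unless a parent
    # link is Enforced, which is the wallpaper example from the thread.
    param([Parameter(Mandatory)][string]$OuDistinguishedName)
    $inheritance = Get-GPInheritance -Target $OuDistinguishedName
    $rank = 0
    foreach ($link in $inheritance.InheritedGpoLinks) {
        $rank++
        [pscustomobject]@{
            Precedence = $rank
            Gpo        = $link.DisplayName
            LinkedAt   = $link.Target
            Enabled    = $link.Enabled
            Enforced   = $link.Enforced
        }
    }
    if ($inheritance.GpoInheritanceBlocked) {
        Write-Warning "Inheritance is blocked on $OuDistinguishedName; parent links apply only when Enforced."
    }
}

# Constructed domain "skole.local" with the thread's OU and GPO names.
Get-GpoApplyScope -GpoName 'Ingen tilgang til internett' | Format-Table -AutoSize
Get-OuGpoPrecedence -OuDistinguishedName 'OU=Elev,OU=Brukere,DC=skole,DC=local' |
    Format-Table -AutoSize
```

Compare the second listing with `gpresult /user <account> /v` run as that user on the terminal server: a GPO that shows up here but not in gpresult is being filtered out by its Apply ACEs, not by the OU structure.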
 
I just did it this way now.


Now I have an OU called "Ingen tilgang til internett" which is completely separated from the other GPOs except the local policy and the domain and domain controller policies, which don't have any particular settings anyway.

The only thing now is that I need to make the same settings in this new policy (ingen tilgang til internett) as in the "standardbruker" policy.

This is actually ok because I'm now the only admin here at this school and the other one needs to learn this too. He's actually my boss (main admin), and he understood this when I did it this way. :)

So I know I could have just messed around with the rights and stuff, but I prefer to keep it as simple as possible. KISS (keep it simple stupid) ;)
 
I would place the administrators OU completely separate from the brukere OU, like the domain controllers OU, because the administrators aren't normal brukere users.
Place the ingen tillgang till internet OU under the brukere OU (at the bottom).

This way the standard brukere GPO is applied to the ansatt, elev and ingen tillgang till internet OUs.


And link the "ingen tillgang till internet" GPO to the ingen tillgang till internet OU, if there are no other settings than the proxy setting you are talking about. This way the standard brukere GPO would apply to the ingen tillgang till internet users too; they are "standard brukere" as well, I assume.

Good luck, Lars
 
You wouldn't by any chance know of any way to make sure that users who are disconnected automatically get logged off?

Because now when a user logs in and walks away from the terminal, he gets disconnected. But that means that no one other than that user or an administrator can open the client again!
 
Btw: The Administrator users don't get the "standardbruker" policy because I removed the "authenticated users" with security filtering within the "standardbruker" policy.

I have used the Group Policy result wizard and I see what policies are applied to certain users etc. And it works fine.
 
Ok, I have found out something important now. We have Novell on our school with ZENworks, if you've heard about it. It's sort of the same system as AD, and there we have policy packages that set the proxy! I found this out by logging on my test user on the workstation only, and the policy for no access to Internet worked! And I logged off and tried logging on WITH Novell the next time (nothing changed in AD or GPO) and suddenly the proxy WAS set to the correct one!

This only means that we need to get a newer version of ZENworks that can understand the difference between XP and 2003 Server, because the one we have now thinks that any user that logs on to the 2003 server is a user logging on to an XP machine!

But again,

What's also interesting is that when I run the GPO result wizard on the user I'm testing, proxy settings don't appear! And I can't understand why!


This is with administrator logged in and has nothing to do with Novell. What could be the reason for this? Is it possible that the Novell ZENworks policies interfere with 2003 Server's policies?
 
I don't know, but isn't it difficult enough the way it was, without Novell interfering in this policy area?

I see that you have your own ideas about things, and that's good. The way I showed you is Microsoft best practice, and if you have your own ideas about things you need to play around and find out why you should do things the way you should.

Have fun!

Lars.
 