PC Review



Block Group Policy Settings Based on Group Membership

 
 
Brian Jorgenson, 25th Aug 2004
I am having trouble filtering a policy. At the root of our OU
structure, I want to apply a policy that makes certain changes to IE.
However, certain users that belong to a certain group should not
inherit this policy. These users are scattered across multiple OUs
inheriting the above policy, but they are all part of a group. How can
I block this policy based on group membership?

Thanks,
Brian
 
Mark Renoden [MSFT], 25th Aug 2004
Hi Brian

You should be able to achieve this by denying Read and Apply for this group.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (E-Mail Removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

 
Brian Jorgenson, 26th Aug 2004
Mark Renoden [MSFT] wrote:
> Hi Brian
>
> You should be able to achieve this by denying Read and Apply for this group.


By applying deny read, I lose all access to this group, even if the
administrator account is not part of this group.

I have found a different solution and a different problem. Using Group
Policy Object Editor, I can add groups, users, etc. for security
filtering. The filtering only works on built-in groups and Active
Directory users but not on groups that I create. For example, I am
part of Domain Admins and if I add only Domain Admins to the security
filtering, it works. If I add a different group called webusers (which
I am also a member of) it doesn't work. What is happening?

 
Kenneth MacDonald, 26th Aug 2004
On Thu, 26 Aug 2004 08:35:50 +1000, Mark Renoden [MSFT] wrote:

> Hi Brian
>
> You should be able to achieve this by denying Read and Apply for this group.


In fact, denying Apply is enough, and has the benefit that the user can
still read the GPO for reporting and listing/linking.

Cheers,

Kenny.

 
Brian Jorgenson, 26th Aug 2004
Kenneth MacDonald wrote:
> On Thu, 26 Aug 2004 08:35:50 +1000, Mark Renoden [MSFT] wrote:
>
> > Hi Brian
> >
> > You should be able to achieve this by denying Read and Apply for this group.
>
> In fact, denying Apply is enough, and has the benefit that the user can
> still read the GPO for reporting and listing/linking.
>
> Cheers,
>
> Kenny.


What about the issue with security groups not working in the scope filtering?
 
Mark Renoden [MSFT], 27th Aug 2004
Hi Brian

I'm not sure what the distinction is. Can you explain the two methods
you're attempting to use in more detail?

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team

 
Brian Jorgenson, 27th Aug 2004
Mark Renoden [MSFT] wrote:
> Hi Brian
>
> I'm not sure what the distinction is. Can you explain the two methods
> you're attempting to use in more detail?


Here is the scoop: I am using Microsoft's Group Policy Management
Tool. On the Scope tab where you can use security filtering, it
specifically says that you can add a group, user, or computer for
filtering. If I add a group, it does not work. It only works on users
and computers. If I add built-in groups like Domain Users or Domain
Admins, then those groups work, but any group I create will not work.
What am I missing?

 
Darren Mar-Elia, 27th Aug 2004
Brian-
Perhaps the issue here is that this security filtering means that, of the
users and computers who are targeted by a GPO, you can filter among them
using security groups. In other words, let's say I have a GPO linked to the
Finance OU, and I have a bunch of users and groups in that OU. First off, by
virtue of being linked to that OU, any user policies I set on that GPO will
be processed by all users within that OU. But maybe I only want to apply
that GPO to a subset of the users in that OU, who happen to belong to the
"Finance Lockdown" security group. I can then use the security filtering
feature in GPMC to control that GPO's effects within that OU. But the key
here is that security filtering must target users and computers that are
already processing the GPO by virtue of their position in AD and where that
GPO is linked. In other words, in my example above, let's say I had another
user, who is in the Engineering OU, but is a member of a security group
(let's call it "Other Users") that resides in the Finance OU. Because Group
Policy only applies to user and computer objects, no amount of security
filtering that I do on that Finance GPO for the "Other Users" group will
affect that user in the Engineering OU, because that user is not processing
the GPO linked to the Finance OU.

Well, that was a fairly roundabout description, but hopefully it helps?
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com



 
Bruce Sanderson, 29th Aug 2004
Perhaps I don't understand everything here, but if you use the GPMC
Delegation tab, you can adjust who can do what to the GPO. One of the
available "permissions" is "Apply Group Policy". If this permission is set
to "Deny" for a particular user account or group, the GPO will not be
applied to that user or the members of that group.

1. select the GPO in the left pane of GPMC
2. select the Delegation tab
3. click the Advanced button at the bottom right
4. if the group you want the GPO NOT to apply to is already present select
it. If the group is not present, use the Add button and add it and make it
the selected group
5. add a check mark to the Deny column on the Apply Group Policy row
6. click OK

Now, any member of the group that has Deny - Apply Group Policy setting will
not have the settings in this particular GPO applied to them even if their
user account is in the "Scope" of the GPO.

http://www.microsoft.com/windows2000...s.asp#heading6
describes this approach, but using the default Group Policy tool from the
Active Directory Users and Computers MMC snap-in (that is replaced when GPMC
is installed). My understanding is that the steps above are the GPMC
equivalent steps to what is described in this document.

See also
http://support.microsoft.com/default...315675&sd=tech.

Note that if the user (or users) are in an OU that is NOT in the scope of
the GPO, adjusting the "Apply Group Policy" permission will not have any
effect because the GPO won't be selected for processing for that user in the
first place. You can't force a GPO to be applied to a user via the GPO
permissions; you can only prevent it from applying to users that would
otherwise have it applied because of the user's account location in the OU
hierarchy.

Keep in mind that only the User Configuration settings are applied on a per
user basis. Settings in the Computer Configuration part of a GPO apply to a
computer no matter who logs on at it.

--
Bruce Sanderson MVP

It is perfectly useless to know the right answer to the wrong question.


 
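As an added example (it is not from any post in this thread), here is what Bruce's six Delegation-tab steps look like when scripted with the RSAT GroupPolicy and ActiveDirectory PowerShell modules, with Darren's in-scope precondition checked first and Kenny's advice to leave Read alone followed. The GPO name "IE Settings", the group "IE-Exempt" and the user "alice" are hypothetical; the script assumes a single domain, a user whose DN has no escaped commas, and an account allowed to modify the GPO's security.

```powershell
# Added example, not from the thread. Requires the RSAT GroupPolicy and
# ActiveDirectory modules and rights to modify the GPO's permissions.
# GPO, group and user names are hypothetical placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'IE Settings'   # hypothetical: the GPO linked at the top of the OU tree
$GroupName = 'IE-Exempt'     # hypothetical: members must NOT receive the GPO
$TestUser  = 'alice'         # hypothetical: a member of IE-Exempt, used to verify

$gpo   = Get-GPO    -Name     $GpoName
$group = Get-ADGroup -Identity $GroupName
$user  = Get-ADUser  -Identity $TestUser

# 1. Scope check (Darren's point): a Deny ACE can only remove a GPO that already
#    reaches the user through a link at or above the user's OU. The split assumes
#    no escaped commas in the user's DN.
$userOu  = ($user.DistinguishedName -split ',', 2)[1]
$inScope = (Get-GPInheritance -Target $userOu).InheritedGpoLinks |
           Where-Object { $_.GpoId -eq $gpo.Id }
if (-not $inScope) {
    throw "'$GpoName' is not linked at or above $userOu; filtering it would change nothing."
}

# 2. Group scope (Steve's suggestion): the thread proposes a global group, so flag
#    a domain local group before interpreting the result.
if ($group.GroupScope -eq 'DomainLocal') {
    Write-Warning "$GroupName is a domain local group; the thread suggests a global group."
}

# 3. Deny the "Apply Group Policy" extended right to the group on the GPO's AD
#    object (its groupPolicyContainer under CN=Policies,CN=System). Read is not
#    touched, so members can still see and report on the GPO (Kenny's point).
$applyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # rightsGuid of Apply-Group-Policy
$gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"
$acl   = Get-Acl -Path "AD:\$gpoDn"
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID
$ace   = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicy)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# 4. Read the result back, the way GPMC's Delegation > Advanced dialog shows it:
#    the group should now appear with Permission GpoApply and Denied = True.
Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Trustee.Sid.Value -eq $sid.Value } |
    Format-Table Trustee, Permission, Denied -AutoSize
```

Two things to expect afterwards. On a workstation where alice next logs on, `gpresult /r /scope user` lists the GPO under the GPOs that were not applied, with the reason "Filtering: Denied (Security)"; a user whose OU is outside the link's scope never shows the GPO at all, which is the distinction Darren and Bruce draw. And because the script writes the AD ACL directly rather than through GPMC, GPMC may report that the GPO's SYSVOL and Active Directory permissions are inconsistent and offer to synchronise them; Set-GPPermission keeps both sides in step but only offers allow levels (GpoRead, GpoApply, GpoEdit, None), so a Deny ACE has to be written this way or in the GUI.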
 
Steven L Umbach, 30th Aug 2004
If you are using a domain local group to filter the policy, try adding the users to a
domain global group and give that global group deny permissions to see if that
works. --- Steve

