GPO apply to Universal Group?


George

Hi,

1) Can I set up a GPO and apply it to a universal group? I believe not, as I
think the domain is the boundary for GPOs. Am I correct?

2) I have a W2K terminal server that will be accessed by users in the same
forest but from different domains. There is a GPO set up to lock down this
server and this GPO applies to a universal group. The policy setting
(template) is aimed at the user and not the machine. This lockdown policy doesn't
seem to work properly (that is, the policy does apply based on the secedit
result, but the lockdown didn't take effect correctly). What could be wrong?

3) Is there any other way to achieve this?

Any help is appreciated.

George
 

Todd J Heron

Hi,

> 1) Can I set up a GPO and apply it to a universal group? I believe not, as I
> think the domain is the boundary for GPOs. Am I correct?

You cannot apply a GPO to groups. GPOs apply only to Local Machine, Site, Domain or
OU. OUs hold the user accounts and computers to which GPOs get applied. You
can filter GPOs to not apply to the objects, or put them in a Universal group
if you wish and not have the GPO apply to it. A domain is the management
boundary for GPOs. But you're mixing that up with the whole idea of what a
GPO actually applies to.

> 2) I have a W2K terminal server that will be accessed by users in the same
> forest but from different domains. There is a GPO set up to lock down this
> server and this GPO applies to a universal group. The policy setting
> (template) is aimed at the user and not the machine. This lockdown policy doesn't
> seem to work properly (that is, the policy does apply based on the secedit
> result, but the lockdown didn't take effect correctly). What could be wrong?

You need to leverage Group Policy Loopback Processing Mode. It effectively
takes the 'User Configuration' settings from a GPO and applies (merges) them
to the computer object instead of to the user. Check out the links below
for further information.

Loopback Processing of Group Policy:
http://support.microsoft.com/kb/231287/EN-US/

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/windowsserver2003/techinfo/overview/lockdown.mspx

How to apply Group Policy objects to Terminal Services servers:
http://support.microsoft.com/default.aspx?scid=kb;en-us;260370

> 3) Is there any other way to achieve this?

Not that I know of.
 

Herb Martin

George said:
> Hi,
>
> 1) Can I set up a GPO and apply it to a universal group? I believe not, as I
> think the domain is the boundary for GPOs. Am I correct?

Technically no, but you can achieve that effect
through filtering.

GPOs are not assigned or linked to groups but to
Domains and OUs (or Sites).

By setting the permissions you can however remove
the default "everyone" (Apply_Policy) permission
and set that only for the Universal group to which you
wish it to apply (along with Read.)

Although this might not be the best way to carry out
your goal.

> 2) I have a W2K terminal server that will be accessed by users in the same
> forest but from different domains. There is a GPO set up to lock down this
> server and this GPO applies to a universal group.

GPOs set to affect a COMPUTER will not be based
on the User account though.

GPOs set to affect users need to be applied when they
log on to their own domain and will NOT be the same
GPOs across domains (or at least the same application)
since GPOs do NOT inherit across domains.
(You can copy and/or link them to multiple domains
however.)

There is an exception to the above, "Loopback processing",
where you recalculate the USER GPO set of policies based
on the computer account.

> The policy setting
> (template) is aimed at the user and not the machine. This lockdown policy doesn't
> seem to work properly (that is, the policy does apply based on the secedit
> result, but the lockdown didn't take effect correctly). What could be wrong?

It will usually have to be linked through EACH domain
separately (unless you use loopback processing.)

> 3) Is there any other way to achieve this?

What precisely is "this"?
 

George

Thanks, both of you gentlemen (Herb & Todd).

I have read the articles and would like to make sure that my understanding is
correct:

My original question:
"I have a W2K terminal server that will be accessed by users in the same
forest but from different domains. There is a GPO set up to lock down this
server and this GPO applies to a universal group. The policy setting
(template) is aimed at the user and not the machine."

My objective is:
To permission (security filter) users from a Universal Group to have the
same machine settings as well as their own "User" settings from other GPOs
that apply to users.

Then I could:
- put this machine in its own OU (not strictly necessary, but more
flexible)
- apply the GPO to lock down the machine (a terminal server) in Loopback
processing mode and in Merge mode.

George
 

Herb Martin

George said:
> Thanks, both of you gentlemen (Herb & Todd).
>
> I have read the articles and would like to make sure that my understanding is
> correct:
>
> My original question:
> "I have a W2K terminal server that will be accessed by users in the same
> forest but from different domains. There is a GPO set up to lock down this
> server and this GPO applies to a universal group. The policy setting
> (template) is aimed at the user and not the machine."

That would be "Universal group has Permissions" --
the GPO can not be linked to a Group, it must be
linked to either of a Site, Domain, or OU.

Since users are from different domains, only the
Site would be able to apply to users from anywhere
in the forest.

The other choices would require linking the GPO
to the Domain or OU in each domain (of relevant
users.)

> My objective is:
> To permission (security filter) users from a Universal Group to have the
> same machine settings as well as their own "User" settings from other GPOs
> that apply to users.

The above is (nearly) incomprehensible.

Computer and User settings are distinct
(even though they can be set in the same
GPO.)

> Then I could:
> - put this machine in its own OU (not strictly necessary, but more
> flexible)
> - apply the GPO to lock down the machine (a terminal server) in Loopback
> processing mode and in Merge mode.

This will apply the GPOs linked to the computer's
containers to the user -- but of course the settings
will be those of the User portion.
 

George

Herb, thank you for your explanation one more time (and your patience
too).

I fully understand that GPOs are "linked" to either a site, domain or OU.
When I said "apply" I actually mean the normal "AGP" and "Read"
permissioning (security filtering).

My last and only question is whether I can AGP (Apply Group Policy)
through permission and security filtering to a Universal group? (Whether
the policy is in Loopback Processing mode or not is another question.) And if the
answer is yes, and since my GPO is linked to an OU and will not be processed
"across" domains, does it mean that only the users who are members of the
linked GPO's OU domain (my own domain) will process the GPO, while users
from other domains but in the same universal group will not?

Appreciate your opinion.

George
 

Herb Martin

George said:
> Herb, thank you for your explanation one more time (and your patience
> too).
>
> I fully understand that GPOs are "linked" to either a site, domain or OU.
> When I said "apply" I actually mean the normal "AGP" and "Read"
> permissioning (security filtering).

Then just call it filtering so that it will apply
to those groups (only.)

The terms Enable, Link, Filter, & Apply all have
specific technical meanings as related to GPOs.

> My last and only question is whether I can AGP (Apply Group Policy)
> through permission and security filtering to a Universal group?

Yes -- you can CONTROL the application of that
policy through permissions, granting both READ
and Apply to any group which should use it and
removing the apply (or both) permission from any
which should not.

Typical is to remove the permissions for Everyone,
add the permissions (R, AGP) for the SPECIFIC
group, and DENY_AGP for the Admins (who otherwise
have full control.)

With READ, the admins can still read the policy but,
absent the (denied) AGP, it will not affect them.

> (Whether
> the policy is in Loopback Processing mode or not is another question.)

Yes, this is how the application will be attempted,
or how (in some sense) the linkage will be calculated
or implemented.

> And if the
> answer is yes, and since my GPO is linked to an OU and will not be processed
> "across" domains,

No, since an OU can only be in one Domain it
will only apply to objects in that container, or
in the case of Loopback to users who are at a
machine in that container....

AS LONG as the permissions allow this application.

> does it mean that only the users who are members of the
> linked GPO's OU domain (my own domain) will process the GPO, while users
> from other domains but in the same universal group will not?

See above.

> Appreciate your opinion.

It's not an opinion.
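The two mechanisms discussed in this thread, security filtering of a GPO to a universal group (Herb's last reply) and loopback processing in Merge mode on the terminal server's own OU (Todd's reply), can be set up and verified from the GroupPolicy PowerShell module. The script below is an added example, not code from anyone in the thread; the module postdates Windows 2000 and needs RSAT / Windows Server 2008 R2 or later, but the underlying settings (the GPO ACL and the UserPolicyMode registry policy) are the same ones the thread describes. The GPO name "TS-Lockdown", the OU "OU=TerminalServers,DC=corp,DC=example" and the universal group "TS-Users" are assumed names.

```powershell
# Added example (not from the thread). Requires the GroupPolicy module (RSAT or
# Windows Server 2008 R2+). All names below are assumptions.
Import-Module GroupPolicy

$GpoName = 'TS-Lockdown'                                  # assumed GPO name
$OuDn    = 'OU=TerminalServers,DC=corp,DC=example'        # assumed OU holding the TS computer object
$Group   = 'TS-Users'                                      # assumed universal group in the linking domain

# 1) Link the GPO to the OU that holds the terminal server's computer object.
#    A GPO links to a site, domain or OU; it is never linked to a group.
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes -ErrorAction Stop | Out-Null

# 2) Security filtering: take "Apply Group Policy" away from Authenticated Users
#    (-Replace drops their existing Read+Apply and leaves Read only), then grant
#    Read+Apply to the universal group alone. Universal group membership is
#    carried in the token of a cross-domain user, so the filter matches them too.
#    Caveat: since MS16-072 the *computer* account must still be able to read the
#    GPO for its user-side settings to process, so keep Read for Authenticated
#    Users (or grant Read to Domain Computers) rather than removing it entirely.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3) Loopback processing, Merge mode. This writes the Computer Configuration
#    registry policy behind "User Group Policy loopback processing mode":
#    UserPolicyMode 1 = Merge (user's own GPOs, then the computer's user-side
#    settings on top), 2 = Replace (only the computer's user-side settings).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 4) Read back what was written: the ACL (trustee / permission) and the loopback value.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Format-Table -AutoSize
Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System'

# 5) On the terminal server run "gpupdate /force", then from a session of a
#    cross-domain member of the group run "gpresult /scope:user /r": the
#    lockdown GPO should be listed under applied user objects even though the
#    user's account lives in another domain, because loopback processed it
#    from the computer's OU.
```

Two points worth checking when this still "applies per secedit but does not lock anything down", as in George's symptom: the user-side settings only reach cross-domain users through loopback, so step 3 has to be in a GPO that applies to the computer object (here, via the OU link), and Merge mode lets the user's own domain GPOs run first, so a conflicting setting from those is overridden by the computer's GPO only because the loopback pass runs last; if the user's policies must be ignored entirely, use Replace (value 2).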
 