GPO not applied in special security context

  • Thread starter Torsten Valentin

Torsten Valentin

Hello!
I have to ensure that a GPO is applied to certain hosts only. These hosts are
to be determined by membership of a group, _not_ by moving the host out of
"computer" into a different OU.
To achieve this, I bound the GPO ("MyGPO") to the Domain root and modified
the security-settings of that GPO in the following way:
- removed "read" and "apply" from "authenticated users" (did NOT set any deny
  flag!)
- added the group "GR test"
- set Security-settings "read" and "apply" to "GR test"

Then I added a number of hosts to group "GR test". However, the problem is
that the GPO "MyGPO" is not applied to hosts that are members of the group
"GR test" (GPResult says: "Filtering: Refused (security)"). If (in the GPO's
security settings) I delete the group "GR test" again and add the group
"Authenticated users" again (and set read and apply permissions), the GPO is
used properly. Likewise, if I do this with one of the hosts itself that is a
member of the group "GR test". But I cannot get it working by adding a group
to the GPO's security settings.
This is really killing me.
Thanks in advance for any help!
T.
 

Dmitry Korolyov

Do you have more than one domain?
Do you use domain local groups for security filtering?
Use global groups for GPO security filtering.

--
Dmitry Korolyov
(e-mail address removed)
To e-mail me, remove "nospamformorons"
from the address.


"Torsten Valentin"
 

Torsten Valentin

> Do you have more than one domain?
No.
> Do you use domain local groups for security filtering?
> Use global groups for GPO security filtering.
I did. But nevertheless I have this problem. Meanwhile I found out that the
problem might lie in that the host does not really become a member of that
group:
In the AD I add the host "foo" to the group "GR test". But when I run
GPResult on host "foo", the group "GR test" is not listed within the list of
groups "foo" is a member of. But when I take a look at the DC again, I can
see that host "foo" _IS_ a member of group "GR test". I believe that this
could be the reason for the GPO (with the security settings to apply for
group "GR test") to not be applied.
But how come? What can I do?
 

Torsten Valentin

This has been solved meanwhile. The reason was that the group had been
created by a VB script with getobject("LDAP://...") and that this group had
not been created properly. I took another function to create the group and
now it works.

T.
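
A directory-side check for the setup discussed in this thread, as an added example that is not part of any post: it verifies the group's category and scope, the host's membership, and the group's permission on the GPO. The names 'MyGPO', 'GR test' and 'foo' come from the thread; the function name `Test-GpoGroupFilter` is hypothetical, and the ActiveDirectory and GroupPolicy PowerShell modules are assumed to be installed.

```powershell
# Added example. 'MyGPO', 'GR test' and 'foo' are the names used in the thread;
# Test-GpoGroupFilter is a hypothetical helper name.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT) in a domain session.
Import-Module ActiveDirectory, GroupPolicy

function Test-GpoGroupFilter {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $ComputerName
    )
    $findings = @()

    # 1. Resolve the group by name and check the attributes filtering depends on.
    $groups = @(Get-ADGroup -Filter "Name -eq '$GroupName'")
    if ($groups.Count -ne 1) {
        return "Found $($groups.Count) groups named '$GroupName'; expected exactly 1"
    }
    $group = $groups[0]
    if ($group.GroupCategory -ne 'Security') {
        # Distribution groups are never placed in an access token.
        $findings += "Group category is $($group.GroupCategory), not Security"
    }
    if ($group.GroupScope -ne 'Global') {
        $findings += "Group scope is $($group.GroupScope); the thread advises Global"
    }

    # 2. Membership as stored in the directory (direct or nested).
    $computer = Get-ADComputer -Identity $ComputerName
    $member = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.distinguishedName -eq $computer.DistinguishedName }
    if (-not $member) { $findings += "$ComputerName is not a member of '$GroupName'" }

    # 3. GPO ACL: GpoApply is the "Read" plus "Apply group policy" pair.
    $perm = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Trustee.Sid.Value -eq $group.SID.Value }
    if (-not $perm) {
        $findings += "'$GroupName' has no entry on GPO '$GpoName'"
    } elseif ($perm.Permission -ne 'GpoApply') {
        $findings += "'$GroupName' has $($perm.Permission) on '$GpoName', not GpoApply"
    }

    if ($findings.Count -eq 0) { 'No directory-side problem found' } else { $findings }
}

Test-GpoGroupFilter -GpoName 'MyGPO' -GroupName 'GR test' -ComputerName 'foo'
```

These checks cover only what the directory stores. A running host keeps the group list from its last logon to the domain, so a newly added group shows up in GPResult on the host only after a restart.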
 
