Group Policy (Inheritance/Filtering)

Guest

I will try and explain this the best I can. We have a new server GPO that we
would like to apply to our organization. Our OU structure is broken down by
region, and each region has their own SERVER OU. We have placed the GPO, let's
say, in SERVER OU 1, and we have applied the GPO to Authenticated Users in SERVER
OU 1. I would like to begin linking this GPO to Server OU 2, 3 and so on,
but only want it to apply to a particular group within each Server OU 2, 3. Is
that possible now that I have already added Authenticated Users to the
filtering? Or do I have to use groups for all and eliminate Authenticated
Users until the very end once all regions have tested the GPO, then apply
Authenticated Users back in and remove the groups? The reason we are using
the groups is because we want a phased approach with rolling out the GPO, but
once an OU and all its servers have it applied, want to apply it to that
Server OU from now on, not having to apply it anymore to the group. That's the
reason I added Authenticated Users in Server OU 1. Sorry if this is totally
confusing you.
 
Herb Martin

DUHAAS said:
> I will try and explain this the best I can. We have a new server GPO that we
> would like to apply to our organization. Our OU structure is broken down by
> region, and each region has their own SERVER OU. We have placed the GPO, let's
> say, in SERVER OU 1, and we have applied the GPO to Authenticated Users in SERVER
> OU 1.

You have the terminology skewed so it isn't completely clear
what you mean to say you have done.

One LINKS the GPO to an OU.

One FILTERS a GPO by using Permissions on a Group (like Auth.Users).
Filtering is NOT a common practice, or at least probably shouldn't be.

The GPO is APPLIED by the OS when the Computer or User logs on
to the Domain and meets the criteria that allow that application
(i.e., Link and given permission).

> I would like to begin linking this GPO to Server OU 2, 3 and so on,
> but only want it to apply to a particular group within each Server OU 2, 3. Is
> that possible now that I have already added Authenticated Users to the
> filtering?

I believe you will have to COPY the GPO (and re-copy it if you ever
change it), since the PERMISSIONS used for filtering are on the GPO
object itself; they can only be set to ONE permission list even if you
LINK the GPO to different containers (e.g., OUs).

> Or do I have to use groups for all and eliminate Authenticated
> Users until the very end once all regions have tested the GPO, then apply
> Authenticated Users back in and remove the groups?

The above paragraph is unclear.

> The reason we are using
> the groups is because we want a phased approach with rolling out the GPO, but
> once an OU and all its servers have it applied, want to apply it to that
> Server OU from now on, not having to apply it anymore to the group. That's the
> reason I added Authenticated Users in Server OU 1. Sorry if this is totally
> confusing you.

Since anyone "getting" the GPO must be authenticated, the use
of this Group for filtering seems a lot of trouble for nothing --
the default permissions use that or Everyone by default.

Generally, when you must use Permission filtering you should
consider if your OU design is flawed.

This will not always be the case, and sometimes such flaws are
either unavoidable or more trouble to correct than to just use
the filtering approach, but usually it's a warning sign at the least.

If you use filtering, you should have a VERY CLEAR understanding
of:

1) How you got yourself into that requirement
2) What the alternatives are

If after reviewing both of those you can make the case for filtering
then it is likely (at least) a decent solution.
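
Added example, not part of the thread: one way to script the copy-per-OU approach from the reply above with the GroupPolicy PowerShell module, including the later switch from a pilot group back to Authenticated Users. The GPO, group, OU and domain names and the `Complete-RegionRollout` helper are hypothetical, and the pilot groups are assumed to contain the servers' computer accounts.

```powershell
# Added example; all names below (GPO, OUs, groups, domain) are hypothetical placeholders.
Import-Module GroupPolicy

$BaseGpo = 'Server Baseline'   # the GPO already linked to SERVER OU 1
$Regions = @(
    @{ Name = 'Region2'; OU = 'OU=Servers,OU=Region2,DC=example,DC=com'; Pilot = 'Region2-Server-Pilot' }
    @{ Name = 'Region3'; OU = 'OU=Servers,OU=Region3,DC=example,DC=com'; Pilot = 'Region3-Server-Pilot' }
)

foreach ($r in $Regions) {
    $copy = "$BaseGpo - $($r.Name)"

    # A copy has its own ACL, so filtering it does not change who gets the base GPO.
    if (-not (Get-GPO -Name $copy -ErrorAction SilentlyContinue)) {
        Copy-GPO -SourceName $BaseGpo -TargetName $copy | Out-Null
    }

    # Pilot phase: the pilot group gets Read + Apply on the copy.
    Set-GPPermission -Name $copy -TargetName $r.Pilot -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Authenticated Users keeps Read but loses Apply; -Replace is needed to lower a level.
    Set-GPPermission -Name $copy -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # Link the copy to the region's server OU unless it is already linked there.
    $linked = (Get-GPInheritance -Target $r.OU).GpoLinks.DisplayName
    if ($linked -notcontains $copy) {
        New-GPLink -Name $copy -Target $r.OU -LinkEnabled Yes | Out-Null
    }
}

# Hypothetical helper: once a region has tested the GPO, apply it to the whole OU.
function Complete-RegionRollout {
    param([string]$GpoName, [string]$PilotGroup)
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $PilotGroup -TargetType Group `
        -PermissionLevel None -Replace | Out-Null
}

# Review the resulting security filtering on each copy.
foreach ($r in $Regions) {
    Get-GPPermission -Name "$BaseGpo - $($r.Name)" -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}
```

Because each copy is a separate object, any later change to the base GPO has to be carried over to the copies, as the reply points out.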
 
