Security Filtering in Group Policy


stnkmstrflx

I am having an issue when using Security Filtering in
group policy that is pertaining to computer accounts in a
security group. My current situation is as follows:

-Created a GPO for rolling out SUS configs
-Created a security global group called Hotfix and gave
this group Read and Apply group policy rights to the GPO
-Removed the Authenticated Users group from the DACL on
the GPO
-Added the computer objects that I wanted to apply the
SUS configs to, into the Hotfix security group
-Linked this GPO to the OU that contained the server
computer objects that I want to roll out this fix to

AD Setup:
-Domain is in mixed mode.
-We have prepped the forest with the 2k3 schema mods.
-We have a mix of Win2k3 and Win2k domain controllers

The problem is that under this setup, the computer
objects aren't receiving the updates that I configured in
the GPO. When I use RSoP to view the GPO processing on
one of these boxes, the Hotfix GPO is showing up as a
Denied (Security Filtering). Now, this is strange to me
because I'm not explicitly denying rights to ANY object
on this GPO. And to make it more interesting, if I do
away with the security group, and just add a single
computer object to the DACL (giving the object Read and
Apply group policy rights), then it works fine. I guess
my question is:
-Has anyone seen a problem with computer objects in
security groups, and assigning permissions to a group?
I've done this before in 2000 with rolling out service
packs and it worked fine there. Any suggestions would be
greatly appreciated!
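A defender-side check of the setup listed above, added here as an example; it is not part of the original thread and not something the poster or the MVP ran. It uses the GroupPolicy and ActiveDirectory PowerShell modules (RSAT on current Windows, i.e. newer tooling than the Windows 2000/2003 era of this thread). The group name Hotfix comes from the post; the GPO display name and the OU distinguished name are placeholders you replace. The last step records the caveat a practitioner checks first when RSoP reports "Denied (Security Filtering)" for a computer that is in the right group: a computer's group membership is read into its token at startup, so a machine added to the group while running keeps its old token until it reboots.

```powershell
# Added diagnostic script, not from the thread. Assumes the GroupPolicy and
# ActiveDirectory modules (RSAT). Placeholder values are marked as such.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'SUS Config'                    # placeholder: display name of your GPO
$GroupName = 'Hotfix'                        # from the post
$TargetOU  = 'OU=Servers,DC=example,DC=com'  # placeholder: OU the GPO is linked to

# 1. The GPO's ACL. The filtering group needs Read + Apply (GpoApply covers
#    both) and no Deny entry for a group the computers also belong to.
Write-Host "== Permissions on '$GpoName' =="
$acl = Get-GPPermission -Name $GpoName -All
$acl | Select-Object Trustee, TrusteeType, Permission, Denied | Format-Table -AutoSize

$groupAce = $acl | Where-Object { $_.Trustee.Name -eq $GroupName }
if (-not $groupAce) {
    Write-Warning "'$GroupName' is not on the GPO's ACL at all."
} elseif ($groupAce.Permission -ne 'GpoApply') {
    Write-Warning "'$GroupName' has '$($groupAce.Permission)', not GpoApply (Read + Apply)."
}
$denies = $acl | Where-Object { $_.Denied }
if ($denies) { Write-Warning "Deny entries present: $($denies.Trustee.Name -join ', ')" }

# 2. The link. The GPO must be linked to the OU that actually holds the
#    computer objects, and the link must be enabled.
Write-Host "== GPO links on $TargetOU =="
(Get-GPInheritance -Target $TargetOU).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order | Format-Table -AutoSize

# 3. The group. Confirm it is a global *security* group (a distribution
#    group never appears in a token) and list its computer members.
$group = Get-ADGroup -Identity $GroupName
Write-Host "Group scope: $($group.GroupScope), category: $($group.GroupCategory)"
$computers = Get-ADGroupMember -Identity $GroupName |
    Where-Object { $_.objectClass -eq 'computer' }
Write-Host "Computer members: $($computers.Name -join ', ')"

# 4. Computers in the OU that are NOT in the group will legitimately show
#    'Denied (Security Filtering)' in RSoP. Listing them separates the
#    expected denies from the unexpected one.
Write-Host "== Computers directly in $TargetOU =="
Get-ADComputer -Filter * -SearchBase $TargetOU -SearchScope OneLevel -Properties MemberOf |
    ForEach-Object {
        [pscustomobject]@{
            Computer      = $_.Name
            InFilterGroup = ($_.MemberOf -contains $group.DistinguishedName)
        }
    } | Format-Table -AutoSize

# 5. Token caveat. Group membership for a computer account is evaluated
#    when the machine starts; adding it to the group in AD does not update
#    the token of a running machine, so policy is still filtered against
#    the old membership until the next reboot. gpresult shows the groups
#    the computer really has in its token; compare that list with step 3.
Write-Host "On each member server run:  gpresult /scope computer /r"
Write-Host "and look for '$GroupName' under 'The computer is a part of the following security groups'."
```

Run it from a domain-joined admin workstation with RSAT; steps 1 to 4 use only AD and SYSVOL reads, step 5 is the command to run on the target server itself. If step 3 shows the right members but gpresult on the server does not list the group, the token is stale and a reboot of that server is the fix, not a change to the GPO.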
 

Cary Shultz [A.D. MVP]

I might suggest that you also post this to the Softwareupdatesvcs News Group
as someone in there might be able to help as well.

It sounds like you have the GPO set up *mostly* properly from a technical
point of view. However, one thing that I have noticed that you did not
mention was that you created an Organizational Unit and placed all of the
computer account objects in that OU and then created / linked the GPO to
that OU. The fact that you are using a Security Group to filter to which
computer accounts this GPO is applied might lead me to think that the
computer accounts are located elsewhere - like in the default 'Computers'
container.

You have to link the GPO to an OU and that OU has to contain the objects (
either user account objects or computer account objects ) to which you want
that particular GPO to apply. The time that you would use a security group
to filter the GPO is when you have all of your users or computers in one OU
and you can not / do not want to change the OU structure ( say, maybe,
because you have several other GPOs linked to that OU and to restructure
things would really mess things up / cause a lot of extra work ) that you
currently have. In this case, you simply remove the Authenticated Users
from the GPO and replace it with a home-grown Security Group.

Is this what you have done?

HTH,

Cary
 

Guest

I must have not been accurate in my description, but yes,
the computer objects are in the same OU that I am linking
the GPO to. Like I said, if I take the group away and
just add the computer object to the DACL, it works fine.
I'm thinking that it may be a problem with adding
computer objects to security groups in a mixed mode
domain...any other suggestions? Thanks!
 

Cary Shultz [A.D. MVP]

No, you were clear. I just overlooked it. Sorry.

There should be no problem doing this. The fact that the domain is in mixed
mode should not have any bearing on this. Mixed Mode or Native Mode simply
determine if you can have functioning WINNT 4.0 BDCs in your environment (
and a few other things - like group nesting and Universal Security Group ).

I am assuming that the security group Hotfixes is a global security group,
correct?

And the thing that I overlooked is that you are applying this to servers.
They are member servers, correct?

HTH,

Cary
 

Guest

Correct on both accounts....
 

Cary Shultz [A.D. MVP]

Have you tried placing the security group in the OU where the computer
accounts are located. I would really not think that this would solve
anything - in this case - but let's try this.

Also, is it imperative that you use the filter? Are there other server
objects in this OU to which you do not want this GPO to apply? If the
answer is 'no', then maybe consider bringing back the 'Authenticated Users'
security group and see if that works.

I am going to post over to the softwareupdatesvcs NG to see if we are
overlooking anything obvious. I have not yet made use of SUS....but we are
going to start using it in July for several clients.

HTH,

Cary
 

Guest

I have tried it with the security group in the same OU
that the GPO is linked to; same problem. As far as
putting Authenticated Users back, that does work, but I
want to use security filtering. I know I could place them
in a separate OU to deploy the updates, because that is
in fact what I am doing as a work around. However, I've
done this type of security filtering before to deploy
service packs in my previous job and I had no problems.
Let me know if you find anything. Thanks again for your
efforts...
 

Cary Shultz [A.D. MVP]

That would be your choice. If you are putting only member servers in this
OU and nothing else and you want all of the member servers to receive the
GPO then I might go with Authenticated Users.

However, I understand your point that if something should be available and
you want to use it then you should be able to use it. So far no one has
replied to my post in Softwareupdatesvcs.

Cary
 

Guest

Well thanks for trying. I appreciate the help. And if I
figure it out, I'll post the resolution. Thanks again!