S
stnkmstrflx
I am having an issue when using Security Filtering in
group policy that is pertaining to computer accounts in a
security group. My current situation is as follows:
-Created a GPO for rolling out SUS configs
-Created a security global group called Hotfix and gave
this group Read and Apply group policy rights to the GPO
-Removed the Authenticated Users group from the DACL on
the GPO
-Added the computer objects that I wanted to apply the
SUS configs to, into the Hotfix security group
-Linked this GPO to the OU that contained the server
computer objects that I want to roll out his fix to
AD Setup:
-Domain is in mixed mode.
-We have prepped the forest with the 2k3 schema mods.
-We have a mix of Win2k3 and Win2k domain controllers
The problem is that under this setup, the computer
objects aren't recieving the updates that I configured in
the GPO. When I use RSoP to view the GPO processing on
one of these boxes, the Hotfix GPO is showing up as a
Denied (Security Filtering). Now, this is strange to me
because I'm not explicitly denying rights to ANY object
on this GPO. And to make it more interesting, if I do
away with the security group, and just add a single
computer object to the DACL (giving the object Read and
Apply group policy rights), then it works fine. I guess
my question is:
-Has anyone seen a problem with computer objects in
security groups, and assigning permissions to a group?
I've done this before in 2000 with rolling out service
packs and it worked fine there. Any suggestions would be
greatly appreciated!
group policy that is pertaining to computer accounts in a
security group. My current situation is as follows:
-Created a GPO for rolling out SUS configs
-Created a security global group called Hotfix and gave
this group Read and Apply group policy rights to the GPO
-Removed the Authenticated Users group from the DACL on
the GPO
-Added the computer objects that I wanted to apply the
SUS configs to, into the Hotfix security group
-Linked this GPO to the OU that contained the server
computer objects that I want to roll out his fix to
AD Setup:
-Domain is in mixed mode.
-We have prepped the forest with the 2k3 schema mods.
-We have a mix of Win2k3 and Win2k domain controllers
The problem is that under this setup, the computer
objects aren't recieving the updates that I configured in
the GPO. When I use RSoP to view the GPO processing on
one of these boxes, the Hotfix GPO is showing up as a
Denied (Security Filtering). Now, this is strange to me
because I'm not explicitly denying rights to ANY object
on this GPO. And to make it more interesting, if I do
away with the security group, and just add a single
computer object to the DACL (giving the object Read and
Apply group policy rights), then it works fine. I guess
my question is:
-Has anyone seen a problem with computer objects in
security groups, and assigning permissions to a group?
I've done this before in 2000 with rolling out service
packs and it worked fine there. Any suggestions would be
greatly appreciated!