Security Groups in OUs


matt

What type of objects do Group Policies get applied to in OUs? Is it just
user and computer accounts, or do the members of a security group located in
the OU also receive the OU's Group Policies (granted they have access
permission to the Group Policy Object)?

Empirically, I've found that the answer to my question is members of
security groups in the OU do not get the Group Policy, but I have not found
this documented.

Thanks in advance for any insight.

Matt
 

Darren Mar-Elia

Matt-
Only user and computer objects process GPOs. However, you can filter which
user and computer objects within a scope of management process a GPO using
security groups. Does that make sense?
 

Cary Shultz [A.D. MVP]

Good morning, Darren! Good morning, Matt!

Darren, I am going to jump in for a second. Hope that you do not mind. You
are definitely the 'gpoguy' ;-)

Matt,

What Darren is saying is that only the user account objects and the computer
account objects that are located in an OU to which the GPO is linked will be
affected. What Darren means by filtering via group membership is that, by
default, the 'Authenticated Users' security group is granted the READ and
APPLY GROUP POLICY rights to the GPO. This means, simplified, that any user
account or computer account located in this particular OU that authenticates
is going to be able to both read and apply the Group Policies linked to that
OU. You can change this, however.

Let's say that you have an OU in which there are 55 user account objects.
Let's just say that we are going to disable the Display Tab in the Control
Panel ( this seems to be a popular example, so let's just go with it ).
But - and this is the big part - the CEO and her three Assistants are in
this OU -AND- they absolutely must be able to access the Display Tab ( the
CEO normally likes to use 800x600 but gets really annoyed when she is
looking at Excel spreadsheets as 800x600 is too small - so she changes it to
1024x768 ). If you apply this GPO and they are affected she will blow her
top and you could be hitting the pavement really soon! So, what are you
going to do?

Easy! If one does not already exist, create a security group that includes
all of the user account objects that are located in this OU -MINUS the CEO
and her three Assistants - and add this group to the Security tab on the
'Hide Display' GPO. You would also have to remove the Authenticated Users
group. Do not forget to give the group that you created both the READ and
APPLY GROUP POLICY rights!

Now, if you did not want to create a group with 51 members - creating one
with only four members is probably a bit faster, not to mention in this
situation it probably already exists! - then you could use the security
group that has the CEO and her three Assistants as members and simply add
that group to the Security tab of the GPO ( and you would not remove the
Authenticated Users in this case ) and give this group an explicit DENY
either to READ or to APPLY GROUP POLICY - or both!

I hope that this clarifies things even more for you.

Cary
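The security filtering that Darren mentions and Cary walks through above, done from PowerShell rather than the GPMC Security/Delegation tab. This is an added example, not code from either poster; it assumes the RSAT GroupPolicy and ActiveDirectory modules, a GPO named 'Hide Display', and two hypothetical groups, 'HideDisplay-Users' (the 51 users) and 'Exec-Display-Exempt' (the CEO and her three assistants). One caveat the thread predates: since the MS16-072 update (June 2016) the computer account retrieves user GPOs, so if you strip Authenticated Users you must leave computers with Read or the policy silently stops applying.

```powershell
# Added example, not part of the original thread. Assumes RSAT modules and the
# hypothetical GPO/group names below.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = 'Hide Display'

# --- Option 1 (Cary's first approach): allow-list the 51-member group ---------
# GpoApply grants both Read and Apply Group Policy.
Set-GPPermission -Name $gpoName -TargetName 'HideDisplay-Users' `
    -TargetType Group -PermissionLevel GpoApply

# Remove Authenticated Users so nobody outside the group applies the GPO.
# -Replace is required to remove an existing entry.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace

# Caveat (post-MS16-072): computers now read user GPOs in their own security
# context, so give Domain Computers Read back or the user settings never apply.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead

# --- Option 2 (Cary's second approach): deny the 4-member group --------------
# Set-GPPermission cannot write Deny ACEs, so add one directly on the GPO's
# AD object. Deny only "Apply Group Policy", not Read: a Deny Read would also
# hide the GPO from the members if they ever need to administer it, and Deny
# always wins over any Allow they get through other group memberships.
$gpo   = Get-GPO -Name $gpoName
$gpoDn = "CN={$($gpo.Id)},CN=Policies,CN=System,$((Get-ADDomain).DistinguishedName)"

# Extended right GUID for Apply-Group-Policy (fixed schema value).
$applyGroupPolicy = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

$sid = (Get-ADGroup -Identity 'Exec-Display-Exempt').SID
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGroupPolicy)

$acl = Get-Acl -Path "AD:\$gpoDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$gpoDn" -AclObject $acl

# Verify the result: every trustee, its permission level, and whether it is a Deny.
Get-GPPermission -Name $gpoName -All |
    Format-Table Trustee, TrusteeType, Permission, Denied -AutoSize
```

You would normally pick one of the two options, not both; they are shown together only to mirror the two approaches in the post. On the client, `gpresult /r` (or `/h report.html`) lists the GPO under "filtered out" with reason "Security" for a user the deny ACE matched, which is the quickest way to confirm the filter behaves as intended.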
 
