Security Basics mailing list archives

RE: Applying Group Policies to selective OUs...


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Tue, 3 Jan 2006 12:55:17 -0500

GPOs can only apply to OUs, and the users and computers they contain;
but GPO permissions can be given to users, computers, and security
groups.

Three things must be true for a GPO to apply to a user or computer:
1. GPO must "hit" (i.e. apply) to user or computer...either by being
directly linked to an OU that the user or computer is in, or by being in
an OU that inherits the GPO.
2. The user or computer account (or a security group it is a member of)
must have the Read and Apply Group Policy GPO permissions on the GPO
being applied.
3. Appropriate settings in GPO (computer configuration or user
configuration settings) must be applied to the correct associated object
(computer account OR user account).

By default, all users have the Read and Apply GPO permissions, so only
#1 and #3 have to be ensured usually. You can replace Authenticated
Users with any security group with #2, and it does work as stated unless
something else is going on.

-----Original Message-----
From: Raoul Armfield [mailto:armfield () amnh org] 
Sent: Thursday, December 29, 2005 2:05 PM
To: Jim Gaudet
Cc: security-basics () securityfocus com
Subject: Re: Applying Group Policies to selective OUs...

Jim Gaudet wrote:
> The user object, or computer object have to live in the OU. I found it
> easier to just create a security group, instead of an OU. Then put the
> members in the group, either user or computer. Then on the GPO, remove
> the Authenticated Users group, and replace with the security group you
> just created.
>
> Now the GPO will only be applied to this group.

That is funny, having tested this I found that this does not work.  You
can not apply GPO to security groups or even if you could it becomes an
administrative nightmare.  The whole point of OUs is to divide your
organization into Organizational Units that you can apply policies to.
What if someone needs to be part of a security group but does not need
to have a certain policy applied to them or vice versa?


Raoul



--
Raoul Armfield
rarmfield at amnh dot org
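
A PowerShell rendering of the three-condition check Roger describes above (link, Read + Apply permission, and the right side of the GPO enabled), added here as an example; it is not code from any participant in this thread. It assumes the GroupPolicy RSAT module in a domain-joined administrative session, and the GPO name, security group and OU distinguished name are placeholders. It also carries one caveat that post-dates the thread: since MS16-072 (June 2016) user-side settings are retrieved in the computer's security context, so when Authenticated Users is removed from the filter, computer accounts must keep Read (not Apply) or user settings silently stop applying.

```powershell
# Added example, not from the thread. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

$GpoName     = 'Contoso-Workstation-Lockdown'        # placeholder GPO name
$FilterGroup = 'GPO-Lockdown-Targets'                # placeholder security group
$TargetOuDn  = 'OU=Workstations,DC=contoso,DC=com'   # placeholder OU DN

function Set-GpoSecurityFilter {
    param([string]$Name, [string]$Group)
    # Condition #2: the chosen group receives Read + Apply Group Policy ...
    Set-GPPermission -Name $Name -TargetName $Group -TargetType Group `
        -PermissionLevel GpoApply -Replace | Out-Null
    # ... and Authenticated Users loses it, so only group members process the GPO.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None -Replace | Out-Null
    # Caveat newer than the thread (MS16-072): computers must still be able to READ
    # the GPO so that user-side settings can be fetched in the computer's context.
    Set-GPPermission -Name $Name -TargetName 'Domain Computers' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

function Test-GpoAppliesTo {
    param(
        [string]$Name,
        [string]$OuDn,
        [string]$Trustee,                                     # exact trustee to check (use the filter group)
        [ValidateSet('User','Computer','Group')][string]$TrusteeType,
        [ValidateSet('User','Computer')][string]$Side         # which half of the GPO the object consumes
    )
    $r = [ordered]@{}

    # #1: the GPO must be linked to the OU directly, or inherited from a parent, and the link enabled.
    $inh = Get-GPInheritance -Target $OuDn
    $links = @($inh.GpoLinks) + @($inh.InheritedGpoLinks)
    $r.Linked = [bool]($links | Where-Object { $_.DisplayName -eq $Name -and $_.Enabled })

    # #2: the trustee must hold GpoApply (which includes Read). Get-GPPermission reports the
    # explicit ACE for that trustee only and throws when none exists, hence the try/catch.
    try {
        $perm = Get-GPPermission -Name $Name -TargetName $Trustee -TargetType $TrusteeType -ErrorAction Stop
        $r.Apply = ($perm.Permission -eq 'GpoApply')
    } catch {
        $r.Apply = $false
    }

    # #3: the side of the GPO matching the object type must not be disabled.
    $status = (Get-GPO -Name $Name).GpoStatus
    $r.SideEnabled = switch ($Side) {
        'User'     { $status -notin 'UserSettingsDisabled','AllSettingsDisabled' }
        'Computer' { $status -notin 'ComputerSettingsDisabled','AllSettingsDisabled' }
    }

    $r.WillApply = $r.Linked -and $r.Apply -and $r.SideEnabled
    [pscustomobject]$r
}

# Usage: filter the GPO to the group, then confirm all three conditions for computer members.
Set-GpoSecurityFilter -Name $GpoName -Group $FilterGroup
Test-GpoAppliesTo -Name $GpoName -OuDn $TargetOuDn -Trustee $FilterGroup -TrusteeType Group -Side Computer

# Full current ACL, useful for spotting a stray GpoApply left on Authenticated Users.
Get-GPPermission -Name $GpoName -All | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

The test function checks the ACE for the exact trustee you name, so pass the filter group rather than an individual account; an account that is a member of the group applies the GPO even though no ACE names it. The final `Get-GPPermission -All` listing is the quickest way to confirm that Authenticated Users no longer holds GpoApply while computers retain GpoRead.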

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich
University program offers unparalleled Infosec management education and
the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity
Planning, Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------



