Wednesday, 21 September 2016

Applying Group policy specifically on selected security groups of users or computers in Active Directory.

Or, How to apply a group policy on a Security Group in AD?
Or, What is group policy security filtering in Active Directory? 

Descriptions:
In the real world this is a very common requirement: someone in your company asks you to apply a desktop wallpaper or some other control to a few specific users or computers only. You know that you can apply a Group Policy to users or computers based on the OU they are in, but that makes your Group Policy specific to that OU, or OU-oriented.

You also can't simply move a user or computer to another OU, as their existing Group Policies may stop applying or get mixed up and cause lots of issues.

But there are ways to achieve the above requirement:
1. Group Policy Security Filtering
2. Group Policy Loopback Processing

There are some technical concepts that you should understand well before playing with these features, otherwise you may make blunders instead of doing things right.
In this article I will explain the first option, "Group Policy Security Filtering". We will discuss GPO Loopback Processing in the next article.

Additionally, I would suggest not going with Group Policy Loopback Processing if your requirement can be achieved with Group Policy Security Filtering.

What is Group Policy Security Filtering?
Group Policy Security Filtering allows you to apply a group policy to a specific user, computer or security group only. For example, if you have linked a Group Policy to an OU containing 10 users and you have added only two of them to the security filter of that GPO, the settings defined in the GPO are applied only to those two users.

Steps: How to apply group policy on a Security Group in AD or on a specific user?

Select your Group Policy > go to the Scope tab > under Security Filtering, click Add > select your security group and add it here.

Now go to the Delegation tab > make sure the security group you added in the step above appears here > then click Advanced.

Set the permission level of Authenticated Users for the specified Group Policy as shown in the screenshot below. Authenticated Users should have Read rights only and must not be allowed to Apply Group Policy.

Select Authenticated Users > check Read > uncheck Apply Group Policy > click OK to save the changes.

Set the permission level of your security group for the specified Group Policy as shown in the screenshot below. Your security group should have Read and must be allowed to Apply Group Policy.

Select your security group > check Read > check Apply Group Policy > click OK to save the changes.

That's all, my friends. Now you can check your client machines to see whether the applicable GPOs have been applied to them. Run gpupdate /force on both the server and the client to get the result quickly, or try logging off and back on.
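The same Security Filtering change can be scripted and, more importantly, audited. The following is an added example written for this article, not code from the original post: it uses the GroupPolicy PowerShell module (part of RSAT / GPMC) to grant the group Read + Apply, cut Authenticated Users back to Read only, and then check that the GPO's delegation matches the rules above. The GPO name "Wallpaper Policy" and the group "GP-Wallpaper-Users" are assumed placeholders; replace them with your own.

```powershell
# Added example, not part of the original post: Security Filtering via the
# GroupPolicy module (RSAT / GPMC), followed by an audit of the delegation.
# GPO and group names are assumed placeholders.
Import-Module GroupPolicy

$GpoName   = 'Wallpaper Policy'     # assumed: the GPO linked to the OU
$GroupName = 'GP-Wallpaper-Users'   # assumed: the security group that should get the policy

# Scope tab > Security Filtering > Add: the group gets Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Delegation > Advanced: Authenticated Users keeps Read but loses Apply Group Policy.
# -Replace overwrites the existing Authenticated Users entry instead of merging into it.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Audit: does the GPO's delegation match the rules in the article?
#  - Authenticated Users: exactly GpoRead
#  - every group that should receive the policy: GpoApply
#  - nothing else holds GpoApply (that would widen the scope silently)
function Test-GpoSecurityFiltering {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $ApplyGroups
    )
    $perms = Get-GPPermission -Name $Name -All
    $ok = $true

    $auth = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
    if (-not $auth -or $auth.Permission -ne 'GpoRead') {
        Write-Warning "'$Name': Authenticated Users should have GpoRead only (found: $($auth.Permission))"
        $ok = $false
    }

    foreach ($g in $ApplyGroups) {
        $entry = $perms | Where-Object { $_.Trustee.Name -eq $g }
        if (-not $entry -or $entry.Permission -ne 'GpoApply') {
            Write-Warning "'$Name': $g is missing Apply Group Policy (found: $($entry.Permission))"
            $ok = $false
        }
    }

    $unexpected = $perms | Where-Object {
        $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -notin $ApplyGroups
    }
    foreach ($u in $unexpected) {
        Write-Warning "'$Name': $($u.Trustee.Name) can also apply this GPO; remove it if that is not intended"
        $ok = $false
    }
    return $ok
}

if (Test-GpoSecurityFiltering -Name $GpoName -ApplyGroups $GroupName) {
    Write-Host "Security filtering on '$GpoName' is configured as intended."
}

# On a client, refresh and confirm. For a member of the group the GPO should be
# listed under "Applied Group Policy Objects"; for everyone else it should show
# up as filtered out with "Filtering: Denied (Security)".
#   gpupdate /force
#   gpresult /r /scope:user
```

Keeping Read on Authenticated Users, as the steps above do, is not just cosmetic. Since the MS16-072 update (KB3163622, June 2016) user Group Policy is retrieved in the computer's security context, so if computer accounts can no longer read the GPO (which is what happens if you remove Authenticated Users from the Security Filtering list in GPMC instead of only unchecking Apply Group Policy) the user settings silently stop applying. Leaving Authenticated Users with Read, or alternatively granting Domain Computers Read, avoids that, and the audit function above flags the case where Read has gone missing.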

2 comments:

  1. Dear Sir,

    Thanks for sharing this knowledge.
    Please write Articles on the topics of Block Inheritance & Enforced Exception.

    Replies
1. Sure Emran, I will publish an article regarding this very soon. Stay tuned...

      Thanks
