Or, How to apply a group policy on a Security Group in AD?
Or, What is group policy security filtering in Active Directory?
Descriptions:
In the real world this is a very real requirement: someone in your company may ask you to apply a desktop wallpaper or some other control to specific users or computers. As you know, you can apply Group Policy to users or computers based on the OU they are in. This means your Group Policy becomes OU-specific, or OU-oriented.
You can't move a user or computer to another OU, because its existing Group Policies may go away or get mixed up, which can cause a lot of issues.
But there are ways to achieve the requirement stated above:
1. Group Policy Security Filtering
2. Group Policy Loopback Processing
There are some technical concepts that you should understand well before working with these features; otherwise you may make blunders instead of doing things right.
In this article I will explain the first option, "Group Policy Security Filtering". We will discuss GPO Loopback Processing in the next article.
Additionally, I suggest not using Group Policy Loopback Processing if your requirement can be met with Group Policy Security Filtering.
What is Group Policy Security Filter?
A Group Policy security filter allows you to apply a Group Policy to a specific user, computer or security group. For example, if you have applied a Group Policy to an OU that contains 10 users and you have added only two of those users to the security filter of that GPO, the settings defined in the GPO will be applied only to the two users that were added to the security filter.
Steps: How to apply group policy on a Security Group in AD or on a specific user?
Select your group policy > Go to the Scope tab > Under Security Filtering, click the Add button > Select your Security Group and add it here.
Now go to the Delegation tab > Make sure the security group you added in the step above appears here > Click Advanced.
Set the Authenticated Users permission level for the specified Group Policy as shown in the screenshot below. Authenticated Users should have Read rights only and must not be allowed to Apply group policy.
Select Authenticated Users > Enable the check mark on Read > Uncheck the option Apply Group Policy > Click OK to save the changes.
Set the Security Group permission level for the specified Group Policy as shown in the screenshot below. Your Security Group should have Read and must be allowed to Apply group policy.
Select your Security Group > Enable the check mark on Read > Enable the check mark on Apply Group Policy > Click OK to save the changes.
That's all, my friends. Now you can check your client machines to see whether the applicable GPOs are applied to them. Run gpupdate /force on both the server and the client to get the result quickly, or try logging off.
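The same permission layout can be set and then checked from PowerShell with the GroupPolicy module that ships with GPMC. This is an added example, not part of the original article; the GPO name, the group name and the function Test-GpoSecurityFilter are hypothetical placeholders.

```powershell
Import-Module GroupPolicy

$GpoName   = 'Desktop Wallpaper Policy'   # hypothetical GPO name
$GroupName = 'GG-Wallpaper-Users'         # hypothetical security group

# Authenticated Users: Read only. Without -Replace the existing, higher
# "Read + Apply group policy" entry would be left unchanged.
# Read has to stay: since MS16-072 the computer account must be able to
# read a GPO even when the policy only targets users.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Security group: GpoApply is "Read" plus "Apply group policy".
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Returns a list of findings; an empty result means the filter is as intended.
function Test-GpoSecurityFilter {
    param([string]$Name, [string]$Group)

    $perms    = Get-GPPermission -Name $Name -All
    $findings = @()

    $auth = $perms | Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
    if (-not $auth) {
        $findings += 'Authenticated Users has no entry (Read is missing)'
    } elseif ($auth.Permission -ne 'GpoRead') {
        $findings += "Authenticated Users is $($auth.Permission), expected GpoRead"
    }

    $grp = $perms | Where-Object { $_.Trustee.Name -eq $Group }
    if (-not $grp -or $grp.Permission -ne 'GpoApply') {
        $findings += "$Group does not have GpoApply"
    }

    # Any other trustee holding Apply also receives the policy settings.
    $perms |
        Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne $Group } |
        ForEach-Object { $findings += "Unexpected Apply permission: $($_.Trustee.Name)" }

    $findings
}

Test-GpoSecurityFilter -Name $GpoName -Group $GroupName
```

On a client, gpresult /r lists the GPO under the applied or the filtered-out policies, which confirms the filter from the receiving side.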
Dear Sir,
Thanks for sharing this knowledge.
Please write Articles on the topics of Block Inheritance & Enforced Exception.
Sure Emran, I will publish an article regarding this very soon. Stay tuned..
Thanks