Basic Active Directory question

Soldato
Joined
6 May 2009
Posts
19,885
I have been using Active Directory and Group Policy for about 3 months now but still do not know the answer to a basic question. I have not needed to know but just thought I'd ask now.

In Active Directory there is a section called 'groups'; within this you have other groups, e.g. password policy. Within this group there are members who use the password policy, and the group is then assigned to 'member of' under the user properties.

How then is the password policy group linked to the password policy settings?
(Same goes for all the other groups)


Cheers
 
Soldato
Joined
5 Jun 2008
Posts
6,240
Location
Portsmouth/Fareham
I have been using Active Directory and Group Policy for about 3 months now but still do not know the answer to a basic question. I have not needed to know but just thought I'd ask now.

In Active Directory there is a section called 'groups'; within this you have other groups, e.g. password policy. Within this group there are members who use the password policy, and the group is then assigned to 'member of' under the user properties.

How then is the password policy group linked to the password policy settings?
(Same goes for all the other groups)


Cheers

It should be linked through the actual GPO itself. If you go to Admin Tools on the server and go to Group Policy Management.

The users, groups, computers the policy affects (Security Filtering) and therefore who it applies to (say, screen auto lockout after 6 minutes) is here. The control part of the GPO comes over in the Delegation tab I believe, all users/computers/groups that can read/modify the policy.

Sounds about right, I'm not that knowledgeable having only done this for around a year now but doing an MCITP has certainly helped :)
 
Soldato
OP
Joined
6 May 2009
Posts
19,885
It's been a while but I'm sure account related policies only take effect at domain level and not at group level...

What do you mean? We have the account settings set in the default domain policy

Knubje - So the groups are all like place holders for each object in group policy? Brain has shutdown for the weekend now but will be back on it on Monday :)
 
Soldato
OP
Joined
6 May 2009
Posts
19,885
Still finding it hard to work out where groups get the settings from in AD

We have a group called 'Drive Restriction Exceptions'; it has around 5 members of our company. This restricts local media drives like USB sticks and CDs/DVDs. Where in this security group does it look for settings to restrict the drives?

Edit - Think I know now.
In Group Policy we have a policy for Windows Explorer. If you open the settings for this there are extra registry settings that have been applied (through sysvol \ policies (the windows explorer policy) \ ADM \ system.adm then adding a few custom lines to this with notepad)
If I click in the delegation policy I can see 'Drive Restriction Exceptions' has been denied the policy. Therefore it is just a 'placeholder' in Active Directory, Group Policy dishes out all the settings.

So yes, Knubje was correct, but I only learn by clicking around usually :)
 

Ev0

Soldato
Joined
18 Oct 2002
Posts
14,152
I might be totally missing the point, but the group is just listed in the security filtering for the GPO, no?

So thus the GPO will only apply to accounts, or groups, that are in the security filtering tab?
 
Soldato
OP
Joined
6 May 2009
Posts
19,885
I might be totally missing the point, but the group is just listed in the security filtering for the GPO, no?

So thus the GPO will only apply to accounts, or groups, that are in the security filtering tab?

That would all depend on how you have your security filtering set up. We just have all 'domain users' in the security filtering so it covers everyone who is part of the domain users group.

Then in delegation, deny access to who you do not want to give it to. We just have one policy using one computer in the security filtering. (and the test user)

If you did it your way, it would mean adding a lot of unneeded stuff to security filtering
 
Soldato
Joined
13 Jan 2004
Posts
20,929
Domain Level
-OU Level (Domain Guests)
--Groups (Guest Account Group)
--Guest Accounts

Create and Link a Group Policy to redirected Start Menu for Guest Accounts on the OU. Filter the Group Policy Application to the Security Group. Job done.

Domain level
-OU Level (Terminal Servers)
--Computer Objects (TSes themselves)
-- Group (TS Users)

Create and Link GP on the TS OU to remove Shut Down. Filter it to TS User.

No need to do Denys, users can be part of multiple groups.

Download and install the GPMC (Group Policy Management Tool). Makes things like this much easier.
 

Ev0

Soldato
Joined
18 Oct 2002
Posts
14,152
If you did it your way, it would mean adding a lot of unneeded stuff to security filtering

Wouldn't say it added a lot of unneeded stuff, you just remove domain users and add in the groups/individuals you want the GPO to apply to.

For instance I have a GPO applied to our main users OU that turns off the software restriction policy. Then in security filtering it is set with just my global group that I can add users to so they get the bypass if required.

Your way would mean I apply the policy to everyone then specify the people I don't want to have it? Not so good imho, least privileged/default deny and all that, risk of giving someone something they shouldn't is higher.

Just a diff way of doing it I guess, exactly as Sin Chase says above. How I've always done it for many years now.

How then is the password policy group linked to the password policy settings?

GPO is linked to OU
Group is linked to GPO via security filtering/your other way which I've never used :)

As you worked out, the groups themselves do not hold any settings, they merely tell the system who the policy that contains the settings applies to.

And I'm assuming this is all being done with GPMC :)
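
The GPO-to-group relationship discussed in this thread can also be read from the GPO side with the GroupPolicy PowerShell module. This is an added example, not part of any post above; the GPO name `Example Drive Restriction GPO` is a hypothetical placeholder, and the group name is the one mentioned in the thread.

```powershell
# Added example; needs the GroupPolicy module (ships with GPMC / RSAT).
Import-Module GroupPolicy

$group   = 'Drive Restriction Exceptions'   # group named in the thread
$gpoName = 'Example Drive Restriction GPO'  # hypothetical GPO name

# 1. Find every GPO whose ACL names the group, and what it grants or denies.
#    This answers "where does this group get its settings from?".
Get-GPO -All | ForEach-Object {
    $gpo = $_
    try {
        $perm = Get-GPPermission -Guid $gpo.Id -TargetName $group `
                    -TargetType Group -ErrorAction Stop
        if ($perm) {
            [pscustomobject]@{
                Gpo        = $gpo.DisplayName
                Permission = $perm.Permission   # e.g. GpoApply, GpoRead, GpoCustom
                Denied     = $perm.Denied
            }
        }
    } catch {
        # Group is not on this GPO's ACL; nothing to report.
    }
} | Format-Table -AutoSize

# 2. Show the security filtering of one GPO: trustees holding Read + Apply.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 3. Default-deny filtering as described in the thread: only the group gets
#    Apply, Authenticated Users keeps Read. -WhatIf previews; remove to apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace -WhatIf
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply -WhatIf
```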
 