
Basic Active Directory question

Discussion in 'Servers and Enterprise Solutions' started by Guest2, 2 Oct 2009.

  1. Guest2

    Capodecina

    Joined: 6 May 2009

    Posts: 16,183

    I have been using Active Directory and Group Policy for about 3 months now but still do not know the answer to a basic question. I have not needed to know but just thought I'd ask now.

    In Active Directory there is a section called 'groups'; within this you have other groups, e.g. password policy. Within this group there are members who use the password policy and the group is then assigned to 'member of' under the user properties.

    How then is the password policy group linked to the password policy settings?
    (Same goes for all the other groups)


    Cheers
     
  2. Knubje

    Soldato

    Joined: 5 Jun 2008

    Posts: 6,238

    Location: Portsmouth/Fareham

    It should be linked through the actual GPO itself. If you go to Admin tools on the server and go to Group Policy Management.

    The users, groups, computers the policy affects (Security filtering) and therefore who it applies to (say screen auto lockout after 6 minutes) is here. The control part of the GPO comes over in the Delegation tab I believe, all users/computers/groups that can read/modify the policy.

    Sounds about right, I'm not that knowledgeable having only done this for around a year now but doing an MCITP has certainly helped :)
     
    Last edited: 2 Oct 2009
  3. Nanobot

    Hitman

    Joined: 18 Sep 2008

    Posts: 960

    It's been a while but I'm sure account related policies only take effect at domain level and not at group level...
     
  4. Guest2

    Capodecina

    Joined: 6 May 2009

    Posts: 16,183

    What do you mean? We have the account settings set in the default domain policy

    Knubje - So the groups are all like placeholders for each object in group policy? Brain has shut down for the weekend now but will be back on it on Monday :)
     
  5. Nanobot

    Hitman

    Joined: 18 Sep 2008

    Posts: 960

    It was the case in Windows 2003 according to MS. You need to be extra careful so you don't end up locking accounts if you're testing. Try it in a test environment or virtual domain setup...
     
  6. Guest2

    Capodecina

    Joined: 6 May 2009

    Posts: 16,183

    Still finding it hard to work out where groups get the settings from in AD.

    We have a group called 'Drive Restriction Exceptions'; it has around 5 members of our company. This restricts local media drives like USB sticks and CDs/DVDs. Where in this security group does it look for settings to restrict the drives?

    Edit - Think I know now.
    In group policy we have a policy for Windows Explorer. If you open the settings for this there are extra registry settings that have been applied (through sysvol \ policies (the windows explorer policy) \ ADM \ system.adm then adding a few custom lines to this with notepad).
    If I click in the delegation policy I can see 'Drive Restriction Exceptions' has been denied the policy. Therefore it is just a 'placeholder' in Active Directory, group policy dishes out all the settings.

    So yes, Knubje was correct, but I only learn by clicking around usually :)
     
  7. Ev0

    Capodecina

    Joined: 18 Oct 2002

    Posts: 13,876

    I might be totally missing the point, but the group is just listed in the security filtering for the GPO, no?

    So thus the GPO will only apply to accounts, or groups, that are in the security filtering tab?
     
  8. Guest2

    Capodecina

    Joined: 6 May 2009

    Posts: 16,183

    That would all depend on how you have your security filtering set up. We just have all 'domain users' in the security filtering so it covers everyone who is part of the domain users group.

    Then in delegation, deny access to who you do not want to give it to. We just have one policy using one computer in the security filtering (and the test user).

    If you did it your way, it would mean adding a lot of unneeded stuff to security filtering.
     
  9. Sin_Chase

    Capodecina

    Joined: 13 Jan 2004

    Posts: 20,555

    Domain Level
    -OU Level (Domain Guests)
    --Groups (Guest Account Group)
    --Guest Accounts

    Create and link a Group Policy to redirect the Start Menu for Guest Accounts on the OU. Filter the Group Policy application to the Security Group. Job done.

    Domain level
    -OU Level (Terminal Servers)
    --Computer Objects (TSes themselves)
    -- Group (TS Users)

    Create and link a GP on the TS OU to remove Shut Down. Filter it to TS Users.

    No need to do Denys, users can be part of multiple groups.

    Download and install the GPMC (Group Policy Management Tool). Makes things like this much easier.
     
    Last edited: 6 Oct 2009
  10. Ev0

    Capodecina

    Joined: 18 Oct 2002

    Posts: 13,876

    Wouldn't say it added a lot of unneeded stuff, you just remove domain users and add in the groups/individuals you want the GPO to apply to.

    For instance I have a GPO applied to our main users OU that turns off the software restriction policy. Then in security filtering it is set with just my global group that I can add users to so they get the bypass if required.

    Your way would mean I apply the policy to everyone then specify the people I don't want to have it? Not so good imho, least privileged/default deny and all that, risk of giving someone something they shouldn't is higher.

    Just a diff way of doing it I guess, exactly as Sin Chase says above. How I've always done it for many years now.

    GPO is linked to OU
    Group is linked to GPO via security filtering/your other way which I've never used :)

    As you worked out, the groups themselves do not hold any settings, they merely tell the system who the policy that contains the settings applies to.

    And I'm assuming this is all being done with GPMC :)
     
    Last edited: 7 Oct 2009
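
Added example (not part of the thread and not any poster's code): a simplified Python model of how security filtering decides who receives a GPO, comparing the deny-an-exceptions-group layout with the allow-only-the-group layout discussed above. The directory contents, the group names "SRP Bypass" and "No SRP Bypass", and the reading of the Delegation deny as a deny on Apply Group Policy are assumptions.

```python
from dataclasses import dataclass

READ, APPLY = "Read", "Apply Group Policy"

@dataclass(frozen=True)
class Ace:
    trustee: str        # group or account the entry names
    right: str          # READ or APPLY
    allow: bool = True  # False models an explicit Deny

def grant(trustee):
    """Adding a trustee under Security Filtering: allow Read + Apply."""
    return [Ace(trustee, READ), Ace(trustee, APPLY)]

def gpo_applies(acl, token):
    """token = the account name plus every group it belongs to."""
    matching = [a for a in acl if a.trustee in token]
    if any(not a.allow for a in matching):  # explicit deny beats any allow
        return False
    return {READ, APPLY} <= {a.right for a in matching}

def recipients(acl, directory):
    """Accounts in the (constructed) directory that would process the GPO."""
    return sorted(u for u, groups in directory.items()
                  if gpo_applies(acl, {u, *groups}))

# Constructed sample directory: account -> group memberships.
DIRECTORY = {
    "alice": {"Domain Users"},
    "bob": {"Domain Users", "Drive Restriction Exceptions"},
    "carol": {"Domain Users", "SRP Bypass"},  # hypothetical group name
}

# Layout from post 6/8: everyone filtered in, exceptions group denied.
DRIVE_RESTRICTION = grant("Domain Users") + [
    Ace("Drive Restriction Exceptions", APPLY, allow=False)]
# Layout from post 10: only the named group is filtered in.
SRP_BYPASS_ALLOWLIST = grant("SRP Bypass")
# The same bypass GPO built the deny way (hypothetical "No SRP Bypass" group).
SRP_BYPASS_DENYLIST = grant("Domain Users") + [
    Ace("No SRP Bypass", APPLY, allow=False)]

def new_joiner_gets(acl):
    """A fresh account that has only been placed in Domain Users."""
    return gpo_applies(acl, {"dave", "Domain Users"})

if __name__ == "__main__":
    for name in ("DRIVE_RESTRICTION", "SRP_BYPASS_ALLOWLIST", "SRP_BYPASS_DENYLIST"):
        acl = globals()[name]
        print(name, recipients(acl, DIRECTORY), "new joiner:", new_joiner_gets(acl))
```

The model leaves out the computer account's own Read access to the GPO, which current Windows versions also need for user settings when Authenticated Users is removed from security filtering.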