Confuse with GPMC Security Filter

Discussion in 'Active Directory' started by Guest, Mar 28, 2007.

  1. Guest

    Guest Guest

    Hi all,
    I have some questions on security filter. Here is my case:

    (<-- means under this OU)
    2 OU:
    - [Citrix Users] <---hk_users
    - [Citrix Server] <--serverA

    1) I have linked a GPO to the [Citrix Server] OU. As I know, in Windows 2000,
    all objects under [Citrix Server] will be affected, right? But in
    Windows 2003, I must add serverA to the security filter or else it will
    not apply to any object?
    2) I have also made some changes to User configuration. I have added
    hk_users to the security filter. The policy is applied when hk_users log in.
    But... what I expected is that the policy will NOT apply, since hk_users is NOT
    under the [Citrix Server] OU. Some concepts may not be clear to me. Would you please
    give me some guidance on it?

    In order to make all my settings apply correctly, I need to add ServerA and
    hk_users to the security filter; then all Computer configuration and User
    configuration can be applied. I really feel in a mess over the security filter. Thanks!
    Guest, Mar 28, 2007

  2. Guest

    Guest Guest

    I have found something from the net:

    - Granting Read and AGP is not sufficient to ensure that the GPO is
      processed for a user or computer. The GPO also has to be linked to a site,
      domain or organizational unit containing the user or computer, directly or
      through inheritance.

    - A GPO with security filtering set to Read and AGP doesn't
      necessarily apply to all security principals that have security filtering.
      It only applies to them if those user or computer objects are in the
      container or child container that is linked to the GPO.

    That means the policy will not take effect unless hk_users is
    under the [Citrix Server] OU. But in my test, hk_users is not under the [Citrix
    Server] OU. And it will only take effect if both ServerA and hk_users are
    in the security filter, which brings out my questions again:

    1) Assume hk_users is in the OU: why will the policy not apply to
    hk_users if hk_users is missing from the security filter?

    2) Assume hk_users is outside the OU: why will the policy apply if
    hk_users is in the security filter?

    Sorry for my foolish question!
    Guest, Mar 28, 2007

  3. Guest

    Tariq Ziad Guest

    A Group Policy Object is applied on all container objects where it is linked.
    Then it is filtered using security filtering and WMI filtering
    (Windows 2003).

    Note 1: Why could a user or computer be included in the OU, but the GPO not be applied
    until it is added to the security filter?
    Answer: Make sure that in the security filtering you didn't remove the
    "Authenticated Users" security group with Read and Apply Policy permissions
    if you want it to apply to all users or computers included in the container
    where the GPO is linked.

    Note 2: Why will a GPO apply to a user or computer although it is not part of
    the container where the GPO is applied?
    Answer: An important point to take care of is that a GPO could be linked to
    a certain OU, but at the same time applied on the domain. If the user or computer (which you
    want to exclude) is not included in the OU, then don't forget that the same GPO
    applied at the domain level is applied for that user or computer.

    Finally, use RSoP to find out what policies are applied on a certain user or
    computer. You will get full details of which GPO is applied and from where it
    is taking place.
    Tariq Ziad
    MCSE, MCSA, B. SC. Comp. Eng.

    Tariq Ziad, Mar 28, 2007
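
One way to run the checks this answer points to (link scope, security filter, RSoP), as an added example that is not part of the original thread. It assumes the GroupPolicy PowerShell module that ships with GPMC/RSAT on later Windows versions; the GPO name and report path are placeholders. The loopback check in step 3 is not mentioned in the thread; it is included because loopback processing is the documented mechanism by which user settings from a GPO linked to a computer's OU reach users whose accounts are in another OU.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (GPMC/RSAT).
Import-Module GroupPolicy

$GpoName = 'Citrix Test Policy'          # placeholder: GPO display name
$RsopOut = "$env:TEMP\rsop-report.html"  # placeholder: RSoP report path

# 1. Link scope: the site/domain/OU containers the GPO is linked to.
[xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
$links = @($report.GPO.LinksTo | Where-Object { $_ } | ForEach-Object {
    [pscustomobject]@{
        Container = $_.SOMPath
        Enabled   = $_.Enabled
        Enforced  = $_.NoOverride
    }
})

# 2. Security filter: trustees granted Read + Apply Group Policy (GpoApply).
$filter = @(Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object {
        [pscustomobject]@{ Trustee = $_.Trustee.Name; Type = $_.Trustee.SidType }
    })

# 3. Loopback mode on the computer this runs on (run it on the server in
#    the linked OU). 1 = Merge, 2 = Replace, absent = not configured.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
$loopback = switch ($mode) { 1 { 'Merge' } 2 { 'Replace' } default { 'Not configured' } }

"GPO '$GpoName' is linked to:"
$links  | Format-Table -AutoSize
"Trustees that pass the security filter:"
$filter | Format-Table -AutoSize
"User-policy loopback on $env:COMPUTERNAME : $loopback"

# 4. RSoP for the logged-on user on this computer: lists which GPOs were
#    applied or denied, and the reason (for example, security filtering).
Get-GPResultantSetOfPolicy -ReportType Html -Path $RsopOut | Out-Null
"RSoP report written to $RsopOut"
```

Run it in the session of the user being tested, on the server in the linked OU, so the RSoP report reflects that user and computer pair.
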
  4. Guest

    Tariq Ziad Guest

    By the way, I think hk_users is a security group. Am I right??
    What about the user accounts, in which container are they located?

    You should note that the container objects that would be affected by the
    GPO linked to that container are the user account itself and the computer
    account, not a security group of users or a security group of computers.
    While in the security filtering you could use a user account, computer
    account, security group of users, or security group of computers. Usually
    filtering is done using these last two.

    Tariq Ziad
    MCSE, MCSA, B. SC. Comp. Eng.

    Tariq Ziad, Mar 28, 2007
  5. Guest

    Guest Guest

    Thanks for your reply.
    Yes. This is a security group containing 10 user accounts. The user accounts are
    located in another OU called <citrix user>

    Guest, Mar 29, 2007
  6. Guest

    Guest Guest

    Thanks for your explanation. I am very clear on Note 1 now. Thanks!!!

    But on Note 2, I am sure the GPO is only linked to this OU because this group
    policy is just for testing and will not apply to any production OU. So... I
    really don't know what is happening~~

    Guest, Mar 29, 2007
  7. Guest

    Tariq Ziad Guest

    So, is it clear why even when you have the hk_users security group outside
    the <citrix users> OU, the GPO will be applied if hk_users is added to the
    security filter (with Read and Apply Group Policy permissions)??

    Hope no more confusion is there...
    Tariq Ziad
    MCSE, MCSA, B. SC. Comp. Eng.

    Tariq Ziad, Mar 29, 2007