GPO Security Filtering

phoneguy · 2014-06-12T11:22:54.000Z

I’ve created a GPO and linked it to an OU.The GPO is supposed to put a shortcut on the user’s desktop. It won’t work unless I add the user name in the Security Filtering section in GPMC. I can’t add an OU, but must add individual names. This seems counter productive to have to do this. I must be doing something wrong.

Thanks for any input.

craigduff · 2014-06-12T11:25:20.000Z

Authenticated Users, the default security filtering, should work. If it works when you put their name in the security filtering, then that means that it is scoped correctly. Did you not try it with Authenticated Users?

phoneguy · 2014-06-12T11:27:05.000Z

That works! Thanks Ccraddock. Is that the proper way to do GPO’s? The security filtering section must have something in it?

Rob-Dunn · 2014-06-12T11:27:16.000Z

Why aren’t you doing this via Group Policy Preferences and Item Level Targeting?

craigduff · 2014-06-12T11:30:15.000Z

You scope by linking to different OUs and filter with the security filtering. If no one is in the security filtering, then no one gets it. That is why Authenticated Users is the default.

phoneguy · 2014-06-12T12:09:06.000Z

So, you create OU’s to specify a group to apply the GPO to. But then you have to also use Security Filtering to also specify where to make this thing work? Seems redundant.

Rob-Dunn · 2014-06-12T12:12:55.000Z

Phoneguy.Jim:

So, you create OU’s to specify a group to apply the GPO to. But then you have to also use Security Filtering to also specify where to make this thing work? Seems redundant.

You shouldn’t have to if you’re only applying to a single OU. If you apply to multiple OU’s this becomes necessary.

But, this is where Group Policy Preferences and Item Level Targeting would really help you. Set your targeting to apply to users in a certain OU, a security group, only on workstations with an IP address you specify, etc. Seriously, the way you are doing it is pretty outmoded these days (at least with creating a shortcut)…not to take away from what Craig has been helping you with (his solution works!), but you should DEFINITELY know or learn about GPP as a Windows Admin.

SlideShare

Group policy preferences

Group policy preferences - Download as a PDF or view online for free

craigduff · 2014-06-12T12:33:00.000Z

Phoneguy.Jim:

So, you create OU’s to specify a group to apply the GPO to. But then you have to also use Security Filtering to also specify where to make this thing work? Seems redundant.

When you are talking about something like a shortcut, maybe. And, preferences and item level targeting is a very good thing for stuff like that, like Rob said. But when are talking about other stuff, it becomes more clear. Keep in mind, by default, Authenticated Users is already specified, so you don’t have to do anything redundant by default. You only use security filtering when you need to. Take for example.

My computer objects are in two OUs, Desktops and Laptops, they are under an OU called Clients. I have things like Power Options that tell the laptops what to do when the lid is closed that apply to all laptops. I have things like Adobe Reader polices applied to all Devices. This is all great using just OUs. But what happens when I want to install a specialty piece of software on say just four computers. I can link it to Clients, but I might have 50, 100, 1000 clients. In this case, I need to use security filtering to limit that software GPO to apply only to those four computers. Imagine how convoluted the OU structure would get if I had to create a separate child OU for each special contingency. And, since a computer/user can only be in one OU, it would be impossible for a computer/user to have two special GPOs applied if one only used OUs, and there wasn’t security filtering.

To take it further, say you didn’t want to maintain a Desktops and Laptops OU, but just wanted a Clients OU. You could do that, and use security filtering to target the laptop power polices just to the laptops. Since there are only two classes, I decided to use OUs. But, that is a stylistic choice.

ccraddock · 2014-06-12T12:39:56.000Z

Phoneguy.Jim:

That works! Thanks Ccraddock. Is that the proper way to do GPO’s? The security filtering section must have something in it?

Security filtering must have something it it. By default its authenticated users.

You could create a security group if you only want it to apply to that group of users inside that OU and put it in security filtering.

ccraddock · 2014-06-12T12:40:29.000Z

You can also do as the above say and use item level targeting but you still need to have something in Security Filtering.

phoneguy · 2014-06-12T13:13:09.000Z

Great answers, everyone! I’ve learned so much this morning. Nice info in Rob’s link. And a good explanation cduff. I’ll look into item level targeting more.

I thought I had already marked a best answer earlier, but now I don’t see Ccraddock’s responses from earlier. ???

Btw, somehow my default security filtering of Authenticated Users wasn’t there. Once I added it back, it works well.

ccraddock · 2014-06-12T13:14:01.000Z

I went to edit it and accidentally deleted the post.