List Archives

This forum is an archive of all posts to our mailing list over the past few years.  The forum is set read only therefore to contribute you will need to join our list community.  See more info about this here.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] Group policy stupid question
sbradcpa

Posts:496

09/21/2005 10:00 AM  
Stupid question that showcases how I don't know enough about GP

Is there a way to do a group policy group so that it's

"Everyone" but "this group"
And does Visio work the best for diagramming these structures out?

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
aricbernard

Posts:4

09/21/2005 10:19 AM  
Susan,

You can restrict GPOs to certain groups by using either Deny or Allow
permissions. So in your case you could deny a particular security group
access to the GPO. If you leverage the GPMC you can use the delegation
tab to explicitly deny a group's access to the GPO.

As for diagramming, it depends on what you want to get out of the
diagram. Visio is OK for some things while the GPMC can provide nice
reports for others.

Aric

TonyTest

Posts:0

09/21/2005 10:51 AM  
Hi Susan

Have a look at this reference for information on group filtering.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/c8d44e87-5bf4-41e5-aff3-9ca261267181.mspx

Tony

kevsully

Posts:0

09/22/2005 1:13 AM  
Hi Susan,

Not a stupid question. Especially when you are just starting out with
Group Policy the filtering can be a bit tricky.

So the default for filtering is Authenticated Users have Read and Apply
Group Policy permissions. If you remove Authenticated Users from the
list and only add the Group(s) that should receive the settings and
exclude the group that should not, that will work. But your note
mentions Everyone 'except' so it sounds like you want to leave
Authenticated Users as is and simply add the 'filtered out' group to the
filter list (you are using GPMC, correct?) and set the permissions for
that group to Deny the Apply Group Policy permission. If I am reading
your message correctly this should work for you. Too many 'Denies' are
usually not recommended.

A few caveats for clarity (apologies if this is already known
information). The Group Policy does not apply to the Group. It only
applies to Users and Computers. The Group is simply used for filtering
and delegation. So the Group Policy Object needs to be linked to
containers that contain those users and computers that need to be
configured.

Regarding Visio, unless you have more complex needs here it is probably
overkill. If you are doing many 'deny' ACEs on your GPOs it is a good
idea to have some way to document those permissions so that you have a
reference to go back to.

Kevin Sullivan, MVP, MCSE
Director of Product Management
DesktopStandard Corporation
Enterprise Desktop Management
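
Added example, not part of the original thread and not any poster's code: a small Python model of the two security-filtering layouts described in the reply above, plus a listing of Deny ACEs for documentation. The group names, GPO names and ACLs are constructed for illustration, and the model assumes canonical ACE order, so a matching Deny always overrides an Allow.

```python
# Simplified model of GPO security filtering (constructed data, hypothetical names).
# Assumes canonical ACE order, so any matching Deny overrides every Allow.
from dataclasses import dataclass

READ, APPLY = "Read", "Apply Group Policy"
BOTH = frozenset({READ, APPLY})


@dataclass(frozen=True)
class Ace:
    trustee: str        # group the ACE is written for
    kind: str           # "Allow" or "Deny"
    rights: frozenset   # subset of {READ, APPLY}


def gpo_applies(acl, member_of):
    """True if a user or computer with these group memberships processes the GPO."""
    matching = [a for a in acl if a.trustee in member_of]
    denied = set().union(*(a.rights for a in matching if a.kind == "Deny"))
    allowed = set().union(*(a.rights for a in matching if a.kind == "Allow"))
    # Both rights are needed, and a Deny on either one filters the GPO out.
    return {READ, APPLY} <= (allowed - denied)


def deny_report(gpo_acls):
    """List every Deny ACE per GPO, as a reference document for later review."""
    return sorted((gpo, a.trustee, right)
                  for gpo, acl in gpo_acls.items()
                  for a in acl if a.kind == "Deny"
                  for right in sorted(a.rights))


# "Everyone but this group": keep the default ACE, add a Deny for the excluded group.
EVERYONE_BUT = [Ace("Authenticated Users", "Allow", BOTH),
                Ace("Kiosk Users", "Deny", frozenset({APPLY}))]
# Alternative: remove Authenticated Users and allow only the intended group.
ONLY_LISTED = [Ace("Office Staff", "Allow", BOTH)]

alice = {"Authenticated Users", "Office Staff"}
bob = {"Authenticated Users", "Office Staff", "Kiosk Users"}  # member of both
carol = {"Authenticated Users"}

if __name__ == "__main__":
    for name, groups in (("alice", alice), ("bob", bob), ("carol", carol)):
        print(name, gpo_applies(EVERYONE_BUT, groups), gpo_applies(ONLY_LISTED, groups))
    print(deny_report({"Lockdown GPO": EVERYONE_BUT, "Office GPO": ONLY_LISTED}))
```

In this model a principal in both the allowed and the excluded group is filtered out only by the Deny layout; the allow-only layout still applies the GPO to it.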
