
Thread: Recommended GPO Access Control List

  1. #1
     kev147
     Posts: 50

    I hope someone can help me on this as logically I think I am correct, but would prefer to have a 2nd opinion before I recommend this to the directors.

    I am currently designing a Group Policy solution for my company in a test environment that will meet an agreed list of objectives.

    Within the test environment the OU structure is as follows (apologies for the cr@p formatting):

    Domain Level   ->   1st Level (Directorate)   ->   2nd Level (Object Type)

    Test.Local
      CCS
        Users
        Computers
      CE
        Users
        Computers
      CS
        Users
        Computers
      ED
        Users
        Computers
      SS
        Users
        Computers

    I plan to recommend putting all the computer objects into their relevant Computers OU (depending on directorate; I am going to do this via an ADSI script. If anyone wants this, please ask).

    I plan to recommend putting all the user objects into their relevant Users OU (depending on directorate).

    I then plan to have a GPO for the following and to link them at the 1st level (Directorate):

    • Computer - Windows Firewall - Domain Profile
    • Computer - Windows Firewall - Standard Profile
    • Computer - Windows Components
    • Computer - System
    • Security
    • User - Windows Components
    • User - Start Menu and Taskbar
    • User - Desktop
    • User - Control Panel
    • User - System


    Now I know that when you create a GPO, it automatically adds authenticated users into the scope. My query is if the GPO only contains Computer Settings, then would it be better to have Domain Computers instead of Authenticated Users in the scope of the GPO?

    And if the GPO only contains User Settings, then would it be better to have Domain Users instead of Authenticated Users in the scope of the GPO?

    I am not sure of best practices on the above, 2nd opinion/feedback greatly appreciated. I am under the understanding that Domain Computers and Domain Users are both within Authenticated Users.

    Many Thanks

    Kevin
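The OU build-out and computer move described in the post, as an added example that is not the poster's ADSI script: it uses the ActiveDirectory PowerShell module instead of ADSI, creates the Directorate/Users/Computers tree shown above, and moves computer accounts into the matching Computers OU. The directorate assignment comes from a hypothetical CSV file (`computer-directorates.csv`, columns `Name,Directorate`), which is an assumption; the domain name `Test.Local` and the five directorate names are taken from the thread.

```powershell
# Added example (not the poster's ADSI script): builds the Directorate/Users/Computers
# OU tree from the thread and moves computer objects into the matching Computers OU.
# Assumes the ActiveDirectory module (RSAT) and a hypothetical CSV mapping
# computer name -> directorate, e.g. "Name,Directorate" followed by "PC001,CCS".
#Requires -Modules ActiveDirectory
param(
    [string]$DomainDn   = 'DC=Test,DC=Local',
    [string]$MappingCsv = '.\computer-directorates.csv',   # hypothetical input file
    [switch]$WhatIf                                        # dry run: report, change nothing
)

$directorates = 'CCS', 'CE', 'CS', 'ED', 'SS'

function Ensure-Ou {
    param([string]$Name, [string]$ParentDn)
    $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" `
                    -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $existing) {
        # Protecting the OU stops a stray delete from orphaning everything linked to it
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn `
            -ProtectedFromAccidentalDeletion $true -WhatIf:$WhatIf
    }
    return "OU=$Name,$ParentDn"
}

# Directorate OUs at the 1st level, Users/Computers at the 2nd level
foreach ($d in $directorates) {
    $dDn = Ensure-Ou -Name $d -ParentDn $DomainDn
    Ensure-Ou -Name 'Users'     -ParentDn $dDn | Out-Null
    Ensure-Ou -Name 'Computers' -ParentDn $dDn | Out-Null
}

# Move each mapped computer; unknown directorates or missing accounts are reported, not moved
$moved = @(); $skipped = @()
foreach ($row in Import-Csv $MappingCsv) {
    if ($directorates -notcontains $row.Directorate) { $skipped += $row; continue }
    $computer = Get-ADComputer -Filter "Name -eq '$($row.Name)'"
    if (-not $computer) { $skipped += $row; continue }

    $target = "OU=Computers,OU=$($row.Directorate),$DomainDn"
    if ($computer.DistinguishedName -notlike "*,$target") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target -WhatIf:$WhatIf
        $moved += $computer.Name
    }
}

"Moved: $($moved.Count); skipped (unknown directorate or not found in AD): $($skipped.Count)"
$skipped | Format-Table Name, Directorate -AutoSize
```

Run it first with `-WhatIf` and review the skipped list; a computer that is not in the mapping stays where it is, so nothing ends up in a directorate OU (and under that directorate's policies) by accident.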

  2. #2
     Guest

    You ask: "My query is if the GPO only contains Computer Settings, then would it be better to have Domain Computers instead of Authenticated Users in the scope of the GPO?"

    Go with Authenticated Users. There's nothing you're doing but _potentially_ causing headaches if you don't. And, there's NO reason to change.

    If you had a group called C-LEVEL-COMPUTERS and wanted JUST THOSE to get a GPO, then, yes, ditch AU and put in that group.

    But otherwise.. don't change, IMHO.

  3. #3
     AdamV
     Posts: 669

    /concur

    You are right that a computer with a valid domain account is an authenticated user by definition.

    You should disable user settings in computer-only policies, and vice-versa. This speeds up processing (maybe not a major headache for a simple implementation, but more important as complexity grows) but also makes some troubleshooting simpler - it is blindingly obvious a policy is not affecting users if it has these settings disabled, rather than having to check to see that there are no user settings set.

    It also means if somebody changes the user or computer settings in the wrong policies, the chances are good this will have no effect so they don't screw too many things up.

    Note: I am not saying you must never have policies with settings for both user and computer (although some claim this separation is always good practice); all I am saying is that when your policies only cover one type by design, make this as clear and reliable as possible by disabling the other half.
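An audit that checks the two points made in this thread, added here as an example and not code from either poster: for every GPO it reads the XML report to see which half (Computer or User) actually carries settings, compares that with the GPO status, and lists which trustees the policy is allowed to apply to, so a policy scoped to something narrower than Authenticated Users stands out. With `-Fix` it disables the empty half. It assumes the GroupPolicy PowerShell module (RSAT) and an account that can read, and with `-Fix` edit, the GPOs.

```powershell
# Added audit (not from the thread): flags GPOs whose unused half is still enabled and
# shows the security-filtering trustees each GPO applies to. -Fix disables the empty half.
# Assumes the GroupPolicy module (RSAT) and rights to read (and with -Fix, edit) GPOs.
#Requires -Modules GroupPolicy
param([switch]$Fix)

function Get-GpoHalfUsage {
    param([Microsoft.GroupPolicy.Gpo]$Gpo)
    [xml]$report = Get-GPOReport -Guid $Gpo.Id -ReportType Xml
    # The report only emits an ExtensionData node for a half that actually holds settings
    [pscustomobject]@{
        HasComputerSettings = [bool]$report.GPO.Computer.ExtensionData
        HasUserSettings     = [bool]$report.GPO.User.ExtensionData
    }
}

$findings = foreach ($gpo in Get-GPO -All) {
    $usage  = Get-GpoHalfUsage -Gpo $gpo
    $status = [string]$gpo.GpoStatus          # AllSettingsEnabled, UserSettingsDisabled, ...
    $wanted = $status

    # Only touch policies where both halves are enabled; a deliberately disabled GPO is left alone
    if ($status -eq 'AllSettingsEnabled') {
        if ($usage.HasComputerSettings -and -not $usage.HasUserSettings) {
            $wanted = 'UserSettingsDisabled'
        } elseif ($usage.HasUserSettings -and -not $usage.HasComputerSettings) {
            $wanted = 'ComputerSettingsDisabled'
        }
    }

    if ($Fix -and $wanted -ne $status) {
        $gpo.GpoStatus = $wanted               # assigning the status name persists the change
    }

    # Who the GPO applies to (security filtering); normally just "Authenticated Users"
    $applyTo = (Get-GPPermission -Guid $gpo.Id -All |
                Where-Object { $_.Permission -eq 'GpoApply' } |
                ForEach-Object { $_.Trustee.Name }) -join ', '

    [pscustomobject]@{
        Name             = $gpo.DisplayName
        Status           = $status
        Recommended      = $wanted
        ComputerSettings = $usage.HasComputerSettings
        UserSettings     = $usage.HasUserSettings
        AppliesTo        = $applyTo
    }
}

$findings | Sort-Object Name | Format-Table -AutoSize
```

Rows where `Status` and `Recommended` differ are the policies AdamV is describing. If you ever do replace Authenticated Users in the Apply column with a narrower group, keep Authenticated Users (or Domain Computers) with Read: since MS16-072, user policy is retrieved under the computer account's security context, and a GPO the computer cannot read silently stops applying.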
