Thread: GPO NOT FILTERING CORRECTLY

  1. #1
    PLANZ

    Greetings - my issue is more general but it does have to do with my term server. SCOPE: My term server is a win2k3 box, the domain controller is win2k8. We have strict rules on not to create any old OU on the fly. So I decided I will utilize GPO filtering. Our OUs are basically (from top down) Sitename then Computers, Users, Group then Servers. The terminal server resides in the "server" OU. I have the term server in a group called "TERM SERVER". I created a policy that essentially hides the C drive, removes the shutdown button, etc. etc., a basic lock down. I link the policy to the Servers OU. In the scope section I added the "TERM SERVER" group and authenticated users to the security filtering. The policy works great on the term server and seems to apply correctly. The problem I am having is that it applies to ALL member servers in that OU. If I remove the authenticated users from the security filtering then the policy does not apply. But if I have that group as filtered why does it apply to all servers? Cause I have it linked to that Servers OU? Again I thought the filtering would take care of that. Sorry for the long message but I had to explain it.
    Please advise on what I may be doing wrong. I really would hate to create a special OU for that. I even tried creating a DENY Server Policy group and added the member servers in that OU to that group but still it applies (yes I selected deny read and deny apply).

  2. #2
    PreviousPoster

    Late reply,

    If you are going to remove Authenticated Users, you have to add in the machine names (if you want to restrict servers in a certain OU) or SYSTEM if you want it to apply to all servers in an OU as well as adding the User groups you want to have the GP applied to.

    Pax

  3. #3
    AdamV

    My late late reply:

    Always best to put TS / Citrix servers in their own OU, probably under a general servers OU. It's not exactly loads of work but does mean you can target policies at them very precisely and reliably, and they so often need something a little bit different from the norm.

    Authenticated users includes authenticated computer accounts in the domain, that's why you were picking up the policy on the other servers while that was still in the security filter.
    Not sure why your deny filter failed, though. There must be something more to that one.

  4. #4
    PreviousPoster

    Deny overrules the allow list, so if an object (user or computer) is a member of both groups the deny will overrule. This would mean that the policy would not be applied.

    If you add only the computer group to the allow list, only the computer configuration will be processed, as the user configuration has no members.
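
Added example, not part of any post in this thread: a read-only PowerShell audit of the point made in reply #3, listing which computers in an OU the GPO's security filter actually lets through. It assumes the GroupPolicy and ActiveDirectory modules are available; the function name `Get-GpoApplyScope`, the GPO name and the OU path are constructed placeholders, and Deny entries are not evaluated.

```powershell
# Added example: read-only audit of a GPO's security filter against one OU.
# Get-GpoApplyScope is a hypothetical helper name; it changes nothing in AD.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoApplyScope {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $OuDistinguishedName
    )

    # Trustees with "Read + Apply group policy" make up the security filter.
    $applyTrustees = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' }

    # Authenticated Users (well-known SID S-1-5-11) contains every domain
    # computer account, so its presence opens the GPO to the whole OU.
    $openToAll = [bool]($applyTrustees |
        Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' })

    # Map computer SID -> trustee that grants Apply (direct entry or via group).
    $allowed = @{}
    foreach ($t in $applyTrustees) {
        switch ($t.Trustee.SidType.ToString()) {
            'Computer' { $allowed[$t.Trustee.Sid.Value] = $t.Trustee.Name }
            { $_ -in 'Group', 'Alias' } {
                Get-ADGroupMember -Identity $t.Trustee.Sid.Value -Recursive |
                    Where-Object objectClass -eq 'computer' |
                    ForEach-Object { $allowed[$_.SID.Value] = $t.Trustee.Name }
            }
        }
    }

    # One row per computer in the OU: does the filter let the GPO apply?
    Get-ADComputer -Filter * -SearchBase $OuDistinguishedName | ForEach-Object {
        $via = if ($openToAll) { 'Authenticated Users' } else { $allowed[$_.SID.Value] }
        [pscustomobject]@{
            Computer   = $_.Name
            GpoApplies = [bool]$via
            Via        = $via
        }
    }
}

# Constructed placeholder values; substitute the real GPO name and OU path.
Get-GpoApplyScope -GpoName 'TS Lockdown' `
    -OuDistinguishedName 'OU=Servers,OU=Sitename,DC=example,DC=com' |
    Format-Table -AutoSize
```

A computer picks up a changed group membership only after it restarts or its Kerberos tickets are renewed, so compare this output with `gpresult` on the server after that point.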
