Share via

Group Policy Object Question

Anonymous
2024-09-27T21:10:26+00:00

Hello friends,

I'm new to the windows server GPO and I'm doing some testing on my lab (server 2022). and got following questions:

1- I want to scope only one user for testing therefore I created an OU and linked to the GPO and I added the "Authenticated Users" in the Delegation. However, the GPO does not apply until both the User and Computer are under same OU that's linked in the GPO. It should work either the User or Computer is under the OU, right ? Also, do I need to use the Security Filtering if the OU is filtering what I need ?

2- The GPO generates User and Computer certificates as expected when the same windows server certificate authority Root CA is used in the "Trusted Root Certificate Authorities" folder, but when I use another CA ROOT certificate (external), the GPO send the ROOT CA certificate to the windows machine, but it is not generate either a User or Computer certificate.

Thank you in advance :)

Windows for business Windows Server Directory services Deploy group policy objects

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

0 comments

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2024-09-28T00:19:25+00:00

    Hello Jason-999,

    Thank you for posting in Microsoft Community forum.

    I want to scope only one user for testing therefore I created an OU and linked to the GPO and I added the "Authenticated Users" in the Delegation*. However, the GPO does not apply until both the User and Computer are under* same OU that's linked in the GPO. It should work either the User or Computer is under the OU, right?

    A1:

    If it is user configuration in this GPO, for "Security Filtering", you can set permission in Delegation as below.

    Make Authenticated users have only "Read" permission.

    Make user group have "Read" and "Apply group policy" permissions.

    If it is computer configuration in this GPO, for "Security Filtering", you can set permission in Delegation as below.

    Make Authenticated users have only "Read" permission.

    Make computer group have "Read" and "Apply group policy" permissions.

    Also, do I need to use the Security Filtering if the OU is filtering what I need?

    A2: For example, if OU has three user objects and you only want GPO user settings to apply to three of these users, you can create one group and put three user objects you want to this group and set Security Filtering as A1 above).

    Or for example, if OU has three computer objects and you only want GPO machine settings to apply to two of these computers, you can create one group and put two computer objects you want to this group and set Security Filtering as A1 above.

    The GPO generates User and Computer certificates as expected when the same windows server certificate authority Root CA is used in the "Trusted Root Certificate Authorities" folder, but when I use another CA ROOT certificate (external), the GPO send the ROOT CA certificate to the windows machine, but it is not generate either a User or Computer certificate.

    A3: For internal Root CA, it should have already set up automatic certificate enrollment autoenroll for users and computers, see link below. Otherwise, it will not automatically generate any certificates.

    www.vkernel.ro

    For external root CA, you should request certificates (user certificates and/or computer certificates) from external root CA and copy it/them to your machines and install them.

    I hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    0 comments
  2. Anonymous
    2024-09-28T22:04:02+00:00

    Hello @Daisy Zhou123

    Thank you very much for your time to respond to my questions.

    What is the process for generating certificates for all domain users from the external ROOT CA ? is that by SCCM or another tools ? Any ideas or links for best practice, that will be great.

    0 comments
  3. Anonymous
    2024-09-30T07:23:18+00:00

    Hello

    Good day!

    What do you mean "the external ROOT CA"?
    Do you mean it is a non-Windows CA server?

    Best Regards,
    Daisy Zhou

    0 comments
  4. Anonymous
    2024-09-30T15:48:04+00:00

    Hello

    Yes, based on the previous post you mentioned if the CA is External, the it need to generated a CSR and then install the User/Computer cert on the machine.

    Is there a way yo automate this process with the External CA ? like the auto-enrollment

    Probably using REST API ? I'm looking for any information and best practice for that

    0 comments
  5. Anonymous
    2024-10-02T01:14:50+00:00

    Hello

    Good day!

    Automating certificate enrollment with an External Certificate Authority (CA) may be achieved using APIs. The specific implementation details will depend on the CA you're using, as different CAs will provide different APIs and documentation.

    Best Regards,
    Daisy Zhou

    0 comments