GPO question

WW-6729 371 Reputation points
2021-04-22T17:31:02.057+00:00

Hello!

Can someone explain, if I have some Computer Configuration settings (e.g. firewall rules), which is the proper way to apply a GPO with Computer Configuration settings:

  • Under Scope I define user and under Delegation I define Authenticated Users with Read permission
  • Under Scope I define computer and under Delegation I define Authenticated Users with Read permission
  • Under Scope I define computer and under Delegation I define Domain Computers with Read permission

If I have User Configuration settings (e.g. a shortcut on the user's Desktop), which is the proper way to apply a GPO with User Configuration settings:

  • Under Scope I define user and under Delegation I define Authenticated Users with Read permission
  • Under Scope I define computer and under Delegation I define Authenticated Users with Read permission
  • Under Scope I define computer and under Delegation I define Domain Computers with Read permission

Must Computer Configuration settings be applied using Scope with computer and Delegation with Domain Computers with Read permission?
Must User Configuration settings be applied using Scope with user and Delegation with Authenticated Users with Read permission?

Somehow I always had trouble with it when it comes to troubleshooting a policy that doesn't work. I now have a policy which has Computer Configuration settings (firewall rules), and under Scope I have user and under Delegation I have Authenticated Users with Read permission, and for some reason it doesn't work. I also tried with computer under Scope and Domain Computers under Delegation with Read permission, and this also doesn't work.

Any help or direction is much appreciated!

Thank you!


Accepted answer
  1. Anonymous
    2021-04-23T00:13:59.717+00:00

    Hi,
    Based on my understanding, if you want to apply a GPO to users or computers, they need both the Read permission and the Apply group policy permission.
    They will not apply the group policy with only the Read permission.
    Under Scope you can add or remove the groups.
    Under Delegation you can assign the permissions on this GPO.

    For example:
    If you deploy the GPO with user configuration on the domain level, then all the users need the Read permission and apply group policy permission. At the same time, computers need the read permission on the GPO.
    To do this:
    You can either keep the default setting: authenticated users have Read permission and apply group policy permission. (Authenticated users include all the user objects and computer objects in the domain). Or you can add the user group with the Read permission, apply group policy permission, and add the computers group with the read permission.

    If you deploy the GPO with computer configuration on the domain level, then all the computers need the Read permission and apply group policy permission.
    You can either keep the default setting: authenticated users have Read permission and apply group policy permission. (Authenticated users include all the user objects and computer objects in the domain). Or you can add the computers group with Read permission and apply group policy permission. Users don't need the permission.
    Best Regards,
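
The permission rules from the accepted answer, written as a check over a GPO's delegation entries. This is an added example, not part of the original thread: the function name `Test-GpoFiltering`, the group, user and computer names, and the sample entries are constructed, and the entries imitate the Trustee/Permission pairs that `Get-GPPermission -All` returns.

```powershell
# Added example: evaluates delegation entries against the rules in the accepted answer.
# Real input (GroupPolicy module), flattened to the same shape as the sample below:
#   Get-GPPermission -Name '<GPO name>' -All | Select-Object `
#     @{n='Trustee';e={$_.Trustee.Name}}, @{n='Permission';e={"$($_.Permission)"}}
function Test-GpoFiltering {
    param(
        [Parameter(Mandatory)] [object[]] $Permissions,        # Trustee / Permission pairs
        [Parameter(Mandatory)] [ValidateSet('Computer','User')] [string] $ConfigSide,
        [string[]] $UserPrincipals = @(),       # the user plus the groups it belongs to
        [string[]] $ComputerPrincipals = @()    # the computer plus the groups it belongs to
    )
    # GpoApply means "Read + Apply group policy"; the edit levels include Read but not Apply.
    $readLevels = 'GpoRead','GpoApply','GpoEdit','GpoEditDeleteModifySecurity'
    $canApply = { param($who) [bool]($Permissions | Where-Object {
        $_.Trustee -in $who -and $_.Permission -eq 'GpoApply' }) }
    $canRead = { param($who) [bool]($Permissions | Where-Object {
        $_.Trustee -in $who -and $_.Permission -in $readLevels }) }

    $problems = @()
    if ($ConfigSide -eq 'Computer') {
        # Computer Configuration: the computer needs Read + Apply; users need nothing.
        if (-not (& $canApply $ComputerPrincipals)) {
            $problems += 'Computer lacks Read + Apply group policy' }
    } else {
        # User Configuration: the user needs Read + Apply, and the computer needs Read.
        if (-not (& $canApply $UserPrincipals)) {
            $problems += 'User lacks Read + Apply group policy' }
        if (-not (& $canRead $ComputerPrincipals)) {
            $problems += 'Computer lacks Read' }
    }
    [pscustomobject]@{ WillApply = ($problems.Count -eq 0); Problems = $problems }
}

# Constructed sample: a user-settings GPO filtered to one group, Authenticated Users removed.
$acl = @(
    [pscustomobject]@{ Trustee = 'Desktop Shortcut Users'; Permission = 'GpoApply' }
    [pscustomobject]@{ Trustee = 'Domain Admins'; Permission = 'GpoEditDeleteModifySecurity' }
)
$who = @{
    UserPrincipals     = 'alice', 'Desktop Shortcut Users', 'Authenticated Users'
    ComputerPrincipals = 'PC01$', 'Domain Computers', 'Authenticated Users'
}
Test-GpoFiltering -Permissions $acl -ConfigSide User @who

# Granting Read to the computers group, as the answer describes, clears the finding.
$acl += [pscustomobject]@{ Trustee = 'Domain Computers'; Permission = 'GpoRead' }
Test-GpoFiltering -Permissions $acl -ConfigSide User @who
```

The check ignores deny entries, WMI filters and link scope, so a clean result only rules out the delegation problem discussed here.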


2 additional answers

  1. WW-6729 371 Reputation points
    2021-04-23T07:46:47.693+00:00

    Thank you for the clarification. I know that adding a user or computer to Scope automatically adds that user or computer to Delegation with Read and Apply Group Policy permission. So the analogy for one user and one computer would be:

    Apply a GPO that has Computer Configuration settings to only one computer - under Scope I would define that computer and under Delegation I would define that computer with Read and Apply Group Policy permission - Authenticated Users is not necessary under Delegation in this case.

    Apply a GPO that has User Configuration settings to only one user - under Scope I would define that user and under Delegation I would define Authenticated Users with only Read permission?

    Best regards!


  2. WW-6729 371 Reputation points
    2021-04-26T13:16:40.84+00:00

    Just one more thing...

    A GPO that has Computer Configuration settings, with the computer under Scope and that computer having Read and Apply Group Policy permission under Delegation: the same GPO did not apply until I also added Authenticated Users under Delegation with Read permission...

    Best regards!
