GPO Security Group

Question

GPO Security Group

czql5v 146

Hi All,

I was looking for specific information on Security Filtering and how it actually works.

I need to create a GPO that populates PAC file address information. The GPO should only be distributed to Users or Computers in a specific group.

Our OU Domain structure has users in one OU which consists of every Global Domain User in one Container. It has not been split into Regions or countries. It's too late to even think about creating Sub OU's.

My first question is - can I distribute the PAC file address http link using Computer Configuration details. This would be much easier as the OU client structure is split between Countries, Regions, and Offices. I cant seem to find details of how to populate I.E. with the PAC details, I see them in User Configuration Preferences > Control Panel Settings > Internet Settings > Internet Explorer 10 1 > Connections > Lan Settings, the PAC file information is updated on the Address: field. Cant see where to configure the policies on Computer Configuration....!

My second question is - could I create a Security Group with specific users in the group, Link the GPO to the Top Level users OU (where thousands of Users Reside). Remove Authenticated Users from Security Filtering, add the Security Group with specific users. Would that be a certain guarantee that ONLY the users in the Security Group would get the Pac File address in I.E. settings.

I cannot be in a situation where ALL users pick up the Pac file entry in I.E. that would be a disaster.

Any thoughts / suggestions / help / would be gratefully received.

Regards.

5 answers

Your answer

Answer 1

Gary Reynolds 9,621

Hi,

Not all setting are available in both user and computer sections of GPOs and I think have found one that is not available in both.

As for using groups to target specific users or workstations, yes this is an acceptable option and is intended functionality by design. You don't need to remove the existing groups, you just need to remove the 'Apply Policy' permission from the currently assigned groups, add your new group and assign 'Apply Policy' permission to it. I would suggest you test the changes in a separate OU before applying the new GPO to your main user OU.

Gary.

Gary. .

czql5v 146 Reputation points

2021-11-22T08:26:30.38+00:00

Hi Gary,

Sorry for not responding sooner - I was away.

Would it be possible to create the GPO with user policies and apply the Security Filtering to a computer?

This way I could target the individual computers rather than apply against the users OU.

Regards.
Gary Reynolds 9,621 Reputation points

2021-11-22T09:45:53.137+00:00

Yes it is possible, if you create a new GPO with GPMC and then before assigning it an OU or changing any settings, change the security settings. Once the security is setup correctly, link the policy to correct OU. The only thing to bear in mind, once you add the computer to the group, you will need to reboot the machine for it to pick up the group change.

Here is a GPO that is configured to only target members of the Domain Computers group, but you can use any group. In GPMC the scope tab looks like this:

and if you look at the permissions of the GPO under the delegation tag, Advanced, you will see that only the Domain Computers has the Apply group Policy permission.

Gary.

Answer 2

czql5v 146

Hi Gary,

Thank you very much. I believe this is exactly what i have been looking to achieve.

Will let you know how it goes - i hope to put live next week,

Once again regards.

Answer 3

czql5v 146

Sorry Just thinking - one more question.

Is it at all possible to edit the Users Configuration information and link the GPO directly at a computers OU?

Create a Security Group to include Specific Users and change the permissions of the GPO under the delegation tag? This way i would avoid all contact with the Users OU at the top level. (would that work)?

Just a thought...

Gary Reynolds 9,621 Reputation points

2021-11-22T11:02:53.787+00:00

You can have a single GPO with both the user and computer settings, you can add the users and computers to the same group and use this single group to control which users and computers get the settings. You just need to make sure that the gpo is linked to the OUs that contains the users and computers that you want the policy to be applied to.

The users will need to logoff and back on to pickup the new group memberships.

Gary
czql5v 146 Reputation points

2021-11-23T08:52:03.253+00:00

Hi Gary,

Currently the GPO setup looks like below but I have not added any pac file details or the Users link yet.

Can you confirm the below is ok and if I link to the Users OU it will only apply to the users and machines in the Security Group?

Thanks very much for your help. Its appreciated.

Answer 4

Gary Reynolds 9,621

It looks good, just confirm that no other group has the apply group policy permission. You can leave the policy blank and apply the policy to the user or test OU. You can then confirm that it will be applied to the selected machines/users that are.members of the group, they will try to apply the policy but will failed with a filtered status, because the policy is empty.

Gary.

Answer 5

Security filtering of a GPO allows you to limit what users or computers are hit by the GPO settings and allows you to delegate the administration of the GPO. To target a user or computer you must assign Read and Apply permissions to the user/computer or a group of which they are member.

Yes you can create a Security Group with specific users in the group. Here is a link as well to help you out.

Create, edit, or delete a security group in the Microsoft 365 admin center
https://learn.microsoft.com/en-us/microsoft-365/admin/email/create-edit-or-delete-a-security-group?view=o365-worldwide

Active Directory Security Groups
https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups

---

--If the reply is helpful, please Upvote and Accept it as an answer--

Share via

GPO Security Group

5 answers

Your answer