Information Technology Reference
In-Depth Information
comes into play. There are two types of
GPO filtering
: security filtering and Windows Management
Instrumentation (WMI) filtering.
Security filtering uses permissions to restrict objects from accessing a GPO. Like any object
in Active Directory, a GPO has a DACL in which lists of security principals are granted permis-
sion to access the GPO. User and computer accounts must have the Read and Apply Group Policy
permissions for a GPO to apply to them. By default, the Authenticated Users special identity is
granted these permissions to every GPO; Authenticated Users applies to both logged-on users and
computers. You can see a GPO's DACL in Active Directory Users and Computers in the
System\Policies folder and in the Delegation tab in GPMC, but for basic GPO filtering, you can
use the simpler GPMC interface. To view the current security filtering settings, click a GPO in the
Group Policy Objects folder in GPMC and click the Scope tab on the right (see Figure 7-13).
7
Figure 7-13
Viewing security filtering settings
You use the Security Filtering dialog box in GPMC to add or remove security principals from
the GPO access list. For example, if you want a GPO to apply to all users in a domain or OU
except a few, follow these steps:
1. Create a security group in Active Directory Users and Computers.
2. Add all the users who should be subject to the GPO as members of the new group.
3. In GPMC, click the GPO in the Group Policy Objects folder and click the Scope tab in the
right pane.
4. Use the Security Filtering dialog box to add the new group to this GPO.
5. Use the Security Filtering dialog box to remove the Authenticated Users special identity from
this GPO.
Search WWH ::
Custom Search