Security Filtering Clarification

    Question

  • The overview:
    I have a GPO called Test_GPO. The Scope is filtered to a specific computer and linked to the OU where the computer lives. There is a security group called Audit_User with one user account, called User1, in the group with the READ and APPLY GROUP POLICY permissions delegated. The GPO is being used to audit successful file access.

    Question:
    With the above GPO applied to the computer object, with no Loopback, the GPO will audit the successful file access of USER1, Correct?

    Clarification:
    With that GPO being applied to the single computer object via the Security Filtering, will this GPO apply to all users that use the computer and try to access the same files as USER1? As I understand it, Computer policies take precedence over User policies, so I'm curious if the security filtering is going to apply to all users or just the one as intended.

    TIA

    Thursday, February 27, 2014 3:49 PM

All replies

  • > With the above GPO applied to the computer object, with no Loopback, the
    > GPO will audit the successful file access of USER1, Correct?
     
    No. Since you do security filtering for a group containing users, the
    computer has no access to the GPO and cannot apply it.

    Martin

    Time to read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Thursday, February 27, 2014 4:36 PM
  • I'm sorry, I don't understand your reply.

    The security filtering is applied to the computer object, the AUDIT_USER group is allowed read and apply group policy. Are you saying that the computer account has nothing to do with who is audited by the GPO and that only USER1 will have the auditing applied to them?

    Thursday, February 27, 2014 5:12 PM
  • Hi,

    Computer settings only apply to computer objects, and user settings only apply to users. Audit policy is computer based, so it only applies to computers.

    The GPO with audit policy enabled should be linked to the OU where the computers reside. If you want to select one computer within the OU to apply the GPO, we can use security filtering: just remove Authenticated Users and add the computer object on the Security Filtering tab.

    Even if you add user groups to the Security Filtering tab, users will not apply the GPO (if you enable loopback policy in the GPO, this will be different).

    To audit users who access specific files or folders, not only should audit policy be enabled, we should also configure the SACL on those files and folders. For more details about how to audit files and folders, please go through the articles below:

    http://support.microsoft.com/kb/310399/en-us

    http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/

    Hope this helps.

    Regards,

    Yan Li


    Friday, February 28, 2014 3:20 AM
    Moderator
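    The two halves Yan Li describes (a computer-filtered GPO that turns on object-access auditing, plus a SACL on the files themselves) can be inspected and set from PowerShell. The script below is an added example for this thread, not code posted by any participant or by Microsoft. It uses the GPO name Test_GPO from the question; the computer name WKSTN01 and the folder path D:\Shares\Finance are placeholders, and it assumes the GroupPolicy RSAT module is installed and the session is elevated (setting a SACL needs the Manage auditing and security log privilege).

```powershell
# Added example, not from the thread. Placeholders: WKSTN01, D:\Shares\Finance.
Import-Module GroupPolicy

$gpoName      = 'Test_GPO'
$computerName = 'WKSTN01'            # placeholder: the one computer that should apply the GPO
$folder       = 'D:\Shares\Finance'  # placeholder: the folder whose access should be audited

# 1. Show who holds Apply on the GPO. Audit policy is a computer setting, so only
#    trustees of SidType Computer (or groups the computer is in) matter here; a
#    user group such as Audit_User contributes nothing to whether the computer applies it.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                  @{ n = 'Type';    e = { $_.Trustee.SidType } },
                  Permission

# 2. Narrow the filtering to the single computer: drop Authenticated Users from
#    Apply and grant Read + Apply to the computer account (GpoApply implies GpoRead).
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name $gpoName -TargetName $computerName -TargetType Computer -PermissionLevel GpoApply

# 3. The SACL on the data: audit successful reads by anyone, inherited by subfolders and files.
#    Without this, the GPO's "Audit object access" setting produces no file events at all.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 4. Verification, run on the audited computer after gpupdate:
#    effective audit setting for the File System subcategory, and the resulting events.
auditpol /get /subcategory:"File System"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 20 |
    Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

    The output of step 4 is the practical answer to the thread's question: every 4663 event carries the account that touched the file, whoever it was, because the audit setting lives on the computer and the SACL above names Everyone. If only User1 should be recorded, that selection is made in the SACL (name Audit_User instead of Everyone), not in the GPO's security filtering. One caveat for current domains: since MS16-072 the computer account retrieves user-side settings, so a GPO that also carries user settings must keep Read for Authenticated Users or Domain Computers even when Apply is filtered.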
  • OK, so what you are saying is that the Security Filtering is applying it to just the one computer, which is really just narrowing it down to the one computer since the audit settings are computer based anyway (otherwise it would apply to all computers in the OU). So the fact that the AUDIT_USER group is in the delegation tab really means nothing. Whoever logs on to the computer and tries to access the files successfully, auditing will keep track of.

    Right?

    Monday, March 03, 2014 11:10 PM