Security filter for GPO to a group of computers?


  • Wednesday, August 10, 2011 6:46 PM

    This should be an easy question, but we have a GPO that has a security filter on it to only apply to select computers.  With security filters in GPMC, I know you can use AD security groups to apply to user accounts in those groups, but I tried that with computer accounts and it did not seem to work.  We had a Win2003 domain at that time and we just upgraded to a Win2008R2 domain and I was going to try again and wanted to see if anyone knows an easy way to apply a GPO with a security filter to a group of computers.  We do not want to put those computers into a separate OU and only target those OUs with the GPO.
    Dan Heim

All Replies

  • Wednesday, August 10, 2011 7:24 PM
     Answered

    Hi Dan,

    The same thing that applies to user groups applies to computer groups. But the computer objects have to be in the OU where you link the GPO! (as is needed for user groups).

    So, if you want to use GPO and computer groups, you might think about linking the GPO at domain level (if computers are spread across multiple OUs) and use Security Filtering with computer groups.


    " Never panic before reboot ! "
  • Wednesday, August 10, 2011 10:23 PM

    Here is a blog post I have written that should explain how to filter computers based on security groups...

    http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/

    Hope it helps

     


    Alan Burchill (MVP)
    http://www.grouppolicy.biz
    Follow me on twitter @alanburchill
  • Wednesday, August 10, 2011 10:56 PM
     
     

    Thanks Alan,

    I did know those details about GPOs and how to block GPOs from getting applied to certain objects.  I am testing again and will let you guys know what I find out.  Initially when I add a computer to a global security-group in AD and then make sure that both the group and the computer objects in that group are targeted by the GPO, it still does not work.  When I run gpresult on the computer it says it is filtered out for an unknown reason.  I have scheduled a reboot for the computer as maybe it needs to be rebooted to pick up its new security-group membership and will let you guys know what I find out.


    Dan Heim
  • Thursday, August 11, 2011 12:27 AM

    Just remember if you use groups in the context of filtering your group policy scope - you have to use global security groups.  I know some people run into a problem where they try and scope a group policy object to a domain local group and they can't figure out why the group policy object won't apply.  As the above posts indicated, you have to scope computer-centric GPOs to computers and vice versa for users.  However, you could use loopback/replace to force the settings you enable on the user config side of a GPO scoped to computers to apply to all users that log onto those computers.  Loopback/merge GPO appends its settings to the settings of a GPO scoped to a user and the settings in the GPO\merge GPO will have precedence.  Anyway, hope this helps.
  • Thursday, August 11, 2011 9:20 AM
    Moderator

    Hi,

    Please let us know what policies you have configured. Is there only a computer policy?

    Where was this GPO linked?

    As we know, the GPO needs to be linked to a scope that contains all the computers in the group.

     

    Best Regards,

    Yan Li

  • Thursday, August 11, 2011 10:56 AM
     Answered

    Hi,

    If you are targeting the security group so that the policy will only apply to the computers in that group and the policy is getting to all the computers, then you have to remove Authenticated Users from the ACL (make sure you do not deny Authenticated Users).

    If the situation is the reverse, so that the members of the security group do not get the settings, then I would request you to please run gpresult and check the group membership under Computer Configuration and make sure the group is shown. You would require a user logoff/login to get the group membership.

  • Thursday, August 11, 2011 2:28 PM

    Hi,

    I have seen this before and always had this problem.  There are no WMI filters on the GPO and the policy is applied at the top level, without any blocks on any of the OUs.  It is a computer-based group policy and it does not have "Authenticated Users" in the security filter.  The computer accounts that are specifically specified in the security filter work fine.  The computers that I add to an AD global security group do not work even though that group has also been added to the security filter.  When I run a gpresult on the computers in that group it shows the GPO under computer settings, but says beneath it "Filtering: Not Applied (Unknown Reason)".  This is an IPSec computer GPO, and the user configuration side of the GPO has been disabled.  If I check the permissions under Advanced in the Delegation tab of the GPO, it shows that the AD security group has both "Read" and "Apply Group Policy".

    Thanks,

    Dan

    Dan Heim
  • Thursday, August 11, 2011 2:47 PM

    Hi Dan,

    How did you set up the IPSec policy? If you do a test and create a GPO that, let's say, activates loopback processing (computer level), and you create a group, add a test computer to this group and use Security Filtering with this new group, does it work? I don't know why, but I think the problem is with your IPSec policy setup and not with the fact that a GPO with group security filtering doesn't work. Because I can assure you, IT WORKS!


    " Never panic before reboot ! "
  • Thursday, August 11, 2011 2:49 PM
     
     
    Well your assurance makes me feel better.  I will try with another GPO.  The thing is this GPO works fine when applied to computer objects, but not when going through global security-groups and I do not know why.
    Dan Heim
  • Thursday, August 11, 2011 6:03 PM

    Hi Dan,

    If this is an IPSec policy I would request you to please run RSOP.MSC and check once if it is showing in that. Also, as I have mentioned previously, please run gpresult and check under Computer Configuration whether the computer is showing as a member of the security group.

    Also please check the event viewer for any error.

    And I would suggest to enable Userenv logging as per the below link and check the log for more details and you can post the log here.

    http://support.microsoft.com/kb/221833

  • Thursday, August 11, 2011 11:27 PM

    Here is some more info and I appreciate your responses.  It does seem to work fine with a Win7 client being in that group that is included with my security filter that I tested with.  With a Win2003 SP2 server, it will not work when going through a group on the security filter.  If I run gpresult it does show the computer being a member of the correct group and it initially shows the GPO as being applied, but right beneath that it shows the GPO getting filtered for unknown reasons.  When I log in to the Win2003 SP2 server and run rsop.msc it does show the IPSec policy and looks like it is getting applied, but it never works, so I am also thinking it is being partially filtered.  I rebooted the server and it has no firewall, etc., but it never works when going through a group for the security filter.  As soon as I take the server out of the group and put that computer account directly into the security filter and run a gpupdate /force, then it starts working.  So for some reason it does not work when going through a group in the security filter and I am clueless.  I am going to test with some other clients tomorrow and see what works and what is not working.

    Dan


    Dan Heim
  • Monday, August 15, 2011 8:55 AM
    Moderator

    Hi,

    What about other clients? Does the policy work fine? Given that only the Windows 2003 SP2 server in the security filter cannot apply the policy, this is a strange issue; there may be some unknown reason. If the Windows 2003 SP2 servers are not so many, maybe we should use the workaround: add them directly to the security filter.

    Best Regards,

    Yan Li

  • Tuesday, July 03, 2012 7:03 PM
     
     
    I had the same issue as Dan.  I want to apply GPO only to a Global Security Group containing Computers.  I set it all up in GPMC, ran gpupdate /force on the machine, then gpresult and saw that the GPO was filtered for unknown reason.  But after a reboot, it worked fine.  I believe that the security group access token for a computer only gets updated on reboot (or maybe some very long interval?)  Basically, it's the same reason why a user that you add to a security group doesn't immediately have access to the file share, and they have to logoff and back on before their access works.
  • Tuesday, July 03, 2012 7:49 PM
     
     
     
    > worked fine.  I believe that the security group access token for a
    > computer only gets updated on reboot (or maybe some very long
    > interval?)  Basically, it's the same reason why
     
    Security Tokens are issued at logon. For a user, it's quite obvious that
    this happens at logon ;-) So when a user's group membership changes, he
    needs to log off and log on again.

    For computers, this only happens at boot - the computer is quite close
    to a user; it logs on to the domain at boot. So if a computer's group
    membership changes, the computer needs to be rebooted.
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Monday, February 04, 2013 9:31 AM
     
     
     
    > For computers, this only happens at boot - the computer is quite close
    > to a user, he logs on to the domain at boot. So if a computer's group
    > membership changes, the computer needs to be rebooted.

    This is quite annoying when you need to apply the security filter to servers that have to be up 24x7.

    And purging Kerberos tokens for the computer account doesn't work for me.

    The token is renewed every week, at least in our domain, and I think that's by default as long as you don't change that via GPO. Doesn't the computer take the new token with the group SID when the token is renewed?

    Thank you.


  • Monday, February 04, 2013 6:46 PM
     
     
     
    > And purging kerberos tokens for the computer account doesn't work for me.
     
    klist purge from psexec -s? for me, in a test, it worked...
     
    > The token is renewed avery week, at least in our domain, and I think
    > that's by default as long as you don't change that via GPO. Doesn't
    > the computer take the new token with the group SID when the token is
    > renewed?
    >
     
    No. AFAIK, when renewing, the TGT only gets a new timestamp, but the PAC
    isn't updated.
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • Wednesday, February 06, 2013 10:43 AM
     
     
    > klist purge from psexec -s? for me, in a test, it worked...

    I tried klist purge on a couple of servers and it takes a long time while not doing anything. Maybe that's due to too much activity on those servers. I also tried klist purge on another server with less activity and it worked.

    > No. AFAIK, when renewing, the TGT only gets a new timestamp, but the PAC

    Ok.

    > isn't updated. 

    Thank you.
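The checks the thread walks through, collected as an added PowerShell diagnostic that is not from any poster: the filter group must be a global security group, it needs Read and Apply on the GPO with Authenticated Users removed from Apply, and the computer's AD membership has to be compared with what its logon token (built at boot from the TGT's PAC) actually carries. It assumes the RSAT GroupPolicy and ActiveDirectory modules, an elevated session on the computer under test, and Sysinternals psexec.exe on PATH; the GPO and group names are placeholders.

```powershell
# Added diagnostic, not from the thread. Assumes RSAT (GroupPolicy + ActiveDirectory modules),
# an elevated PowerShell on the domain-joined computer under test, and Sysinternals psexec.exe
# on PATH. GPO and group names below are placeholders.
param(
    [string]$GpoName   = 'IPSec-Servers',        # placeholder: the security-filtered GPO
    [string]$GroupName = 'GPO-IPSec-Computers',  # placeholder: global security group of computers
    [string]$Computer  = $env:COMPUTERNAME
)
Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop

# 1. Filtering only works with global security groups; domain local groups silently fail to apply.
$grp = Get-ADGroup -Identity $GroupName
if ($grp.GroupCategory -ne 'Security' -or $grp.GroupScope -ne 'Global') {
    Write-Warning "$GroupName is $($grp.GroupCategory)/$($grp.GroupScope); use a global security group"
}

# 2. The group needs Read + Apply ('GpoApply') on the GPO, and Authenticated Users must be
#    removed (not denied) from Apply, or the GPO reaches every computer in the link scope.
$grpPerm  = Get-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group -ErrorAction SilentlyContinue
$authPerm = Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue
if (-not $grpPerm -or $grpPerm.Permission -ne 'GpoApply') {
    Write-Warning "$GroupName does not have 'Apply group policy' on $GpoName"
}
if ($authPerm -and $authPerm.Permission -eq 'GpoApply') {
    Write-Warning "Authenticated Users still has Apply on $GpoName; the filter is not restricting anything"
}

# 3. AD says the computer is a member...
$memberInAd = (Get-ADPrincipalGroupMembership -Identity (Get-ADComputer $Computer)).SID.Value -contains $grp.SID.Value

# 4. ...but GPO evaluation uses the computer's logon token (the SYSTEM session), built at boot
#    from the TGT's PAC. Ticket renewal does not refresh the PAC, so a new membership is missing
#    until a reboot or a ticket purge. whoami run as SYSTEM shows what the token really contains.
$tokenGroups = & psexec.exe -accepteula -nobanner -s whoami /groups /fo csv 2>$null | ConvertFrom-Csv
$sidInToken  = $tokenGroups.SID -contains $grp.SID.Value

[pscustomobject]@{ Computer = $Computer; MemberInAD = $memberInAd; SidInToken = $sidInToken }

if ($memberInAd -and -not $sidInToken) {
    Write-Host "Membership exists in AD but not in the logon token: expect 'Filtering: Not Applied (Unknown Reason)'."
    Write-Host "Fix: reboot, or purge SYSTEM's Kerberos tickets (klist -li 0x3e7 purge) and then run gpupdate /force."
}
```

The SidInToken check is the one gpresult cannot show you directly: gpresult lists the AD membership it reads at refresh time, while the GPO engine filters on the token, which is why the two disagree until the computer re-authenticates.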