User Right Assignment Inheritance on OU levels

    Question

  • Hi,

    Recently I encountered a problem when I was trying to grant "Log on as a service" and "Log on as a batch job" at the domain level via GPO to a group.

    Since we've got multiple OU levels, there are GPOs that set those rights for single OUs and therefore overwrite the permission definitions from higher OU levels.

    Is there any best practice for solving this problem other than checking every OU/GPO for those permissions and then adding the group to those GPOs?

    --------------------------------------------

    Example:

    Domain -> GPO with permission for Group A

    - OU

    -- OU

    -- OU -> GPO with different permission for Group B overwrites domain permission for Group A

    --------------------------------------------

    Thanks in advance,

    Hannes

    Wednesday, August 24, 2016 1:45 PM

Answers

  • Restricted Groups is a little bit different, because with RG you can choose to do it a couple different ways. URA is like most other classic settings, i.e. last-writer-wins (no accumulation)

    Yes, I know, but I think I found a solution to my problem using Restricted Groups. Here are my thoughts:

    • On the top level I would create a local group (for example: Batchlogon-Users) via GPO System Settings -> Local Users and Groups
    • To that group I'd grant "Log on as a batch job" via GPO User Rights Assignment
    • On the top level I'd add my domain local security group to "Batchlogon-Users" via Restricted Groups.
    • On the sublevels I'd add additional groups via Restricted Groups.

    So I think that way, inheritance of user rights should work. Still have to test that, though.

    Any thoughts on that?

    • Marked as answer by Hannes.K Friday, September 02, 2016 9:54 AM
    Monday, August 29, 2016 7:27 AM
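    The design in the accepted answer only works if two things are true on the target computer: the right must end up granted to the local group, and the domain groups added at each OU level must all be present in that local group. The script below is an added example (not code from the thread) that checks both on one host; the group name and the two rights are assumptions taken from the thread, and it must run elevated after `gpupdate /force` because `secedit` reads the local security database.

```powershell
# Added example (not from the thread): run elevated on one computer after
# "gpupdate /force" to verify that the design from the answer took effect:
#   1. the right is granted to the LOCAL group created via Group Policy Preferences,
#   2. the domain groups added on the different OU levels via Restricted Groups
#      ("This group is a member of") have all accumulated in that local group.
# Group name and right names are assumptions taken from the thread.
param(
    [string]   $LocalGroup = 'Batchlogon-Users',
    [string[]] $Rights     = @('SeBatchLogonRight', 'SeServiceLogonRight')
)

# secedit dumps the effective local security policy; the export is UTF-16 and
# user rights are lines in the [Privilege Rights] section such as
#   SeBatchLogonRight = *S-1-5-32-544,*S-1-5-21-...-1107
$cfg = Join-Path $env:TEMP ('ura-{0}.inf' -f [guid]::NewGuid())
secedit.exe /export /mergedpolicy /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
try {
    $policy = Get-Content -Path $cfg -Encoding Unicode
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Compare by SID, not by name, so a renamed or pre-existing group does not fool the check.
$groupSid = (Get-LocalGroup -Name $LocalGroup -ErrorAction Stop).SID.Value

foreach ($right in $Rights) {
    # One "<Right> = <sid list>" line per right; no line means nobody holds it.
    $line = $policy | Where-Object { $_ -match "^\s*$right\s*=" } | Select-Object -First 1
    $sids = @()
    if ($line) {
        $sids = @(($line -split '=', 2)[1] -split ',' |
                  ForEach-Object { $_.Trim().TrimStart('*') } |
                  Where-Object { $_ })
    }
    [pscustomobject]@{
        Right               = $right
        GrantedToLocalGroup = ($sids -contains $groupSid)
        OtherHolders        = (($sids | Where-Object { $_ -ne $groupSid }) -join ', ')
    }
}

# Members that arrived from every OU level's Restricted Groups entry.
# If any level used "Members of this group" instead of "This group is a member of",
# that GPO replaces the whole member list and you are back to last-writer-wins.
Get-LocalGroupMember -Group $LocalGroup |
    Select-Object Name, ObjectClass, PrincipalSource
```

    The point of the second half of the output is the Restricted Groups mode: the cumulative behaviour the answer relies on comes from entries of the form "this group (the domain group) is a member of Batchlogon-Users", which only add. A "Members of this group" entry on Batchlogon-Users is authoritative and strips anything not listed, so one OU-level GPO configured that way silently undoes the levels above it.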

All replies

  • Hi Hannes,
    In general, Group Policy objects are processed in the following order: local GPO, site, domain, and OU. If a "User Rights Assignment" policy setting is configured for a parent OU and the same setting is not configured for a child OU, the child OU inherits the parent OU's setting. If the same setting is configured for the child OU, the child OU's setting is applied: the highest-precedence setting takes effect in this case. The default setting is replaced by the setting configured in the highest-precedence GPO.
    It is always better to test first and make sure you get the expected result.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, August 25, 2016 3:16 AM
    Moderator
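    Because a user right is replaced, not merged, by the highest-precedence GPO, the practical first step is an inventory of every GPO that defines the right at all and where each one is linked. The script below is an added example (not from the thread) that builds that inventory by parsing the `GptTmpl.inf` file of each GPO in SYSVOL and reading the link targets from the GPO's XML report; it assumes the GroupPolicy RSAT module, a domain-joined host (`$env:USERDNSDOMAIN`) and read access to SYSVOL, and the two right names are taken from the question.

```powershell
# Added example (not from the thread): list every GPO in the domain that defines
# the two rights, with the SIDs resolved and the OUs the GPO is linked to, so the
# "check every OU/GPO" step from the question becomes one query.
# Assumes the GroupPolicy module (RSAT) and a domain-joined host.
Import-Module GroupPolicy -ErrorAction Stop

$domain = $env:USERDNSDOMAIN
$rights = @('SeBatchLogonRight', 'SeServiceLogonRight')

function Resolve-Sid {
    # Map "*S-1-5-21-..." to DOMAIN\Name; keep the raw value if translation fails
    # (deleted account, foreign domain), which is itself worth seeing in an audit.
    param([string] $Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid.TrimStart('*'))
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid
    }
}

function Get-PrivilegeRights {
    # Parse the [Privilege Rights] section of a GptTmpl.inf into @{ Right = @(sids) }.
    # Get-Content honours the UTF-16 BOM the file is written with.
    param([string] $Path)
    $result    = @{}
    $inSection = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]') {
            $inSection = ($matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*)$') {
            $result[$matches[1]] = @($matches[2] -split ',' |
                                     ForEach-Object { $_.Trim() } |
                                     Where-Object { $_ })
        }
    }
    $result
}

foreach ($gpo in Get-GPO -All -Domain $domain) {
    $inf = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    if (-not (Test-Path -LiteralPath $inf)) { continue }   # GPO carries no security settings

    $ura  = Get-PrivilegeRights -Path $inf
    $hits = @($rights | Where-Object { $ura.ContainsKey($_) })
    if ($hits.Count -eq 0) { continue }

    # Link targets come from the XML report; an unlinked GPO cannot win anywhere.
    $report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $domain)
    $links  = @($report.GPO.LinksTo | ForEach-Object {
        '{0}{1}' -f $_.SOMPath, $(if ($_.Enabled -eq 'false') { ' (link disabled)' } else { '' })
    })

    foreach ($right in $hits) {
        [pscustomobject]@{
            GPO       = $gpo.DisplayName
            Right     = $right
            GrantedTo = (($ura[$right] | ForEach-Object { Resolve-Sid $_ }) -join '; ')
            LinkedTo  = ($links -join '; ')
        }
    }
}
```

    The output tells you which GPOs compete for a given right and at which OU, but not which one wins for a particular computer; link order, enforcement and security filtering decide that. For one machine, `gpresult /scope computer /h report.html` (or the Group Policy Results wizard in GPMC) shows the winning GPO per setting, which is the list of GPOs the new group actually has to be added to.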
  • Also, keep in mind:

    GPOs don't apply to groups;

    they apply to the users inside those groups.

    So be sure to keep the users inside the OUs in question.

    To restrict Group Policies to certain groups: remove Authenticated Users from security filtering and add the group you want there.

    https://technet.microsoft.com/en-us/library/cc947840(v=ws.10).aspx

    Thursday, August 25, 2016 5:10 AM
  • If the same policy is configured for the child OU, the policy setting in the child OU is applied. The highest precedence setting will take effect in this case. The default setting will be replaced by the settings configured from the highest precedence GPO.

     Hi Wendy,

    Thanks for your reply. I know how those GPOs apply; the problem I face here is that the User Rights Assignments get overwritten, while, for example, Restricted Groups can be added cumulatively on lower OU levels.

    So in our environment we've already set GPOs with user rights on certain OUs, but if I want to apply a GPO to a higher OU level so that it applies to all computer objects, I guess I'd have to add the new group that I define on the top level to all the GPOs on the sub levels.

    That's where I was wondering whether there was any possibility to inherit the User Rights Assignment settings from the new GPO to the OU levels below.

    --------------------------------------------

    Example:

    Domain -> NEW GPO with permission for Group A

    - OU

    -- OU

    -- OU* -> Existing GPO with different permission for Group B overwrites domain permission for Group A

    --------------------------------------------

    * OUs contain computer objects

    @aldarik

    Thanks for your reply as well. I guess my example wasn't quite clear. The GPOs in this case are linked to OUs that contain computer objects and therefore apply to them; the user rights like "Log on locally" are granted to the groups, so I'm not trying to filter anything.


    Thursday, August 25, 2016 6:50 AM
  • To restrict Group Policies to apply to certain Groups -> remove authenticated users from security filtering, and add there Group you want.

    https://technet.microsoft.com/en-us/library/cc947840(v=ws.10).aspx

    That information is outdated as of MS16-072

    https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

    Additional steps are now necessary if removing "Authenticated Users".


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, August 25, 2016 8:55 AM
  • Restricted Groups is a little bit different, because with RG you can choose to do it a couple different ways.

    URA is like most other classic settings, i.e. last-writer-wins (no accumulation)


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, August 25, 2016 8:57 AM
  • Hi,
    Based on my research and a test in my lab, it seems that we cannot merge the User Rights Assignment in the GPO of a parent OU into the GPO of a sub-OU.
    The policy from the winning GPO will affect the client. So I think we should add the new group to the winning GPO, as you said.
    Best Regards,
    Wendy



    Monday, August 29, 2016 8:47 AM
    Moderator