fart-powered cars
Apr 19, 2001

I WENT VIRAL AND ALL I GOT WAS THIS LOUSY AVATAR


Here's a question that I've been wrestling with for some time. We want to set up group policies for users on some sort of role or location basis. Right now we're dumping everyone in CN=Users so it doesn't seem like setting up group policies on a per-user basis is really possible. We also have -great- difficulty moving people from CN=Users because of all the external stuff we have that looks directly at that namespace for user queries. This is the structure I inherited and I'm being stonewalled every time I bring up a better structure so I'm not dealing with bullshit issues on 1500 clients.

If somebody has a way to apply policies on a per-user basis without putting them in an OU to do so, I'm all ears.


fart-powered cars


BangersInMyKnickers posted:

Your best option in this situation is to get things restructured in a logical fashion and fix it. Not fun, but that should be your long-term goal. In the short term, make additional security groups, add users to them, and use those groups against policy security filtering to apply the policy to specific users within an OU.

I totally agree on the restructuring, but it is unlikely to happen in the near future. Thanks for the pointer, this put me in the right direction. If I understand this correctly, I can simply apply the GPO itself to a security group, which, in turn, will filter down to user objects?

fart-powered cars


BangersInMyKnickers posted:

You apply the policy to OUs (in this case, your Users OU) but remove the Authenticated Users from the Security Filtering. With no one in the security filter, no one validates as having the right membership to get the policy. Then add in specific security groups that user accounts are a member of who you want to receive the policy and they will get it.

I see, so the Authenticated Users ACL would actually apply that GPO at the OU level while removing that permission ensures that it applies only to those objects that have been scoped. I assume security filtering can be used and abused on other objects as well, like specific computers and/or users?
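
The security-filtering setup discussed in this thread, as an added PowerShell example that is not part of any post. It assumes the RSAT ActiveDirectory and GroupPolicy modules; the GPO, group and account names are hypothetical. Two assumptions go beyond the posts: the GPO is linked at the domain root, because CN=Users is a container and cannot take GPO links, and Authenticated Users is lowered to Read rather than removed outright, because since MS16-072 user policy is fetched in the computer's security context and is not processed if the computer cannot read the GPO.

```powershell
# Added example: scope a GPO to a security group instead of an OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Example - Sales User Settings'   # hypothetical GPO name
$GroupName = 'GPO-Apply-Sales-Users'           # hypothetical filter group
$Members   = 'jdoe', 'asmith'                  # constructed sample accounts
$Domain    = Get-ADDomain

# 1. Create the filter group (if missing) and add the users who should get the policy.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $Domain.UsersContainer
}
Add-ADGroupMember -Identity $GroupName -Members $Members

# 2. Create the GPO (if missing) and link it where the user objects are in scope.
#    Accounts in CN=Users only inherit links made at the domain (or site) level.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
$linked = (Get-GPInheritance -Target $Domain.DistinguishedName).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $Domain.DistinguishedName | Out-Null
}

# 3. Security filtering: take "Apply group policy" away from Authenticated Users
#    but keep Read, then grant Read + Apply to the filter group only.
#    -Replace is required to lower an existing permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Review the resulting delegation. Only the filter group should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Sort-Object Trustee
```

Group membership is read from the logon token, so users pick up the policy at their next logon; `gpresult /r` on a client shows whether the GPO was applied or filtered out.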
