Friday, September 5, 2008

Applying a Security Filter to a GPO

Problem

You want to configure a GPO so that it applies only to members of a particular security group.

Solution

Using a graphical user interface

1. Open the GPMC snap-in.
2. In the left pane, expand the Forest container, expand the Domains container, browse to the target domain, and expand the Group Policy Objects container.
3. Click on the GPO you want to modify.
4. In the right pane under Security Filtering, click the Add button.
5. Use the Object Picker to select a group and click OK.
6. Highlight Authenticated Users and click the Remove button.
7. Click OK to confirm.

Using a command-line interface

The GPO name and group name below are placeholders (the original formatting dropped them):

> setgpopermissions.wsf "<GPO name>" "<group name>" /permission:Apply
> setgpopermissions.wsf "<GPO name>" "Authenticated Users" /permission:None

Discussion

Creating a security filter for a GPO consists of granting a specific group the Apply Group Policy permission on the ACL of the GPO. By default, Authenticated Users are granted the Apply Group Policy right on all new GPOs, so you will also need to remove this right if you want to restrict the GPO to only be applied to members of another group.

Avoid using "Deny" as part of the security filter because it can lead to confusion with accounts that have membership in groups with conflicting filter settings. For example, if a user is a member of a group that has "Deny" set in the filter and is also a member of a group that is allowed to apply the policy, the Deny setting will always win. This can be difficult to troubleshoot.

Be very careful when changing permissions on GPOs. If you create a very restricted GPO and apply a security filter to it, put tight controls on who can modify the GPO and how. If for some reason that security filter was removed (resulting in no security filters), the restrictive GPO could be applied to every user or computer in the domain.
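The same filter as a scripted, verifiable change, written for this page as an added example using the GroupPolicy PowerShell module (Windows Server 2008 R2 and later) rather than the GPMC sample script the recipe shows. The GPO name and group name are assumed values. It grants the group Apply Group Policy, removes Authenticated Users, and then reads the GPO's ACL back to confirm the result and to flag the two conditions the Discussion warns about: Deny ACEs, and a GPO that has lost its filter entirely.

```powershell
Import-Module GroupPolicy

$gpoName   = 'Restricted Desktop Policy'    # assumed GPO name
$groupName = 'GPO-RestrictedDesktop-Apply'  # assumed security group name

# 1. Grant the target group Apply Group Policy (GpoApply also grants Read).
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 2. Remove Authenticated Users. PermissionLevel None strips all of the trustee's
#    permissions, matching what the GPMC Remove button does in the GUI steps.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# 3. Later change, not part of the 2008 recipe: since MS16-072 (June 2016) the computer
#    account retrieves user-side policy, so a GPO with Authenticated Users removed must
#    still be readable by computer accounts. Domain Computers only needs Read, not Apply.
Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group `
    -PermissionLevel GpoRead | Out-Null

# 4. Verify by reading the ACL back from the GPO object itself.
$perms = (Get-GPO -Name $gpoName).GetSecurityInfo()

$perms |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied, Inherited |
    Format-Table -AutoSize

# Who can actually apply the policy (allow ACEs only)?
$applyTrustees = $perms |
    Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
    ForEach-Object { $_.Trustee.Name }

# Deny ACEs: the recipe advises against them because Deny always wins and is hard to troubleshoot.
$denies = $perms | Where-Object { $_.Denied }
if ($denies) {
    Write-Warning ("GPO '{0}' carries Deny ACEs for: {1}" -f $gpoName, ($denies.Trustee.Name -join ', '))
}

# Filter not fully applied: Authenticated Users can still apply the GPO.
if ($applyTrustees -contains 'Authenticated Users') {
    Write-Warning "Authenticated Users can still apply '$gpoName'; the filter is not in effect."
}

# Filter lost: nobody can apply it. Harmless by itself, but this is the state from which a
# broad re-grant would push the restrictive GPO to every user or computer in the domain.
if (-not $applyTrustees) {
    Write-Warning "No trustee holds Apply Group Policy on '$gpoName'; re-check before granting it."
}

# Who can edit the GPO? This is the 'tight controls on who can modify the GPO' list.
$perms |
    Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and -not $_.Denied } |
    ForEach-Object { "Can edit '$gpoName': $($_.Trustee.Name)" }
```

The verification half is worth keeping as a standalone audit: run it on a schedule against every GPO from `Get-GPO -All` and it will surface the exact failure the Discussion describes, a restrictive GPO whose security filter has silently gone away.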
