Pants
I can't figure out why GPO filtering is not working in my lab.
I have followed various tutorials and they all pretty much say the same thing. Everyone else seems to be getting it, so I'm obviously missing something.
In SBS 2008, I create a simple "Test" GPO on the domain level. I remove "authenticated users" security principal, and I add in my "Management Group" (domain local) that has a single member which I happened to name "Jan Stevens" as a pretend manager for the company.
As a test, just to see if I can get this simple policy to apply, I set the security rule "shut down the computer". I ran gpupdate /force on the server, then restarted the workstation.
When I log in as Jan, I have the right to shut down the computer, but when I log in with another domain user, that user also still has the right to shut down the computer, which isn't what I want, so it looks like the policy isn't getting applied.
Maybe I got this wrong, but I thought by allowing Jan only the right to shut down the computer, that implicitly denies other users from being able to shut down.
On the other hand, I can get the security rule to apply no problem (exactly the way I want), if I do nothing else other than add the "Management Group" directly to the "shut down the computer" security rule when I define it. Is this method technically NOT the same thing as "filtering"? It would seem that they are not the same, since I don't appear to have to configure any ACLs to make it work, unlike the requirement of having to remove authenticated users from the ACL in the other method, and adding in the group I want the GPO to apply to.