gpo filtering not working

Pants

I can't figure out why gpo filtering is not working in my lab.

I have followed various tutorials and they all pretty much say the same thing. Everyone else seems to be getting it, so I'm obviously missing something.

In SBS 2008, I create a simple "Test" gpo on the domain level. I remove the "authenticated users" security principal, and I add in my "Management Group" (domain local) that has a single member which I happened to name "Jan Stevens" as a pretend manager for the company.

As a test, just to see if I can get this simple policy to apply, I set the security rule "shut down the computer". I ran gpupdate /force on the server, then restart the workstation.

When I log in as Jan, I have the right to shut down the computer, but when I log in with another domain user, that user also still has the right to shut down the computer, which isn't what I want, so it looks like the policy isn't getting applied.

Maybe I got this wrong, but I thought by allowing Jan only the right to shut down the computer, that implicitly denies other users from being able to shut down.

On the other hand, I can get the security rule to apply no problem (exactly the way I want), if I do nothing else other than add the "Management Group" directly to the "shut down the computer" security rule when I define it. Is this method technically NOT the same thing as "filtering"? It would seem that they are not the same, since I don't appear to have to configure any ACLs to make it work, unlike the requirement of having to remove authenticated users from the ACL in the other method, and adding in the group I want the GPO to apply to.
 
It's a computer configuration template. When I edit the policy, I go into "computer configuration" (not user configuration) when I add the rule. Is that what you're talking about?
 
https://technet.microsoft.com/en-us/library/cc736413(v=ws.10).aspx
With Computer Configuration in Group Policy, you can set policies that are applied to computers, regardless of who logs on to the computers.

Looks like you might want to use a user configuration template instead.
https://technet.microsoft.com/en-us/library/cc781953(v=ws.10).aspx
You can use User Configuration in Group Policy to set policies that apply to users, regardless of which computer they log on to.
 
Thanks. I checked it. It seems like it should be working. Why does it work when I apply the Management Group directly to the security rule?


Is it possible to add the "user rights assignments" rules to the user configuration template? I don't see them in there, as is.
 
Thanks for posting that, nline. Learned a lot from that.

One thing I realized was that enabling the "shut down the computer" security rule does not GRANT permission to shut down a system, it DENIES permission to shut down a system. That's a lot of confusion out of the way. Not sure why I thought vice versa was correct.

With that mindset, I realized that when I was adding Jan directly to the security rule (when enabling the rule), she was being EXCLUDED from the filter that was already in place, i.e. the "authenticated users". So the option in the security rule and the filter are working together (synergistic).

The above works to accomplish the goal I was looking for.

So it seems that when using filtering, if you are enabling security rules (in "user rights assignment"), any user you want to exclude from having the rule apply should be added as an exception directly to the security rule. But the filtering itself is done in the "filter" setting. I couldn't figure out if the security rule exclusion was another way of filtering, or something, so I was very confused. I wish they would have put that option in the filter section, and literally called it EXCEPTION, that would have been way easier to figure out.

Whew! I've been jacking with this for hours. Time to spoil myself with a treat. :)


Does filtering work the same way in Server 2003 ?
 
For some sometimes useful information when troubleshooting GPs: from the workstation at an elevated command prompt, run "gpresult /r" (without the quotes).
Scroll through; it often gives a hint as to why something wasn't applied.
 
Thx. Yah I tried that in the midst of my insanity while playing with this.

I guess another way I could have done this is by sticking Jan in a separate OU and blocking policy inheritance on the OU, so all authenticated users can't turn off the machine except Jan. :D
 
For blocking a policy to a specific user/group or computer, go to the policy advanced apply settings and put a "deny" to the user or computer that you wish to block. Deny takes precedence over apply.
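The ACL checks the thread keeps circling back to (is "Authenticated Users" still allowed to Apply the GPO, and which trustees carry a Deny on Apply) can be read and changed from PowerShell instead of the GPMC delegation tab. The script below is an added example, not code posted in this thread; it uses the `Get-GPPermission` / `Set-GPPermission` cmdlets from the RSAT GroupPolicy module (available from Server 2008 R2 / Windows 7 RSAT onward, so it is run from a management workstation rather than the SBS box itself). The GPO name "Test" and the group name "Management Group" are taken from the thread; any other names are assumed.

```powershell
# Added example (not from the thread). Assumes the RSAT GroupPolicy module and a
# domain-joined admin workstation. GPO "Test" and group "Management Group" are the
# names used in the thread; substitute your own.
Import-Module GroupPolicy

function Show-GpoFiltering {
    param([Parameter(Mandatory)][string]$GpoName)

    # -All returns one entry per trustee on the GPO's ACL with its permission level
    $acl = Get-GPPermission -Name $GpoName -All

    foreach ($ace in $acl) {
        $kind = if ($ace.Denied) { 'DENY ' } else { 'ALLOW' }
        '{0} {1,-45} {2}' -f $kind, $ace.Trustee.Name, $ace.Permission
    }

    # Security filtering only takes effect once "Authenticated Users" no longer
    # holds Apply; while it does, every user and computer still gets the policy.
    $authUsersApply = $acl | Where-Object {
        $_.Trustee.Name -eq 'Authenticated Users' -and
        $_.Permission -eq 'GpoApply' -and -not $_.Denied
    }
    if ($authUsersApply) {
        Write-Warning "'Authenticated Users' still has Apply on '$GpoName': the GPO is not filtered."
    }

    # A Deny on "Apply group policy" wins over any Allow the trustee gets via a group.
    $acl | Where-Object { $_.Denied -and $_.Permission -eq 'GpoApply' } | ForEach-Object {
        "Deny Apply on $($_.Trustee.Name): this principal is excluded from '$GpoName'."
    }
}

function Set-GpoFilteringToGroup {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # Lower "Authenticated Users" from Apply to Read only. Keep Read: the computer
    # account still has to read the GPO from SYSVOL before it can process it.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Grant Read + Apply to the intended group (GpoApply implies Read).
    Set-GPPermission -Name $GpoName -TargetName $GroupName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Audit first, then (optionally) apply the filtering and audit again.
Show-GpoFiltering -GpoName 'Test'
# Set-GpoFilteringToGroup -GpoName 'Test' -GroupName 'Management Group'
# Show-GpoFiltering -GpoName 'Test'
```

Two points worth keeping in mind when reading the output: because the "Shut down the system" right lives under Computer Configuration, filtering by a user or user group only decides whether the *computer* processes the GPO, which is why a single shared machine makes the scenario in this thread awkward; and after changing the ACL, `gpupdate /force` followed by `gpresult /r` on the workstation is still the quickest way to confirm whether the GPO shows up under "Applied" or under "Filtering: Denied (Security)".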
 
I should have clarified from the beginning that I've only been using 1 laptop computer for all my domain user accounts.

So for making the "shut down the computer" security rule apply to one specific user on the same computer is a little tricky, it seems.

If the circumstances were normal and there is a SINGLE user per PC, then this would be relatively straightforward to implement. So if Bob is using computer A, and Jan is using computer B, and I want Jan to be able to shut off the computer, but not Bob, I'll just enable the security rule to apply to the default "authenticated users", and then add computer B to the policy ACL, and "deny" the "Apply Policy" setting for computer B, which will make it so BOB cannot turn off the computer, but Jan CAN. (lol)

However, I've been trying to get this Computer Configuration setting to apply to 1 laptop (with all my user accounts) and block the policy application to "Jan". This only seems to work when Jan's GROUP is added as an exception directly to the "shut down the computer" security rule. Adding Jan as a user won't work (for whatever reason), but adding Jan's group DOES work.
 