Mark Minasi's Tech Forum
jsclmedave

Administrator
I have a Global AD Security Group "Block_Setting" that has been set up to block inheritance from the Computer Side GP Rules.

The Settings for this Global AD Group within the GP Rule have been set to
  • Read - Allow
  • Apply Group Policy - Deny 


Currently there are a couple of Domain\Users listed.

What I would like to do is add a Local AD Security Group with a list of WIN 2012 R2 Servers so that they will not have the Computer Side Settings Applied.

"Block_Setting"
  • User01
  • User02
  • My_New_AD_Group
  • Server01
  • Server02
  • Server03


This is how I would normally add Servers or Users for Access but was unsure if GPOs would act the same, meaning the Servers in the Nested Local AD Security Group would also have those settings blocked...

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  

Infradeploy

Senior Member
I'm so confused reading this. 

Yes it will have them blocked.
The outcome of what you want depends heavily on where the GPO's are linked, if there's a loopback policy, and if the server GPO's have the same security.

To me this looks like a minefield

__________________
Have SpaceSuit, Will Travel

jsclmedave

Administrator
Quote:
Originally Posted by Infradeploy
I'm so confused reading this. 

Yes it will have them blocked.
The outcome of what you want depends heavily on where the GPO's are linked, if there's a loopback policy, and if the server GPO's have the same security.

To me this looks like a minefield


Looks like I got the green light to just add them to the primary AD Group that is blocking the GPO now...

No loopback...

__________________
Tim Bolton @jsclmedave
Email: [string](0..20|%{[char][int](32+('527377347976847978324785847679797514357977').substring(($_*2),2))}) -replace ' '  
