Mark Minasi's Tech Forum
Pieter

Senior Member
Posts: 161
#1
If you are using GPOs which are filtered for users/groups, you should read this: https://support.microsoft.com/en-gb/kb/3163622


In short:
- If GPO is filtered for Users => then add Domain Computers with Read Access
- If GPO is filtered for Computers => no action required
- If GPO is not filtered => no action required



__________________
Pieter Demeulemeester
wkasdo

Administrator
Posts: 199
#2
Good one Pieter, thanks. This one is causing a lot of grief.

One additional note: those with multidomain forests need to be aware of filtered but cross-domain linked GPOs. In that case the 1st workaround will break. The more generic but less secure workaround is just to add Authenticated Users: READ (not apply, of course).

__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
wosteen

Still Checking the Forum Out
Posts: 2
#3
Jeremy Moskowitz is covering this, as he says, "in excruciating detail". [biggrin]

Official Microsoft reason for why it's broken here.

Jeremy's coverage here.
wkasdo

Administrator
Posts: 199
#4
He missed the part about multi-domain forests, though...
__________________
[MSFT]; Blog: https://blogs.technet.microsoft.com/389thoughts/
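
The check discussed in posts #1 and #2, as an added example that is not part of the original thread: a PowerShell audit that lists GPOs on which neither Authenticated Users nor Domain Computers has any permission entry, and optionally grants Read only. It assumes the GroupPolicy module (RSAT/GPMC) and English built-in group names; the `-ReadTrustee` and `-Fix` parameter names are this example's own.

```powershell
#Requires -Modules GroupPolicy
# Added example: audit GPOs for the KB3163622 condition described in the thread.
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    # 'Domain Computers'    = workaround from post #1
    # 'Authenticated Users' = broader workaround from post #2 for GPOs that are
    #                         linked across domains in a multi-domain forest
    [ValidateSet('Domain Computers', 'Authenticated Users')]
    [string]$ReadTrustee = 'Domain Computers',
    [switch]$Fix   # without -Fix the script only reports
)

function Test-TrusteeOnGpo {
    param([guid]$Guid, [string]$Name)
    # Get-GPPermission writes an error when the trustee has no entry on the GPO,
    # so a silenced, empty result means "not present".
    [bool](Get-GPPermission -Guid $Guid -Domain $Domain -TargetName $Name `
            -TargetType Group -ErrorAction SilentlyContinue)
}

# Candidates: GPOs where neither group appears in the delegation list.
# This also catches computer-filtered GPOs, which per the thread need no
# change, so review the list before running with -Fix.
$atRisk = foreach ($gpo in Get-GPO -All -Domain $Domain) {
    $hasAuthUsers = Test-TrusteeOnGpo $gpo.Id 'Authenticated Users'
    $hasComputers = Test-TrusteeOnGpo $gpo.Id 'Domain Computers'
    if (-not ($hasAuthUsers -or $hasComputers)) {
        [pscustomobject]@{ DisplayName = $gpo.DisplayName; Id = $gpo.Id }
    }
}
$atRisk | Format-Table -AutoSize

if ($Fix) {
    foreach ($gpo in $atRisk) {
        # GpoRead grants Read only; it does not add the trustee to the
        # security filter (that would be GpoApply).
        Set-GPPermission -Guid $gpo.Id -Domain $Domain -TargetName $ReadTrustee `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        Write-Host "Granted GpoRead to '$ReadTrustee' on '$($gpo.DisplayName)'"
    }
}
```

Run it once without `-Fix` to get the list, then again with `-Fix` (and `-ReadTrustee 'Authenticated Users'` where cross-domain links are in play) once the list has been reviewed.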