GPO issue
-
@WLS-ITGuy said in GPO issue:
So the library GPO is linked somewhere above this user's OU and is using security filtering to apply to the library security group only?
Have Domain Computers been given read permission?
Not sure if I understand your questions exactly, I'll post some screenshots when I get back in the office.
That question is due to the topic discussed here: https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
It sounds like you don't actually have things set up that way though so probably not the problem.
@WLS-ITGuy said in GPO issue:
So the library GPO is linked somewhere above this user's OU and is using security filtering to apply to the library security group only?
Have Domain Computers been given read permission?
List of GPOs:
GPOs in the OU:
OK so the user is in the WLS-Faculty group. The two GPOs there will apply. It sounds like that is happening as expected.
You say the user is a member of the library group but I don't see you mention where that group lives in the AD structure. Is the library group in the WLS-Library OU?
-
@WLS-ITGuy said in GPO issue:
@EddieJennings said in GPO issue:
@WLS-ITGuy said in GPO issue:
@scottalanmiller said in GPO issue:
@WLS-ITGuy said in GPO issue:
@WLS-ITGuy said in GPO issue:
It isn't being applied.
How many Domain Controllers?
2 - Checked both and both show the correct GPO
Check from a client machine, though, too.
Hmmm. Not hitting the client machine.
Meaning it's not listed when you run gpresult /r (or gpresult /r /scope:computer), or it's listed but not being applied?
gpresult shows the Faculty GPO as being applied but not the Library GPO
What's the listed reason for it?
Where I am, unknown reason, is usually because of inheritance blocking, but from the screenshots you shared, that's not going to be the issue.
-
@EddieJennings said in GPO issue:
@WLS-ITGuy said in GPO issue:
@EddieJennings said in GPO issue:
@WLS-ITGuy said in GPO issue:
@scottalanmiller said in GPO issue:
@WLS-ITGuy said in GPO issue:
@WLS-ITGuy said in GPO issue:
It isn't being applied.
How many Domain Controllers?
2 - Checked both and both show the correct GPO
Check from a client machine, though, too.
Hmmm. Not hitting the client machine.
Meaning it's not listed when you run gpresult /r (or gpresult /r /scope:computer), or it's listed but not being applied?
gpresult shows the Faculty GPO as being applied but not the Library GPO
What's the listed reason for it?
Where I am, unknown reason, is usually because of inheritance blocking, but from the screenshots you shared, that's not going to be the issue.
Correct. I do not get any Not Applied (Unknown Reason) errors or Denied errors.
-
@WLS-ITGuy said in GPO issue:
@EddieJennings said in GPO issue:
@WLS-ITGuy said in GPO issue:
@EddieJennings said in GPO issue:
@WLS-ITGuy said in GPO issue:
@scottalanmiller said in GPO issue:
@WLS-ITGuy said in GPO issue:
@WLS-ITGuy said in GPO issue:
It isn't being applied.
How many Domain Controllers?
2 - Checked both and both show the correct GPO
Check from a client machine, though, too.
Hmmm. Not hitting the client machine.
Meaning it's not listed when you run gpresult /r (or gpresult /r /scope:computer), or it's listed but not being applied?
gpresult shows the Faculty GPO as being applied but not the Library GPO
What's the listed reason for it?
Where I am, unknown reason, is usually because of inheritance blocking, but from the screenshots you shared, that's not going to be the issue.
Correct. I do not get any Not Applied (Unknown Reason) errors or Denied errors.
Ah, so the GPO isn't listed anywhere when you run gpresult /r (or gpresult /r /scope:computer) on the client computer, not even under "The following GPOs are not applied because they were filtered out" sections.
Forgive me if I seem to be missing something obvious.
-
@WLS-ITGuy said in GPO issue:
I have a user who is in the Faculty OU
OK that's pretty straightforward
but is part of the library group as well.
How is the user part of the library group?
-
@Dashrender said in GPO issue:
@WLS-ITGuy said in GPO issue:
I have a user who is in the Faculty OU
OK that's pretty straightforward
but is part of the library group as well.
How is the user part of the library group?
I created a library security group under the Library OU that has all employees that are workers in the library.
-
@WLS-ITGuy said in GPO issue:
@Dashrender said in GPO issue:
@WLS-ITGuy said in GPO issue:
I have a user who is in the Faculty OU
OK that's pretty straightforward
but is part of the library group as well.
How is the user part of the library group?
I created a library security group under the Library OU that has all employees that are workers in the library.
OK - I'm not sure that GPOs will be applied to security groups that are in OUs - I think only User and Computer objects get GPOs applied to them.
-
I would change this up by applying your GPOs to the OU above these WLS OUs, then set filters to only apply to the users you want.
So in the case of the Library, you've already created a security group, so you'll grant permissions to that group.
Then you'll need to create a WLS-Faculty security group and do the same with its GPO.
-
@Dashrender said in GPO issue:
I would change this up by applying your GPOs to the OU above these WLS OUs, then set filters to only apply to the users you want.
So in the case of the Library, you've already created a security group, so you'll grant permissions to that group.
Then you'll need to create a WLS-Faculty security group and do the same with its GPO.
So the GPOs would be at 'domain level' not in the OU level... Like this?
Then I apply the security groups from there? That makes sense.
-
@WLS-ITGuy said in GPO issue:
@Dashrender said in GPO issue:
I would change this up by applying your GPOs to the OU above these WLS OUs, then set filters to only apply to the users you want.
So in the case of the Library, you've already created a security group, so you'll grant permissions to that group.
Then you'll need to create a WLS-Faculty security group and do the same with its GPO.
So the GPOs would be at 'domain level' not in the OU level... Like this?
Then I apply the security groups from there? That makes sense.
Correct. Now any user in the Domain (aka located in any OU), within the security group you created should have the GPO applied.
Side note - I ALWAYS make sure I set security filter BEFORE I enable the GPO. The last thing you want is some user logging in after you save the GPO and getting access to items they should not.
-
@WLS-ITGuy said in GPO issue:
@Dashrender said in GPO issue:
I would change this up by applying your GPOs to the OU above these WLS OUs, then set filters to only apply to the users you want.
So in the case of the Library, you've already created a security group, so you'll grant permissions to that group.
Then you'll need to create a WLS-Faculty security group and do the same with its GPO.
So the GPOs would be at 'domain level' not in the OU level... Like this?
Then I apply the security groups from there? That makes sense.
Correct. Now any user in the Domain (aka located in any OU), within the security group you created should have the GPO applied.
Side note - I ALWAYS make sure I set security filter BEFORE I enable the GPO. The last thing you want is some user logging in after you save the GPO and getting access to items they should not.
It's funny you mention that...
-
@WLS-ITGuy said in GPO issue:
@Dashrender said in GPO issue:
I would change this up by applying your GPOs to the OU above these WLS OUs, then set filters to only apply to the users you want.
So in the case of the Library, you've already created a security group, so you'll grant permissions to that group.
Then you'll need to create a WLS-Faculty security group and do the same with its GPO.
So the GPOs would be at 'domain level' not in the OU level... Like this?
Then I apply the security groups from there? That makes sense.
Yeah - you could do it at the domain level - I personally wouldn't. I'd make a new OU, and put your WLS-Faculty and WLS-Library in that new OU, then apply your GPOs to that new one you created. But that's just me.
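One way to script the arrangement suggested in this thread, as an added example that is not code from any poster: link the GPO at a parent OU with the link disabled, set security filtering, keep the read permission that the MS16-072 article linked above requires, then enable the link. The GPO name, group name and OU distinguished name are hypothetical placeholders.

```powershell
# Added example. All names below are placeholders, not values from the thread.
Import-Module GroupPolicy

$GpoName  = 'Library-Policy'              # hypothetical GPO name
$Group    = 'Library-Staff'               # hypothetical security group
$ParentOU = 'OU=WLS,DC=example,DC=org'    # hypothetical OU above the WLS-* OUs

# 1. Link at the parent OU with the link DISABLED, so nobody picks the
#    policy up before security filtering is in place.
New-GPLink -Name $GpoName -Target $ParentOU -LinkEnabled No

# 2. Security filtering: only the library group gets Read + Apply.
Set-GPPermission -Name $GpoName -TargetName $Group `
    -TargetType Group -PermissionLevel GpoApply

# 3. Downgrade Authenticated Users from Apply to Read instead of removing it.
#    After MS16-072, user policy is fetched in the computer's security
#    context, so computer accounts must still be able to read the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 4. Verify the resulting ACL before turning the link on.
$perms = Get-GPPermission -Name $GpoName -All
$perms | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
    Format-Table -AutoSize

$computersCanRead = $perms | Where-Object {
    $_.Trustee.Name -in 'Authenticated Users', 'Domain Computers' -and
    [string]$_.Permission -in 'GpoRead', 'GpoApply' -and -not $_.Denied
}
if (-not $computersCanRead) {
    throw "No read access for computer accounts; the GPO will be skipped (MS16-072)."
}

$unexpectedApply = $perms | Where-Object {
    [string]$_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne $Group
}
if ($unexpectedApply) {
    throw "Unexpected Apply rights: $($unexpectedApply.Trustee.Name -join ', ')"
}

# 5. Filtering is confirmed, so enable the link.
Set-GPLink -Name $GpoName -Target $ParentOU -LinkEnabled Yes
```

After the next policy refresh, gpresult /r on a client shows whether the GPO is applied or listed as filtered out.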