Recipe 9.14 Applying a Security Filter to a GPO

9.14.1 Problem

You want to configure a GPO so that it applies only to members of a particular security group.

9.14.2 Solution

9.14.2.1 Using a graphical user interface
  1. Open the GPMC snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the target domain, and expand the Group Policy Objects container.

  3. Click on the GPO you want to modify.

  4. In the right pane under Security Filtering, click the Add button.

  5. Use the Object Picker to select a group and click OK.

  6. Highlight Authenticated Users and click the Remove button.

  7. Click OK to confirm.

9.14.2.2 Using a command-line interface
> setgpopermissions.wsf "<GPOName>" "<GroupName>" /permission:Apply
> setgpopermissions.wsf "<GPOName>" "Authenticated Users" /permission:None

9.14.2.3 Using VBScript
' This code adds a security group filter permission to a GPO
' and removes the Authenticated Users filter permission.
' ------ SCRIPT CONFIGURATION ------
strGPO         = "<GPOName>"        ' e.g. Sales GPO
strDomain      = "<DomainDNSName>"  ' e.g. rallencorp.com
strGroupAdd    = "<GroupName>"      ' e.g. SalesUsers
strGroupRemove = "Authenticated Users"
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()

' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified GPO by display name
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Build permission objects for the Apply Group Policy right
set objGPMPerm1 = objGPM.CreatePermission(strGroupAdd, _
                         objGPMConstants.PermGPOApply, False)
set objGPMPerm2 = objGPM.CreatePermission(strGroupRemove, _
                         objGPMConstants.PermGPOApply, False)

' Get the existing set of permissions on the GPO
set objSecurityInfo = objGPOList.Item(1).GetSecurityInfo()

' Add the new permission
objSecurityInfo.Add objGPMPerm1

' Remove Authenticated Users
objSecurityInfo.Remove objGPMPerm2

on error resume next
' Write the modified ACL back to the GPO
objGPOList.Item(1).SetSecurityInfo objSecurityInfo
if Err.Number <> 0 then
   WScript.Echo "There was an error setting the security filter."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Added Apply permission for group " & strGroupAdd
   WScript.Echo "Removed Apply permission for group " & strGroupRemove
end if

9.14.3 Discussion

Creating a security filter for a GPO consists of granting a specific group the Apply Group Policy permission on the ACL of the GPO. By default, Authenticated Users are granted the Apply Group Policy right on all new GPOs, so you will also need to remove this right if you want to restrict the GPO to only be applied to members of another group.

Avoid using "Deny" as part of the security filter because it can lead to confusion with accounts that have membership of groups with conflicting filter settings. For example, if a user is a member of a group that has "Deny" set in the filter and is also a member of a group that is allowed to apply the policy, the Deny setting will always win. This can be difficult to troubleshoot.

Be very careful when changing permissions on GPOs. If you create a very restricted GPO and apply a security filter to it, put tight controls on who can modify the GPO and how. If for some reason that security filter was removed (resulting in no security filters), the restrictive GPO could be applied to every user or computer in the domain.

9.14.3.1 Using VBScript

First, I have to find the target GPO. I use a GPMSearchCriteria object to find the GPO whose display name equals the name specified in the configuration section, and an if/elseif/else conditional to ensure that exactly one GPO is returned. If none or more than one is returned, I abort the script. If exactly one GPO is returned, I call GPM.CreatePermission twice to create permission objects: one for the group I want to add as the security filter and one for the Authenticated Users group. Next, I use GPMGPO.GetSecurityInfo to retrieve the current ACL on the GPO. Finally, I add the permission for the new security-filter group to the ACL, remove the permission for Authenticated Users, and write the result back with GPMGPO.SetSecurityInfo.
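The same change can be made with the GroupPolicy PowerShell module (RSAT or a domain controller). This is an added example, not code from the book: the GPO name "Sales GPO" and the group "SalesUsers" are placeholders, and unlike the recipe it lowers Authenticated Users to Read instead of removing the entry, because after the MS16-072 update (June 2016) user policy is retrieved in the computer's security context and a GPO with no Read entry for Authenticated Users or Domain Computers is silently skipped.

```powershell
# Added example (not from the Active Directory Cookbook). Assumed placeholders:
$GpoName    = "Sales GPO"   # replace with your GPO display name
$GroupToAdd = "SalesUsers"  # replace with the security group that should get the policy

Import-Module GroupPolicy

# Mirror the VBScript's safety check: continue only if exactly one GPO matches.
$matches = @(Get-GPO -All | Where-Object { $_.DisplayName -eq $GpoName })
if ($matches.Count -ne 1) {
    throw "Expected exactly one GPO named '$GpoName', found $($matches.Count)."
}

# Grant the group Read + Apply Group Policy (GpoApply includes Read).
Set-GPPermission -Name $GpoName -TargetName $GroupToAdd -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# The recipe removes Authenticated Users outright (-PermissionLevel None).
# On domains patched for MS16-072 that breaks processing, so keep Read only:
# -Replace drops the existing Apply level before setting GpoRead.
Set-GPPermission -Name $GpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Verify the result. Two failure modes the Discussion warns about:
#  - a broad group still has Apply, so the GPO reaches everyone;
#  - nobody has Apply at all, so the filter is broken.
$perms = Get-GPPermission -Name $GpoName -All
$apply = @($perms | Where-Object { $_.Permission -eq 'GpoApply' })
$broad = @('Authenticated Users', 'Domain Users', 'Everyone')
foreach ($p in $apply) {
    if ($broad -contains $p.Trustee.Name) {
        Write-Warning "'$($p.Trustee.Name)' can still apply '$GpoName'; the filter is not restrictive."
    }
}
if ($apply.Count -eq 0) {
    Write-Warning "No trustee has Apply Group Policy on '$GpoName'."
}
$perms | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission | Format-Table -AutoSize
```

Run it from an account that has Edit settings, delete, modify security on the GPO; the final table is the same view the GPMC shows under Security Filtering plus the Read-only entries from the Delegation tab.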

9.14.4 See Also

MSDN: GPM.CreatePermission and MSDN: GPMGPO.GetSecurityInfo



Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
Year: 2006
Pages: 456