Group:  English: General » microsoft.public.windows.group_policy
Thread: gpo security filtering

gpo security filtering
dereks 12/19/2008 8:01:03 PM
I am applying a GPO to an OU with server computer accounts for windows
updates (WSUS) only. I want to exclude two of the server machines so I
created a security group with the servers I want windows updates applied to
and added that group to the GPO security filter. I removed the default
"authenticated users" group from security filtering.

What happened was I initially got an "inaccessible" error for the gpo, so I
delegated the permissions of "read" and "apply group policy" to the
authenticated users group. Now the servers are showing up in WSUS, but the
machines in the OU that I excluded from the security group are also getting
the policy and showing up. It is as though the security group has no effect.

Any assistance appreciated.

Re: gpo security filtering
"Lanwench [MVP - Exchange]" <lanwench[ at ]heybuddy.donotsendme.unsolicitedmailatyahoo.com> 12/20/2008 3:07:03 AM
dereks wrote:
> I am applying a GPO to an OU with server computer accounts for windows
> updates (WSUS) only. I want to exclude two of the server machines so
> I created a security group with the servers I want windows updates
> applied to and added that group to the GPO security filter. I
> removed the default "authenticated users" group from security
> filtering.

Rather than remove it, did you try to just untick "apply group policy"?
>
> What happened was I initially got an "inaccessible" error for the
> gpo, so I delegated the permissions of "read" and "apply group
> policy" to the authenticated users group. Now the servers are
> showing up in WSUS, but the machines in the OU that I excluded from
> the security group are also getting the policy and showing up. It is as
> though the security group has no effect.
>
> Any assistance appreciated.

What do you see in rsop.msc on one of the problem servers?


Re: gpo security filtering
dereks 12/20/2008 5:19:00 AM
Thanks for your reply-

I read that a gpo applies to all of the objects in the OU, so if I have an
OU of computer objects and create a security group and add a subset of the
computers from the OU to the group and then apply that group as a security
filter intending it to exclude the other computers in the OU, it won't filter
out the other computers because they are in the same OU. Does this sound
correct?

I did test just unticking the "apply group policy" from the authenticated
users group permissions, but the rsop on the servers then gave me an
"access denied" error.

If I leave off the security group of computer objects and add authenticated
users will this gpo apply to any outside users or only the computer objects
in the OU?

"Lanwench [MVP - Exchange]" wrote:

> dereks wrote:
> > I am applying a GPO to an OU with server computer accounts for windows
> > updates (WSUS) only. I want to exclude two of the server machines so
> > I created a security group with the servers I want windows updates
> > applied to and added that group to the GPO security filter. I
> > removed the default "authenticated users" group from security
> > filtering.
>
> Rather than remove it, did you try to just untick "apply group policy"?
> >
> > What happened was I initially got an "inaccessible" error for the
> > gpo, so I delegated the permissions of "read" and "apply group
> > policy" to the authenticated users group. Now the servers are
> > showing up in WSUS, but the machines in the OU that I excluded from
> > the security group are also getting the policy and showing up. It is as
> > though the security group has no effect.
> >
> > Any assistance appreciated.
>
> What do you see in rsop.msc on one of the problem servers?
>
>
>
Re: gpo security filtering
"Florian Frommherz [MVP]" <florian[ at ]frickelsoft.DELETETHIS.net> 12/20/2008 2:38:57 PM
Derek,

dereks wrote:
> I read that a gpo applies to all of the objects in the OU, so if I have an
> OU of computer objects and create a security group and add a subset of the
> computers from the OU to the group and then apply that group as a security
> filter intending it to exclude the other computers in the OU, it won't filter
> out the other computers because they are in the same OU. Does this sound
> correct?

It does. You can put a subset of the computers that belong to the OU
into a security group and deny that security group "Apply Group Policy"
and "Read" permission. Those computers won't apply the GP then.

> I did test just unticking the "apply group policy" from the authenticated
> users group permissions, but the rsop on the servers then gave me an
> "access denied" error.

Unticking "Apply Group Policy" from authenticated users would result in
no machine being able to apply the GP. The "Access denied" error is
however a problem with your credentials on the servers, I guess. That
shouldn't be related to unticking the permission, if I understand you
correctly.

> If I leave off the security group of computer objects and add authenticated
> users will this gpo apply to any outside users or only the computer objects
> in the OU?

It only applies to the targets in the OU - no matter what security
groups you add in the security tab of the policy. You can only filter
down the targets that already are in the OU, you can't add new ones like
this.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
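
Added example, not part of any post in this thread: a small Python model of how security filtering decides which computers process a GPO, run over the three permission layouts discussed above. The server names, group names and OU are constructed, and inheritance to child OUs is not modelled.

```python
# Simplified model of GPO security filtering; all names below are constructed.
from dataclasses import dataclass

READ, APPLY = "Read", "Apply Group Policy"

@dataclass(frozen=True)
class Ace:
    trustee: str   # group or account the entry is for
    right: str     # READ or APPLY
    allow: bool    # False = explicit Deny entry

@dataclass(frozen=True)
class Computer:
    name: str
    ou: str
    groups: frozenset = frozenset()

    def token(self):
        # Computer accounts are members of Authenticated Users too.
        return {self.name, "Authenticated Users"} | self.groups

def gpo_applies(computer, linked_ou, acl):
    """True if the GPO linked to linked_ou is processed by computer."""
    if computer.ou != linked_ou:   # scope comes from the link, never from the ACL
        return False
    token = computer.token()
    for right in (READ, APPLY):
        entries = [a for a in acl if a.right == right and a.trustee in token]
        # No matching Allow means no access; any matching Deny wins over Allow.
        if not entries or any(not a.allow for a in entries):
            return False
    return True

def aces(trustee, allow=True):
    return [Ace(trustee, READ, allow), Ace(trustee, APPLY, allow)]

def targets(computers, linked_ou, acl):
    return sorted(c.name for c in computers if gpo_applies(c, linked_ou, acl))

# Constructed data: three servers in the linked OU, one outside it.
OU = "OU=Servers"
WSUS = frozenset({"WSUS-Servers"})
COMPUTERS = [
    Computer("SRV1", OU, WSUS), Computer("SRV2", OU, WSUS),
    Computer("SRV3", OU, frozenset({"WSUS-Excluded"})),
    Computer("SRV9", "OU=Other", WSUS),
]
BOTH_ALLOWED = aces("Authenticated Users") + aces("WSUS-Servers")
GROUP_ONLY = aces("WSUS-Servers")
DENY_GROUP = aces("Authenticated Users") + aces("WSUS-Excluded", allow=False)
```

`targets(COMPUTERS, OU, BOTH_ALLOWED)` returns every server in the OU, which is the behaviour reported in the first post; `GROUP_ONLY` and `DENY_GROUP` both narrow it to SRV1 and SRV2, and SRV9 is never a target because it sits outside the linked OU.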
