Basic Active Directory question

Guest2

Guest2

Guest2

Soldato
Joined
6 May 2009
Posts
20,173
I have been using active directory and group policy for about 3 months now but still do not know the answer to a basic question. I have not needed to know but just thought id ask now.

In Active directory there is a section called 'groups' within this you have other groups. e.g. password policy. Within this group there are members who use the password policy and the group is then assigned to 'member of' under the user properties.

How then is the password policy group linked to the password policy settings?
(Same goes for all the other groups)


Cheers
 
Nanobot said:
Its been a while but I'm sure account related policies only take effect at domain level and not at group level...
Click to expand...

What do you mean? We have the account settings set in the default domain policy

Knubje - So the groups are all like place holders for each object in group policy? Brain has shutdown for the weekend now but will be back on it on monday :)
 
Still finding it hard to work out where groups get the settings from in AD

We have a group called 'Drive Restriction Exceptions' it has around 5 members of our company. This restricts local media drives like USB sticks and cds/dvds. Where in this security group does it look for settings to restrict the drives?

Edit - Think i know now.
In group policy we have a policy for Windows Explorer. If you open the settings for this there is extra registry settings that have been applied (through sysvol \ policies (the windows explorer policy) \ ADM \ system.adm then adding a few custom lines to this with notepad)
If i click in the delegation policy i can see 'Drive Restriction Exceptions' has been denied the policy. Therefore it is just a 'placeholder' in active directory, group policy dishes out all the settings.

So yes, Knubje was correct, but i only learn by clicking around usually :)
 
Ev0 said:
I might be totally missing the point, but the group is just listed in the security filtering for the gpo no?

So thus the gpo will only apply to accounts, or groups, that are in the security filtering tab?
Click to expand...

That would all depend on how you have you security filtering setup. We just have all 'domain users' in the security filtering so it covers everyone who is part of the domain users group.

Then in delegation, deny access to who you do not want to give it to. We just have one policy using one computer in the security filtering. (and the test user)

If you did it your way, it would mean adding a lot of unneeded stuff to security filtering
 
You must log in or register to reply here.
Back
Top Bottom