GPO filtered to security group delivering settings to non-group members


  • GPO filtered to security group delivering settings to non-group members

    I have a W2K3 domain which is at the W2K3 Forest Functional level.
    There is currently a GPO that is linked to an OU that contains only computer account objects. This GPO is filtered to a specific security group whose members are computer accounts that are located within the linked OU.

    Everything works as it is supposed to until I add the 501st or more member(s) to the security group. Once any members in excess of 500 are added to the filtering group, machines within the OU where the GPO is linked but are not members of the filtering group, begin to receive the settings of the GPO.

    Other odd things that I have noticed: When the 501st or better member is added to the security group the icons next to the names change from the illuminated computer icon to a greyed out user icon. Additionally, I have tested and found that no matter which GPO I link to any OU within the domain, if I filter it by any security group that has more than 500 members, the same behavior is observed. (Machines within the OU that are not members of the filtering group start to receive the settings of the linked GPO)

    To this point, my research has shown that W2K3 domains that are, at minimum, set to at least the interim forest functional level, are supposed to be able to have security groups be able to be populated with "theoretically unlimited" amounts of members. This seems to indicate that my issue with more than 500 members should "not" be an issue, at least according to MS.

    If I can provide any more information which might assist in the efforts to help me, please let me know.

    Thanks

  • #2
    Re: GPO filtered to security group delivering settings to non-group members

    Just for the time being, have you tried creating another security group for the computers that push it over 500? It may resolve your issue while you await possible causes or reasons why.



    • #3
      Re: GPO filtered to security group delivering settings to non-group members

      I tried this even before I posted here. Basically, any security group that I create and add more than 500 members exhibits the same behaviors that I previously described.



      • #4
        Re: GPO filtered to security group delivering settings to non-group members

        I meant to create additional security groups and add up to 500 computers and then create another one. In effect, you then have 2 + security groups locking down the GPO but hopefully, will work for the time being and a quick fix to the issue whilst further investigation is carried out.



        • #5
          Re: GPO filtered to security group delivering settings to non-group members

          Ahh, I misunderstood your suggestion. Yes, this is a work around however the model kind of breaks down with the amount of work that would be required to make this work. I need to put around 8000 +/- machines into the group. While I can make and insert nested groups as members, this would have me making around 16 or so groups to nest. Conversely, I can just add 16 groups of 500 members each to the filtering list for the GPO as you suggest. Either way would work, it just ain't pretty.

          Thanks
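
The workaround discussed in posts #4 and #5 (several filter groups of at most 500 computers each, all granted Apply on the GPO), as an added example that is not part of the original posts. It assumes a management host with the ActiveDirectory and GroupPolicy PowerShell modules and a domain reachable through AD Web Services; every name and DN below is a placeholder.

```powershell
# Added example: placeholder names, not values from the thread.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ComputerOu = 'OU=Workstations,DC=example,DC=com'   # placeholder: OU the GPO is linked to
$GroupOu    = 'OU=Groups,DC=example,DC=com'         # placeholder: where filter groups live
$GpoName    = 'Example Filtered GPO'                # placeholder GPO display name
$Prefix     = 'GPO-Filter-Batch'                    # placeholder group name prefix
$BatchSize  = 500                                   # batch size from the thread's workaround

# Computers that should receive the GPO. Here: every computer in the OU;
# swap in the real target list (for example, names read from a CSV).
$targets = @(Get-ADComputer -SearchBase $ComputerOu -Filter * | Sort-Object Name)

$batchCount = [math]::Ceiling($targets.Count / $BatchSize)
for ($i = 0; $i -lt $batchCount; $i++) {
    $name  = '{0}-{1:D2}' -f $Prefix, ($i + 1)
    $first = $i * $BatchSize
    $last  = [math]::Min($first + $BatchSize, $targets.Count) - 1
    $batch = $targets[$first..$last]

    # Assumes the batch groups are new or empty; re-adding an existing member errors.
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $GroupOu
    }
    Add-ADGroupMember -Identity $name -Members $batch

    # GpoApply = Read + Apply Group Policy for this group on the GPO.
    Set-GPPermission -Name $GpoName -TargetName $name -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# Verification: no batch group exceeds the limit, and every target is in one of them.
$covered = @{}
foreach ($g in Get-ADGroup -Filter "Name -like '$Prefix-*'" -Properties member) {
    if ($g.member.Count -gt $BatchSize) {
        Write-Warning "$($g.Name) has $($g.member.Count) members"
    }
    foreach ($dn in $g.member) { $covered[$dn] = $true }
}
$missing = @($targets | Where-Object { -not $covered.ContainsKey($_.DistinguishedName) })
'{0} targets, {1} groups, {2} targets not in any filter group' -f `
    $targets.Count, $batchCount, $missing.Count
```

Computers pick up new group membership when they next restart, so the filter change is not visible on a running machine until then.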



          • #6
            Re: GPO filtered to security group delivering settings to non-group members

            8000+ is not a nice thought. I think you can add them in bulk using AD's GUI, so hopefully won't take long. Let us know how you get on.



            • #7
              Re: GPO filtered to security group delivering settings to non-group members

              IMHO, look at your OU structure and see if you can do it a different way to avoid filtering.
              GPO security filtering always seems like a messy work around where there should be a more elegant solution!
              Tom Jones
              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
              PhD, MSc, FIAP, MIITT
              IT Trainer / Consultant
              Ossian Ltd
              Scotland

              ** Remember to give credit where credit is due and leave reputation points where appropriate **



              • #8
                Re: GPO filtered to security group delivering settings to non-group members

                Unfortunately, I have no alternative but to use security group filtering, it's being dictated by corporate. I know that I can work around the issue but the objective here is to try to come to grips with why the security group is causing the weirdness after 500 members. As I stated before, as of W2K3 and at least interim Forest Functional level, security groups are, according to MS, able to have literally "unlimited" amounts of members. Heck, even in Win2k domains the limit was in the 5000 members neighborhood. This is really baffling me.
