Announcement

Collapse
No announcement yet.

GPO assigned to Authenticated Users - Does this cover the DC's too?

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • GPO assigned to Authenticated Users - Does this cover the DC's too?

    Hi all,

    First post. I've scanned through many posts however I've not managed to find out the answer to this.

    When creating a fresh GPO in a server 2003 environment, by default the group added is 'Autheticated Users'. Now, I then wanted to take a look and see if the GPO had applied. It came up that it was not and that the reason was due to filtering.

    I am logged in as an Administrator user and when I log onto another server, the GPO DOES get applied. This other server is not a DC however.

    So, my question is: if you create a GPO and leave it with the defaults i.e. the entire domain and authenticated users, does this not include the Domain controllers or is it more likely that another permission is overuling things.

  • #2
    Re: GPO assigned to Authenticated Users - Does this cover the DC's too?

    It will affect DCs if their computer accounts are located somewhere in the tree below the domain or OU the GPO is applied to. DCs should all be in the Domain Controllers OU - for a GPO to apply to DCs it must be linked either to the domain or to the Domain Controllers OU.
    Gareth Howells

    BSc (Hons), MBCS, MCP, MCDST, ICCE

    Any advice is given in good faith and without warranty.

    Please give reputation points if somebody has helped you.

    "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

    "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.

    Comment


    • #3
      Re: GPO assigned to Authenticated Users - Does this cover the DC's too?

      Here's what I find when running gpresults against my Domain Administrator on my DC. My DC computer account is in the Domain Controllers container and my Domain Administrator user account is in the Users container.

      Computer Configuration GP applied: Default Domain Policy & Default Domain Controllers Policy

      User Configuration GP applied: Default Domain Policy

      You have to remember that user and computer accounts are two different things. If you create a GPO that has user settings configured and your Domain Administrator logs on to a computer where the GPO is linked then the user settings will be applied to the Domain Administrator.

      So, if you have an OU where a computer account is, and you have a GPO that has user settings defined linked to that OU, and you do not use any custom security filtering on the GPO (Authenticated Users are filtered by default), then the settings are going to be applied to your Domain Administrator.

      Comment


      • #4
        Re: GPO assigned to Authenticated Users - Does this cover the DC's too?

        Thanks a lot for the replies folks! I get it now.

        Comment

        Working...
        X