  • Security Filtering - Cannot Get To Work


    Hi All,

    I have been using Group Policy as a System Admin for many years (back to Server 2003), but I have never had the need to use security filters before now, and I cannot seem to get it to work.

    The DC is SBS2011, and I am running GPMC from a Win10Pro machine (but I get the same results if I log in directly to the DC and set it up from there).

    I am trying to apply a policy to any user that logs into a single specific machine. The settings are User settings.


    *Problem*

    I can get the policy to apply to all users on any machine, but I cannot then get the security filtering to work and apply only when a user logs in to the one machine.


    *Details*

    The policy is linked to the main users group in AD (the OU is called CompanyName).

    I have created a security group (RestrictedInternetMachines) and added the machine to that group.

    The scope shows the location = CompanyName, and Security Filtering = Authenticated Users and RestrictedInternetMachines.


    Like this, the policy applies to the users regardless of where they login, and hence applies on their own machines.

    If I remove Authenticated Users from the Security Filtering, and add Authenticated Users to the Delegations (Read Permission), then the policy fails to apply anywhere, including on the machine I want it to.

    I have tried replacing the security group with the machine name itself - no difference.

    I have tried adding 'Apply' permissions to Authenticated users in Delegations, but this adds that group back to the Security Filtering list, and the settings get applied across all machines.


    I must be missing something obvious. From what I have read around the web, I think I am doing it correctly, but obviously not!


    Any help is appreciated.

    Thanks,

    Alan.



  • #2
    Security filtering is not what you want to use for this situation. Since you want user settings to apply only when logging on to a specific computer, you need to apply the policy to the computer and configure loopback processing in the policy.

    1. Put the computer(s) you want the policy applied to in their own OU
    2. Link the policy you created to this OU
    3. Edit the policy to configure loopback processing in either merge (combines existing user policies with the one being applied) or replace (removes all other user policies and only applies this policy) mode https://technet.microsoft.com/en-us/.../cc978513.aspx
    4. In the Security Filtering section, Authenticated Users should be added (this is the default). Any additional groups are superfluous as Authenticated Users includes all users and computers that authenticate.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

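Jeremy's four steps, as an added example written for this thread (it is not code from Jeremy's reply or from any product): a PowerShell script using the ActiveDirectory and GroupPolicy modules that ship with RSAT/GPMC. The domain DN, OU name, computer name and GPO name are placeholders to be replaced with the real ones; the registry key and UserPolicyMode values are what the "User Group Policy loopback processing mode" setting writes (1 = Merge, 2 = Replace).

```powershell
# Added example, not from the thread: Jeremy's steps 1-4 via PowerShell.
# Requires the ActiveDirectory and GroupPolicy modules (RSAT / GPMC).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = 'DC=example,DC=local'                    # placeholder: your domain DN
$ouName   = 'RestrictedInternetMachines'             # placeholder: OU for the target PC(s)
$ouDN     = "OU=$ouName,$domainDN"
$computer = 'KIOSK01'                                # placeholder: the one machine
$gpoName  = 'Restricted Internet - User Settings'    # placeholder: the user-settings GPO

# Step 1: put the computer(s) in their own OU.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN
}
$comp = Get-ADComputer $computer
if ($comp.DistinguishedName -notlike "*,$ouDN") {
    Move-ADObject -Identity $comp.DistinguishedName -TargetPath $ouDN
}

# Step 2: link the GPO to that OU (create the GPO first if it does not exist).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$existing = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# Step 3: turn on loopback processing. The loopback policy setting is stored as
# UserPolicyMode under HKLM\Software\Policies\Microsoft\Windows\System:
# 1 = Merge (keep the user's own GPOs and add this one), 2 = Replace (only this one).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# Step 4: leave Security Filtering at the default. Show who currently holds Apply;
# it should be just Authenticated Users.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied
```

Run it from an elevated PowerShell on a machine with GPMC installed, then `gpupdate /force` on the target computer and log on as any user to confirm. Because the GPO is linked to the computers' OU and loopback is on, the user section of the GPO is applied for whoever logs on to that computer and nowhere else, which is the behaviour the original security-filtering attempt was trying to achieve.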


    • #3
      Hi Jeremy,

      That worked thank you!

      Problem solved now, but are you able to help me understand why my first approach would not work? On the face of it, I was telling the GPO to apply to any user (in the CompanyName OU), but only apply on the one machine, which seems (to me) to make perfect sense even though it wasn't working.

      Thanks,

      Alan.
      Last edited by Alan2016; 3rd August 2016, 02:07. Reason: Edited for spelling mistake



      • #4
        GPO applies machine policies when they start up, and user policies are applied when they log in. So the user policies apply last, which means they take precedence. In order for your single machine policy to take precedence, it has to be applied last. And for that, you have to have the loopback turned on. That way, that final machine policy is applied AFTER the user login, and therefore takes precedence. I've also used loopback for machine-specific policies that apply to users, having to do with keyboard lockout times between desks vs conference rooms with projectors. At their desks, the user lockout is a short period of inactivity, while in conf rooms, the same user has a much longer keyboard lockout/screen saver interval so they can concentrate on what's on the screen, and not whether they've moved the mouse in the last few minutes. So any machine with a unique requirement, applying a user-based policy, should have that policy applied through the use of loopback so it gets applied after a user has logged in.
        *RicklesP*
        MSCA (2003/XP), Security+, CCNA

        ** Remember: credit where credit is due, and reputation points as appropriate **



        • #5
          Hi RicklesP,

          Would that mean I could have gotten it to work with my original setup (linked to the CompanyName OU which contains users, security filtered to authenticated users and also the one machine) but I needed to turn on loopback processing under that scenario too?

          Edit: I tried this, but it still failed to work. I created a user settings policy, linked to the CompanyName OU, security filtered to a single machine, removed Authenticated Users from the security filtering, and then added Authenticated Users to the delegations with read access. I also set the loopback processing policy under the computer settings. The policy failed to apply.

          Still not understanding why this setup does not work?

          Thanks,

          Alan.
          Last edited by Alan2016; 4th August 2016, 07:17. Reason: More information



          • #6
            Your description of the 'CompanyName' OU says it includes users. But does it also contain computers, particularly the one you want the policy applied to?? If not, then it won't apply to the machine. You may have given the PC the rights to read the GP item, but it isn't in the OU where the policy is applied.
            *RicklesP*
            MSCA (2003/XP), Security+, CCNA

            ** Remember: credit where credit is due, and reputation points as appropriate **



            • #7
              Hi,

              Originally posted by RicklesP:
              Your description of the 'CompanyName' OU says it includes users. But does it also contain computers, particularly the one you want the policy applied to?? If not, then it won't apply to the machine. You may have given the PC the rights to read the GP item, but it isn't in the OU where the policy is applied.
              Firstly, to state the obvious - my understanding of Group Policy is not great, so I really appreciate your helping me to build my knowledge here.

              To answer your question: the CompanyName OU only contains users - no computers.

              Edit: I should have paid more attention to the difference between read rights and whether a policy is actually applied. For anyone else that follows behind, you can view the actual specific permissions on the delegations tab by clicking on advanced, and note that some groups (or users or computers etc) have the 'read' permission, and others have the 'apply' permission. All of that seems to still be dependent on what (or who) is in the OU (and presumably sub-OUs) where the GPO is being applied (its scope).

              Thanks for your patience RicklesP!

              Alan.
              Last edited by Alan2016; 5th August 2016, 00:54.

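The check Alan describes in his edit (Delegation > Advanced, Read versus Apply) together with RicklesP's point that the object must also sit under an OU the GPO is linked to, done from PowerShell. This is an added example written for this thread, not code from either poster; the GPO and computer names are placeholders.

```powershell
# Added example, not from the thread: for one GPO, show which trustees hold
# Read versus Apply, then test whether a given computer is under any link of that GPO.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName  = 'Restricted Internet - User Settings'   # placeholder: the GPO to inspect
$computer = 'KIOSK01'                               # placeholder: the machine that should get it

# 1. Read vs Apply. What GPMC lists as "Security Filtering" is exactly the set of
#    trustees holding GpoApply. GpoRead alone lets a client fetch the GPO but never
#    causes it to be applied, which is why "Read for Authenticated Users" on its own
#    was not enough in the original setup.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoRead' -or $_.Permission -eq 'GpoApply' } |
    Sort-Object Permission |
    Format-Table @{n='Trustee'; e={ $_.Trustee.Name }}, Permission, Denied -AutoSize

# 2. Scope. A trustee with Apply still only receives the GPO if its own account
#    (user or computer) lives under a site, domain or OU where the GPO is linked.
$gpo    = Get-GPO -Name $gpoName
$report = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
$links  = $report.GPO.LinksTo                         # each has SOMPath, e.g. example.local/CompanyName

$compCN = (Get-ADComputer $computer -Properties CanonicalName).CanonicalName
if (-not $links) {
    "GPO '$gpoName' is not linked anywhere, so it applies to nobody."
}
foreach ($link in $links) {
    # A computer is in scope of a link when its canonical name starts with the link's SOM path.
    $inScope = $compCN -like "$($link.SOMPath)/*"
    '{0,-45} enabled={1,-5} {2} in scope: {3}' -f $link.SOMPath, $link.Enabled, $computer, $inScope
}
```

Against the thread's original configuration this prints Authenticated Users with GpoRead, the machine (or its group) with GpoApply, and one link to the CompanyName OU with the computer reported as not in scope, which is the combination RicklesP pointed to: the PC could read the GPO but was never under the OU where it was linked, so the user settings could not reach it without relocating the link and turning on loopback.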


              • #8
                A simplistic view is really straightforward: apply computer settings to an OU with desired computers in it, and apply user settings to an OU with desired users in that. Use security filtering and group membership to apply your policy to a subset of computers in the computers OU, same for users. And computer vs user policy applies as I identified earlier in this article. Next you want to read up on the hierarchy of the sequence of policy application: Local, Site, Domain, OU. And finally, loopback on the computers for unique user settings, based on the context of the computer's use or location. Those details should get you through most of your issues.
                *RicklesP*
                MSCA (2003/XP), Security+, CCNA

                ** Remember: credit where credit is due, and reputation points as appropriate **
