Prevent members of a group from applying a GPO
Assign Security Group Filters to the GPO
Article
12/09/2022
2 minutes to read
9 contributors
Applies to:
✅ Windows 10, ✅ Windows 11, ✅ Windows Server 2016, ✅ Windows Server 2019, ✅ Windows Server 2022
To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
Important
This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.
Administrative credentials
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the relevant GPOs.
In this topic:
Allow members of a group to apply a GPO
Prevent members of a group from applying a GPO
To allow members of a group to apply a GPO
Use the following procedure to add a group to the security filter on the GPO that allows group members to apply the GPO.
Open the Group Policy Management console.
In the navigation pane, find and then click the GPO that you want to modify.
In the details pane, under Security Filtering, click Authenticated Users, and then click Remove.
Note
You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. If the GPO contains User settings, and the Authenticated Users group is removed, and new security filtering is added using a security group that only contains user accounts, the GPO can fail to apply. Details and various workarounds are mentioned in this Microsoft blog.
Click Add.
In the Select User, Computer, or Group dialog box, type the name of the group whose members are to apply the GPO, and then click OK. If you do not know the name, you can click Advanced to browse the list of groups available in the domain.
To prevent members of a group from applying a GPO
Use the following procedure to add a group to the security filter on the GPO that prevents group members from applying the GPO. This is typically used to prevent members of the boundary and encryption zones from applying the GPOs for the isolated domain.
Open the Group Policy Management console.
In the navigation pane, find and then click the GPO that you want to modify.
In the details pane, click the Delegation tab.
Click Advanced.
Under the Group or user names list, click Add.
In the Select User, Computer, or Group dialog box, type the name of the group whose members are to be prevented from applying the GPO, and then click OK. If you do not know the name, you can click Advanced to browse the list of groups available in the domain.
Select the group in the Group or user names list, and then select the box in the Deny column for both Read and Apply group policy.
Click OK, and then in the Windows Security dialog box, click Yes.
The group appears in the list with Custom permissions.
Recommended content
Loopback processing of Group Policy - Windows Server
This article describes why you need to enable loopback processing for Group Policy.
Copy a GPO to Create a New GPO (Windows)
Learn how to make a copy of a GPO by using the Active Directory Users and devices MMC snap-in to create a GPO for boundary zone devices.
Permissions for this GPO are inconsistent - Windows Server
Describes a permissions issue that occurs when you run Group Policy Management Console in a Windows 2008 or Windows Server 2003 domain. A resolution is provided.
Create a Group Policy Object (Windows)
Learn how to use the Active Directory Users and Computers MMC snap-in to create a GPO. You must be a member of the Domain Administrators group.
No comments:
Post a Comment