
Group Policy Object filtering by security group

In this quick tip, IT pro Rick Vanover shows how you can use filtering to apply Group Policy Objects to a computer or user account.

The Organizational Unit (OU) structure of an Active Directory domain is critically important; it is a delicate balance between full-service central management, flexibility, and a simple, intuitive layout. And yet, there are some settings that may need to be applied globally to users or computer accounts that exist in a number of different OUs.

With a little work upfront, administrators can create Group Policy Objects (GPOs) for an OU or the entire domain but only apply it to users or computers that are members of a security group. This can be especially valuable for computer and user accounts that have configuration requirements that do not align to the OU structure. The process is the same for a computer or user account, but this is a good first step to separate filtering for each type.

In my personal lab, I have two GPOs at the top of the domain that would apply to every object in the domain, one for computer accounts and one for user accounts. Figure A shows these two GPOs at the root of the domain.

There are a number of best practices you could apply that would not involve top level GPOs, but for the scope of the filtering example, the top of domain will be used. The simplest best practice would be to place all users in one top level OU and all computer accounts in another top level OU; then the GPOs for each type would reside in the respective OU.

The example also shows a self-documenting object name. In the example above, the GPOs are named Filter-GPO-ComputerAccounts and Filter-GPO-UserAccounts; this denotes that they are filtered GPOs, and the groups that have the filters applied are the GPO-ComputerAccounts and GPO-UserAccounts groups -- again, self-documenting. See the corresponding security groups in Figure B.


The GPO-ComputerAccounts group is a security group with two computer accounts in it. Like user accounts, computer accounts can be members of a security group.

With the OU and the security group defined, you can configure the filters to apply a GPO only to members of the group. The first step is to remove the default Authenticated Users entry, which carries both Read and Apply Group Policy, from the security settings of the GPO. The item to be removed is shown in Figure C.

Once the default Read and Apply Group Policy permissions for Authenticated Users are removed, the security group is added on the Security tab of the GPO and given the Read and Apply Group Policy permissions. Figure D shows this being configured for the GPO-ComputerAccounts group on the Filter-GPO-ComputerAccounts GPO. One caveat for anyone following this on a current domain: since the June 2016 security update MS16-072 (KB3163622), the computer account must still be able to read a GPO for it to be processed, so the safer variant is to leave Authenticated Users with Read and strip only Apply Group Policy (or add Domain Computers with Read); removing the Authenticated Users entry entirely will break processing of the filtered GPO.


Note the Advanced button highlighted at the bottom of the Security tab; if the permissions are configured after the GPO is created, Advanced is where the Apply Group Policy permission is granted to the group. At that point, the GPO applies only to members of the security group, even though it is linked at the domain root.
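The same procedure scripted, as an added example that is not part of the original article, using the GroupPolicy and ActiveDirectory PowerShell modules from RSAT. The GPO and group names are the article's; the computer names PC01 and PC02 and the domain it runs against are assumptions. It also keeps Read for Authenticated Users rather than removing the entry, which is the form the technique needs on domains patched with MS16-072, and it verifies afterwards that the filter group is the only holder of Apply Group Policy.

```powershell
# Added example (not the article's code): GPO security filtering by group.
# Requires RSAT GroupPolicy and ActiveDirectory modules and rights to
# create GPOs and groups in the domain. Computer names are assumptions.
#Requires -Modules GroupPolicy, ActiveDirectory
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$gpoName = 'Filter-GPO-ComputerAccounts'   # name from the article
$grpName = 'GPO-ComputerAccounts'          # name from the article
$members = @('PC01', 'PC02')               # assumed computer accounts
$domainDN = (Get-ADDomain).DistinguishedName

# 1. The security group that carries the filter. Computer accounts can be
#    members of a security group just like users.
if (-not (Get-ADGroup -Filter "Name -eq '$grpName'")) {
    New-ADGroup -Name $grpName -GroupScope Global -GroupCategory Security `
        -Description "Members receive the $gpoName GPO"
}
foreach ($name in $members) {
    $computer = Get-ADComputer -Identity $name
    Add-ADGroupMember -Identity $grpName -Members $computer
}

# 2. The GPO, linked at the domain root so every computer is in its scope.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName -Comment "Filtered: applies only to $grpName" | Out-Null
    New-GPLink -Name $gpoName -Target $domainDN | Out-Null
}

# 3. Security filtering. A new GPO gives Authenticated Users Read + Apply.
#    -Replace swaps that for Read only: the Apply Group Policy ACE is gone,
#    Read stays so computer accounts can still retrieve the GPO (required
#    since MS16-072 / KB3163622).
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
# Read + Apply Group Policy for the filter group only.
Set-GPPermission -Name $gpoName -TargetName $grpName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Verify: the filter group must be the only trustee holding GpoApply.
$perms   = Get-GPPermission -Name $gpoName -All
$perms | Format-Table Trustee, TrusteeType, Permission, Inherited -AutoSize
$holders = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
             ForEach-Object { $_.Trustee.Name })
if ($holders.Count -ne 1 -or $holders[0] -notlike "*$grpName") {
    throw "Unexpected Apply Group Policy holders on ${gpoName}: $($holders -join ', ')"
}
Write-Host "$gpoName is filtered to $grpName only."

# 5. On a member computer, the new group membership enters the computer's
#    token at the next reboot; then 'gpupdate /target:computer /force' and
#    'gpresult /r /scope:computer' should list the GPO under applied GPOs,
#    while a computer outside the group lists it as denied (Security).
```

If the verification step throws, check the output table: any Inherited entry with GpoApply comes from the parent container's delegation rather than from the GPO itself, and the trustee name for a well-known group such as Authenticated Users appears without a domain prefix.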

How do you use GPO filtering? I can think of a number of ways it can be beneficial, although it is also risky if over-utilized. Share your strategies in the forums.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

5 comments
andrew

Hey there, thank you for your article. I used the same procedure to apply a GP using security filtering with a security group. I have made myself a member of the security group, I have added the security group and given it Read and Apply GP permissions on the GP scope. I have removed the Apply permissions for the Authenticated Users group. After I do my GP update etc. and gpresult, I see that there is an access denied issue. However, if I explicitly add my user account and give it Read and Apply permissions on the GP scope it works fine. Can you help me troubleshoot why I am getting access denied when applying it to the group that I am a member of?

psutsos

This is a great method and thank you for going over it simply with good pictures. This method is taught in Microsoft's own Windows 2008 classes and is an important concept since you can't have an OU for everything and OUs should be ordered by delegation. Sometimes, it makes sense for a GPO to apply to a security group. We do this for our "test computers" as their security group is allowed by a GPO. This "Test Group" GPO only depends on member workstations in the group, not entirely based on OU inheritance.

remymaza

I'd like to know the threshold for too much filtering. Also, I know you get a performance hit if too many GPOs are enforced. Is there a quantifiable number for what is too much?

Derek Schauland

I am not sure you will see a huge performance hit for enforcing GPOs. I imagine if you enforced thousands of them you might, but spread across domain controllers, even that shouldn't be an issue. Since Windows and AD do not limit groups (as far as I know) there shouldn't be any limitation as far as filtering. I guess the only thing to watch for would be cases when you have more filters than are useful; the best fix for that is extremely good documentation of your GPOs and their usage.

b4real

There are too many factors:
- Bandwidth
- Number of domain controllers
- Number of computer accounts
- Complexity of configuration

As a general rule, things get hairy ONLY when you use Active Directory to push some major bits, such as a software installation package. Then enterprise system management is the way to go.