Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » GP Security Filtering
GP Security Filtering [message #156484] Thu, 18 June 2009 02:09 Go to next message
Anonymous Coward
We have a very flat OU Structure where in there are ~500 Users in the Users OU. We now have a requirement to apply certain policy settings to 3 users in that OU. For just 3 users is it worth having an another OU or should we just group them and put a security filter on the GPO and link it to users OU? which one is a better option?

Will linking the GPO to Users OU which is actually applicable to only 3 users in anyway effect the other 497 users...in terms of login performance etc??
--
Re: GP Security Filtering [message #156486 is a reply to message #156484] Thu, 18 June 2009 02:34 Go to previous messageGo to next message
florian  is currently offline florian  Switzerland
Messages: 484
Registered: July 2009
Senior Member
Howdie!

"Yogi" <Yogi@live.com> wrote in message news:%23sFBNt97JHA.1564@TK2MSFTNGP06.phx.gbl...
We have a very flat OU Structure where in there are ~500 Users in the Users OU. We now have a requirement to apply certain policy settings to 3 users in that OU. For just 3 users is it worth having an another OU or should we just group them and put a security filter on the GPO and link it to users OU? which one is a better option?

Will linking the GPO to Users OU which is actually applicable to only 3 users in anyway effect the other 497 users...in terms of login performance etc??
Whether it is worth or not depends on what other policies are applied and whether further GPOs for smaller user groups are planned. If there aren't other requirements in terms of OU design and you can do that, why not seperate them?

Performance will not be affected if you tweak security filtering right. Clear the "Authenticated Users" out of the security and move the users (prefererrably create a group for these users and use the group) and assign them "Read" and "Apply Group Policy" permission.

If you're going the other way around and deny a certain group of users GP rights, make sure you both deny "Read" and "Apply Group Policy" permission. Denying "Apply..." and leaving "Read" permission for users can affect performance - at least a little.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
--
Re: GP Security Filtering [message #156487 is a reply to message #156486] Thu, 18 June 2009 02:41 Go to previous message
Anonymous Coward
Thanks for your prompt response
"Florian Frommherz [MVP]" <florian@frickelsoft.PLEASELEAVETHISOUT.net> wrote in message news:etPf8797JHA.2456@TK2MSFTNGP02.phx.gbl...
Howdie!

"Yogi" <Yogi@live.com> wrote in message news:%23sFBNt97JHA.1564@TK2MSFTNGP06.phx.gbl...
We have a very flat OU Structure where in there are ~500 Users in the Users OU. We now have a requirement to apply certain policy settings to 3 users in that OU. For just 3 users is it worth having an another OU or should we just group them and put a security filter on the GPO and link it to users OU? which one is a better option?

Will linking the GPO to Users OU which is actually applicable to only 3 users in anyway effect the other 497 users...in terms of login performance etc??
Whether it is worth or not depends on what other policies are applied and whether further GPOs for smaller user groups are planned. If there aren't other requirements in terms of OU design and you can do that, why not seperate them?

Performance will not be affected if you tweak security filtering right. Clear the "Authenticated Users" out of the security and move the users (prefererrably create a group for these users and use the group) and assign them "Read" and "Apply Group Policy" permission.

If you're going the other way around and deny a certain group of users GP rights, make sure you both deny "Read" and "Apply Group Policy" permission. Denying "Apply..." and leaving "Read" permission for users can affect performance - at least a little.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
--
Previous Topic:Re: removing Windows 2008 DC after demotion, time for ntdsutil
Next Topic:Transfer forest root role to another DC?
Goto Forum:
  


Current Time: Wed Oct 18 01:35:20 EDT 2017

Total time taken to generate the page: 0.02857 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software