Group Policy Rule


Keep the following rules in mind before you apply the Group Policies:

1. Group Policies can be applied to AD leaf objects such as users and computers, but NOT to security or distribution groups.

2. Users and Computers MUST reside in the OU where you have configured Group Policy.

3. Group Policies can use GROUPS to filter the scope of policy settings.

4. By default Group Policies are applied to the following groups:

Authenticated Users                                        

5. If the security properties are left at their defaults, Group Policy settings also apply to administrators, including you, because when you create a GPO the following security permissions are set by default:
*Apply Group Policy* and *Read* permission for the following groups:

Authenticated Users                                        
Domain Admins                                            
Enterprise Admins

6. Group Policy processing depends on Client-Side Extensions (CSEs), which are registered under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions (each subkey is the GUID of one Client-Side Extension).

CSEs are used to process GPOs from the Domain Controller. Winlogon.exe will capture a list of GPOs.

As per M$ recommendation, you should remove the *Authenticated Users* group, create a new group, add all members to this group and use the FILTERING technique. What generally happens is that all user objects are members of the Authenticated Users group, and the settings get mixed because, from the domain level down to the child OU, the settings are applied to the Authenticated Users group. For example:

If you have configured something in the parent OU and also in the child OU, and all users are members of the Authenticated Users group, the settings are mixed up and the following Group Policy rule is applied:

| Policy Settings at Parent OU | Policy Settings at Child OU | Result |
|---|---|---|
| Not Configured | Configured | Child's setting applied |
| Configured | Configured, no conflict | Both settings applied |
| Configured | Configured, conflicts | Child's setting applied |
| Configured | Not Configured | Parent's setting applied |
| Not Configured | Not Configured | No settings (this is the default) |
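
The table above and the filtering rule (point 3) can be worked through with a small model. This is an added example, not code from the original post: it generalizes the two-level table to any parent-to-child OU chain, and all OU, GPO, group and setting names are constructed. It deliberately ignores link order, Enforced links, Block Inheritance and loopback processing.

```python
from dataclasses import dataclass, field

@dataclass
class Gpo:
    name: str
    settings: dict  # setting name -> configured value; absent key = Not Configured
    # Groups holding Read + Apply Group Policy (the default for a new GPO).
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})

def resultant_settings(ou_chain, user_groups):
    """ou_chain: [(ou_name, [Gpo, ...])], parent OU first, user's own OU last.
    Returns {setting: (value, name of the GPO that supplied it)}."""
    groups = set(user_groups) | {"Authenticated Users"}  # every logged-on user
    result = {}
    for _ou, gpos in ou_chain:
        for gpo in gpos:
            if not gpo.apply_to & groups:
                continue  # security filtering: GPO is skipped for this user
            for key, value in gpo.settings.items():
                result[key] = (value, gpo.name)  # child overwrites parent on conflict
    return result

# Constructed sample data (hypothetical OU, GPO, group and setting names).
BASELINE = Gpo("Staff-Baseline", {"ScreenLockMinutes": 15, "HideControlPanel": True})
LOCKDOWN = Gpo("Finance-Lockdown", {"ScreenLockMinutes": 5, "BlockUsbStorage": True})
FILTERED = Gpo("Finance-Lockdown", LOCKDOWN.settings, apply_to={"Finance-Users"})

def chain(child_gpo):
    """Parent OU 'Staff' with the baseline GPO, child OU with the given GPO."""
    return [("Staff", [BASELINE]), ("Staff/Finance", [child_gpo])]

if __name__ == "__main__":
    cases = [("default filter, any user", LOCKDOWN, []),
             ("group filter, non-member", FILTERED, []),
             ("group filter, member", FILTERED, ["Finance-Users"])]
    for label, gpo, groups in cases:
        print(label)
        merged = resultant_settings(chain(gpo), groups)
        for key, (value, source) in sorted(merged.items()):
            print(f"  {key} = {value}  (from {source})")
```

With the default filter every user in the child OU receives the merged result; once the child GPO is filtered to a dedicated group, only members of that group receive its settings and everyone else keeps the parent's values.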
