Share via

Seeking Help on GPO applicationsof Ad Group Sever Access

Anonymous
2024-05-30T08:51:29+00:00

I am making changes to access to servers I help managed. At the moment, AD groups are controlled by Restricted Groups in the Computer Configuration > Windows Settings > Security Settings > Restricted Groups area of GPO.

I wish to maintain some of these groups only for the admin side and ma making geneal user now conditional on server names.

For this, I have applied settings under Computer Configuration > preferences > Control Panel and applied Item-Level targets.

Regardless of the item level targets or removing them, the groups I ask GPO to apply are just not being applied.

I am at wits end wondering why the direct way of adding AD groups under GPO works but tthe Control pnael section refuses to add anything I supply.

Is there another setting that I need to control to allow AD groups to be added from the 2 ways GPO allows ?

Help would be appreciated before I lose more hair from tearing it out.

Thank you

Clint

Windows Server Accessibility

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2024-05-30T21:51:25+00:00

    Hello,

    For the permissions to manage users and groups in Active Directory and GPO, you can check the following points:

    1. First, make sure you have sufficient permissions to modify and apply GPO. In addition, you also need to make sure that the members of the AD group have sufficient permissions to receive and apply GPO. General steps: Open AD Manager and select "Advanced Features" from "View" on the toolbar. Right-click the group you want to check, select "Properties", then select the "Security" tab, and click "Advanced" at the bottom. In the "Advanced" window, select the user or group you want to view, and click "View Effective Access" to view the effective permissions of the user or group in the AD group.
    2. Check the order in which GPOs are applied. The order in which GPOs are applied may affect the application of settings. By default, GPOs are processed in the order of local GPOs, site GPOs, domain GPOs, and organizational unit GPOs. If multiple GPOs are applied to the same object, the later applied GPO will overwrite the earlier applied GPO.
    3. Double-check your configuration of GPOs and AD groups to make sure they are correct.
    4. It takes some time for policy changes to take effect on the target machine. You can use the gpupdate /force command to force an immediate policy refresh.

    References:

    Appendix B - Privileged Accounts and Groups in Active Directory | Microsoft Learn

    Group Policy processing for Windows | Microsoft Learn

    We value your feedback, click Yes or No to help us improve the support experience.

    Best regards,

    Jacen Wang

    0 comments