Group Policy Security Filtering

An administrator can add both computers and users to security groups. Then the administrator can specify which security groups are affected by the GPO by using the Access Control List (ACL) editor. To start the ACL editor, select the Security tab of the property page for the GPO. Then set access permissions using discretionary access control lists (DACLs) to allow or deny access to the GPO by specified groups. By changing the Access Control Entries (ACEs) within the DACL, the effect of any GPO can be modified to exclude or include the members of any security group. For more information about security groups, see How Security Groups are Used in Access Control.

To apply a GPO to a specific group, both the Read and Apply Group Policy ACEs are required. By default, all Authenticated Users have both these permissions set to Allow. Because everyone in an organizational unit is automatically an Authenticated User, the default behavior is for every GPO to apply to every Authenticated User. However, domain administrators, enterprise administrators, and the LocalSystem account already have full control permissions, by default, without the Apply Group Policy ACE. Therefore, because administrators are also Authenticated Users, they too, by default, will receive the policy settings in the GPO. This may not be the appropriate scenario.

There are different methods administrators can use to prevent a GPO policy from applying to a specific group (for example, to administrators). The recommended method is to remove (clear Allow) both the Read and Apply Group Policy ACEs for the group. Another method involves removing the Apply Group Policy ACE for Authenticated Users, and then explicitly granting the permission by checking Allow for the individual security groups that should receive the policy settings. You can also set the Apply Group Policy ACE to Deny for groups of users that do not require the policy.

Warning: A Deny ACE setting for any group takes precedence over any Allow ACE granted to a user or computer as a result of membership in another group. For more information about ACLs, DACLs, and ACEs, see Access Control.

The ACLs associated with a GPO control Security Filtering for that GPO. These ACLs contain a series of ACEs for different security principals (user accounts, computer accounts, security groups and built-in special identities). Here’s how to view the default ACL on a GPO:

  1. Open the Group Policy Management Console (GPMC).
  2. Expand the console tree until you see the Group Policy Objects node.
  3. Select a particular GPO under the Group Policy Objects node.
  4. Select the Delegation tab in the right-hand pane.

If you want more detail, click the Advanced button. The Advanced view shows the Apply Group Policy permission, which the Delegation tab does not display. The Delegation tab of a GPO lists only the security principals that actually process the GPO, that is, those whose Apply Group Policy permission is set to Allow. For a security principal in a container linked to the GPO to process that GPO, there is a minimum set of permissions. The security principal must have the following permissions on the GPO:

  • Allow Read
  • Allow Apply Group Policy

So how do you filter a GPO to a particular group, user or computer? The first thing to do is restrict who can apply that GPO. If you navigate to the Delegation tab, you’ll notice that by default Authenticated Users has Allow set for both the Read and Apply group policy permissions.

  1. Click the Advanced button.
  2. Click on Authenticated Users in the Group or user names list.
  3. Scroll down in the Permissions list until you find Apply group policy, and uncheck the Allow box.

Now we need to add the object that you want the GPO to apply to.

  1. Click the Add button.
  2. Enter the object name(s) that you want the group policy to apply to, and click the OK button.
  3. Click on the object(s) that you want the GPO to apply to in the Group or user names list.
  4. Scroll down in the Permissions list until you find Read, and uncheck the Allow box.
  5. Scroll down in the Permissions list until you find Apply group policy, and uncheck the Allow box.
  6. Click the OK button.

Now when you link that GPO, the GPO will filter and not apply to objects that do not match the criteria you set.
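The same filtering done from PowerShell with the GroupPolicy module, as an added example that is not part of the original post and not the author's own code. It covers both the exemption method described earlier (remove Read and Apply Group Policy for a group that should not receive the GPO) and the explicit-grant procedure above (take Apply Group Policy away from Authenticated Users, then grant it to the intended principal). It assumes the RSAT GroupPolicy module is installed and the caller has rights to edit the GPO's security; the GPO, domain and group names are placeholders.

```powershell
# Added example, not code from the original post: Group Policy security filtering
# with the GroupPolicy module, equivalent to the Delegation > Advanced steps.
# Assumptions: RSAT GroupPolicy module present; caller can modify the GPO's
# security. All names below are placeholders.
Import-Module GroupPolicy

$GpoName   = 'Workstation Lockdown'    # placeholder GPO name
$Domain    = 'corp.example'            # placeholder domain
$TargetGrp = 'Lockdown-Workstations'   # placeholder group that SHOULD receive the GPO
$ExemptGrp = 'Helpdesk-Staff'          # placeholder group that should NOT receive it

function Show-GpoFiltering {
    # Same information as the Advanced dialog: every trustee, its level,
    # and whether the entry is inherited or a Deny.
    param([string]$Name, [string]$DomainName)
    Get-GPPermission -Name $Name -DomainName $DomainName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission, Inherited, Denied |
        Format-Table -AutoSize
}

# Before: by default Authenticated Users has GpoApply (Read + Apply Group Policy).
Show-GpoFiltering -Name $GpoName -DomainName $Domain

# Explicit-grant method, step 1: drop Apply Group Policy for Authenticated Users
# but keep Read. -Replace is required because the cmdlet never lowers an
# existing permission level without it.
Set-GPPermission -Name $GpoName -DomainName $Domain `
    -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Explicit-grant method, step 2: grant Read + Apply Group Policy to the intended
# principal. GpoApply includes Read, which is the minimum the post describes.
# Use -TargetType User or Computer to target an individual account instead.
Set-GPPermission -Name $GpoName -DomainName $Domain `
    -TargetName $TargetGrp -TargetType Group -PermissionLevel GpoApply

# Exemption method (the post's recommended way to keep a GPO off a group):
# remove both Read and Apply Group Policy for that group. Note that doing this
# to a built-in admin group would also strip its default Edit rights on the GPO.
Set-GPPermission -Name $GpoName -DomainName $Domain `
    -TargetName $ExemptGrp -TargetType Group -PermissionLevel None -Replace

# After: only $TargetGrp should show GpoApply; $ExemptGrp should be absent.
Show-GpoFiltering -Name $GpoName -DomainName $Domain
```

Two practical notes. The GroupPolicy cmdlets can only set Allow levels; the third option in the post, a Deny ACE for Apply Group Policy, still has to be set in the GPMC Advanced view or the ACL editor, and Get-GPPermission reports it through the Denied column. And because Set-GPPermission silently refuses to lower a level unless -Replace is given, a script that omits it will leave Authenticated Users with GpoApply and the filter will appear not to work.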

Scott Forehand

Scott Forehand is an accomplished systems architect, engineer, and administrator with over a decade of experience designing and managing virtual environments, networks, storage and server infrastructures and operations with a proven ability to create and automate solutions to improve productivity, reliability and performance. He has achieved multiple certifications in virtualization, networking, cloud, storage and other technologies, and is honored to be a VMware vExpert in 2018.

VCP6-DCV VCP6-NV VCP6-CMA SCP ZCP