From the course: Windows Server 2019: Implementing Group Policy

Security filtering

- [Instructor] One aspect of group policy management that some administrators find to be a little bit tricky is figuring out how to get the group policy object settings to apply to the exact users and computers that they want them to. So we know that by default we go ahead and we take GPOs and we link them to our containers. We have our demo first GPO, and it's linked to the Chicago container. So that means that the settings are going to apply to all the users and computers inside that Chicago container. But beyond that, we have an additional form of filtering called security filtering. So here in group policy management on my domain controller, again, I'm highlighted on, I can use any GPO to demo this, but I'm just going to use the demo first GPO inside the Chicago container. And you'll notice that on the right hand side, in the middle, we have security filtering, where it says the settings in this GPO can only apply to the following groups, users, and computers. And the default is authenticated users, which is essentially everyone. And it's everyone within the Chicago organizational unit, right? So, just to be very clear, first we're taking the container, and then we're further filtering from within. So, there are two different ways we can approach this.

One would be to apply only to a specific group, and that's where we set it up here in security filtering. Instead of authenticated users, let me go ahead and click on add, and I'm going to type in, I'll just type in C-U-S-T, and check names, there we go, customer service users is a group that I have created in my environment. Click OK. And then I'm going to take my authenticated users and remove them. Yes, I'm OK with removing them. Now, you'll see here that there's a warning talking about how group policy requires each computer account to have permissions to read the GPO data from the domain controller, in order for the user group policy settings to be successfully applied. Removing this group may prevent certain processing. So I'm going to say okay. We know what we're doing here. By adding a group and removing the authenticated users, we've now made it that even within the Chicago container, we're only going to apply this GPO to the customer service users. So that's one form of filtering.

Now, we can also do the opposite, which is where we can say apply to all users in the container, except for a certain group. So, in order to do that, let me go ahead and add, I'm going to type in auth, check names, and we want to make sure that we get, yeah, here we go, authenticated users, get them put back in, and remove customer service. Alright, there we go. So now everything's back the way it was. Now it's applying to all authenticated users. If I wanted, now, to make an exception, a group that it's not going to apply to, then I need to come up here to the delegation tab. Now this delegation tab will actually have a number of things to do with different delegated authority over, certain groups having authority over what they can do with GPOs. But what I want to do is come down to the lower corner here and click on advanced.

And this then opens up your typical security, if you've looked at NTFS security, or shared security, or really any security settings, it's the typical security tab that we'd find on any properties. And we have our access control list, and then we have our settings. So if I click on authenticated users, you will see that there are two settings that must be applied in order to allow this group policy object to work for this group. First would be read. You have to be able to read the group policy object. But then if I scroll down just a little bit, you have to be able to allow apply group policy. So if I want to make it that it applies to all authenticated users, except for a certain group, then we're going to go ahead and add that group, and I'll just go ahead and type in C-U-S-T for my customer service users again. And now my customer service users, I'm going to deny the applying of group policy, and if you know anything about how settings work, you know that deny always overrides allow.

Which means now it'll be allowed for all authenticated users, except for customer service users where it is denied. If I click OK, it gives me a warning, because it says, hey, deny is very powerful, and I say, yep, I know what I'm doing. And there you go. Now, it will apply to all authenticated users in the Chicago organizational unit, except if they are a member of the customer service users group. And that is how you can use security filtering to help have better control over the users and computers to which you have GPOs applied.
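The same two filtering patterns the instructor clicks through in GPMC, scripted in PowerShell as an added example that is not part of the course. It assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined management host, a GPO named "Demo First GPO" and a group named "Customer Service Users" (both names taken from the demo; adjust to your own), and an account that can edit the GPO. The GPMC warning the instructor clicks past is handled explicitly: when Authenticated Users is removed, Domain Computers is given Read without Apply so computer accounts can still fetch the GPO for user-side processing. Set-GPPermission only writes Allow entries, so the Deny on Apply Group Policy is added on the GPO's Active Directory object directly.

```powershell
# Added example, not the course's own script. Assumes the GroupPolicy and
# ActiveDirectory modules (RSAT) and a domain where the names below exist.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Demo First GPO'          # assumed: the demo GPO linked to the Chicago OU
$GroupName = 'Customer Service Users'  # assumed: the group created in the instructor's lab

# --- Pattern 1: apply the GPO only to one group ---------------------------------
# GpoApply grants both ACEs the instructor checks on the Advanced tab: Read and
# Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# Remove Authenticated Users from the filter (PermissionLevel None strips its ACEs).
# This is the step that raises the GPMC warning about computer accounts needing
# read access to the GPO data.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel None | Out-Null

# Keep computer accounts able to read the GPO without applying it: Read only.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' -TargetType Group `
                 -PermissionLevel GpoRead | Out-Null

# --- Pattern 2: apply to everyone in the OU except one group ----------------------
# Put Authenticated Users back with Read + Apply, then add an explicit Deny on the
# Apply Group Policy extended right for the exception group. Deny wins over Allow.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

$gpo     = Get-GPO -Name $GpoName
$gpoPath = "AD:\$($gpo.Path)"      # the groupPolicyContainer object under CN=Policies,CN=System
$acl     = Get-Acl -Path $gpoPath
$sid     = (Get-ADGroup -Identity $GroupName).SID

# Schema GUID of the Apply-Group-Policy extended right.
$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c93f3b5c'

$denyAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl.AddAccessRule($denyAce)
Set-Acl -Path $gpoPath -AclObject $acl

# --- Verify: who can read/apply the GPO, and which entries are Deny -------------
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table -AutoSize
```

The final listing is the check worth keeping in a change record: Customer Service Users should show GpoApply with Denied set to True, Authenticated Users GpoApply with Denied False, and Domain Computers GpoRead. If Authenticated Users is ever left out and Domain Computers has no Read entry, user settings in the GPO silently stop processing, which is exactly the condition the GPMC warning in the transcript is describing.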
