Link a GPO to an OU or security group, Who will win?

Tom

11/1/22, 8:12 AM

Here's the scenario: A GPO is linked to an OU to enable, for example, UAC setting. However, since there are certain systems that require UAC to be disabled, there is a GPO that disables these settings. This GPO is linked to a security group. Those systems are member of the specific security group and will still be placed in the OU with the "enabled" settings GPO for UAC.

So which GPO is the winner?

According to my tests, the linked GPO to the OU before the security group always wins. Is there any solution for this problem?

269

2 + 1

active-directory

group-policy

organizational-unit

security-groups

Greg Askew

11/1/22, 10:06 AM

That's what precedence is for.It also depends if the GPO is marked as enforced if it's linked at a higher level.

Score:2

Server

Manu

11/1/22, 1:55 PM

As long as your GPO is not linked to any OU it will not have any effect.

In your case you could do the following:

Link both, Disabling-GPO and Enabling-GPO, to the same OU. In Delegation of Enabling-GPO Allow rad/apply to for example, Authenticated users. In Delegation of Disbaling-GPO Allow read/apply only to your Security Group. Watch for Link Order as Disabling-GPO needs to have the lower number (Prescendence).

What happens with this for Member of the Security Group: Enabling-GPO will be applied first and afterwards Disabling-GPO, leaving the Setting disabled.

If your Setting is for example a registry key in Preferences you could also use a Item-Level trageting by Security Group

0 + 0

Score:0

Server

Tom

11/22/22, 9:09 AM

The solution is to enforce the linked GPO. It will only applied to the objects in the specific security group via security group filtering at the GPO.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Link a GPO to an OU or security group, Who will win?

TH: เชื่อมโยง GPO กับ OU หรือกลุ่มรักษาความปลอดภัย ใครจะชนะ

RO: Conectați un GPO la un OU sau un grup de securitate, Cine va câștiga?

RU: Свяжите объект групповой политики с подразделением или группой безопасности. Кто победит?

VI: Liên kết GPO với OU hoặc nhóm bảo mật, Ai sẽ thắng?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.