Score:1

Link a GPO to an OU or security group: who will win?

tr flag
Tom

Here's the scenario: A GPO is linked to an OU to enable, for example, a UAC setting. However, since there are certain systems that require UAC to be disabled, there is a GPO that disables these settings. This GPO is linked to a security group. Those systems are members of the specific security group and will still be placed in the OU with the "enabled" settings GPO for UAC.

So which GPO is the winner?

According to my tests, the linked GPO to the OU before the security group always wins. Is there any solution for this problem?

cn flag
That's what precedence is for. It also depends on whether the GPO is marked as enforced, if it's linked at a higher level.
Score:2
us flag

As long as your GPO is not linked to any OU it will not have any effect.

In your case you could do the following:

Link both Disabling-GPO and Enabling-GPO to the same OU. In the Delegation of Enabling-GPO, allow read/apply to, for example, Authenticated Users. In the Delegation of Disabling-GPO, allow read/apply only to your Security Group. Watch the Link Order, as Disabling-GPO needs to have the lower number (Precedence).

What happens with this for members of the Security Group: Enabling-GPO will be applied first and afterwards Disabling-GPO, leaving the setting disabled.

If your setting is, for example, a registry key in Preferences, you could also use Item-Level Targeting by Security Group.
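
The steps from this answer as PowerShell, as an added example that is not part of the original post. The OU distinguished name and the security group name are placeholder assumptions; the GPO names are the ones used in the answer.

```powershell
# Requires the GroupPolicy module (RSAT / Group Policy Management).
Import-Module GroupPolicy

# Assumed placeholder values; replace with your own.
$TargetOU    = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU
$ExemptGroup = 'UAC-Exempt-Computers'                # hypothetical security group
$EnableGpo   = 'Enabling-GPO'
$DisableGpo  = 'Disabling-GPO'

# 1. Link both GPOs to the same OU. The link with the lowest order number
#    is processed last and therefore wins, so Disabling-GPO gets order 1.
$existing = (Get-GPInheritance -Target $TargetOU).GpoLinks.DisplayName
$wanted   = @(
    @{ Name = $DisableGpo; Order = 1 },
    @{ Name = $EnableGpo;  Order = 2 }
)
foreach ($w in $wanted) {
    if ($existing -contains $w.Name) {
        Set-GPLink -Name $w.Name -Target $TargetOU -Order $w.Order -LinkEnabled Yes
    } else {
        New-GPLink -Name $w.Name -Target $TargetOU -Order $w.Order -LinkEnabled Yes
    }
}

# 2. Security filtering (the "Delegation" step).
#    Enabling-GPO applies to everyone in the OU.
Set-GPPermission -Name $EnableGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoApply

#    Disabling-GPO: downgrade Authenticated Users from Apply to Read so the
#    GPO stays readable but is not applied; -Replace is needed to lower a level.
Set-GPPermission -Name $DisableGpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
#    Only the exemption group may apply it.
Set-GPPermission -Name $DisableGpo -TargetName $ExemptGroup `
    -TargetType Group -PermissionLevel GpoApply

# 3. Verify link order and who can apply the exemption GPO.
(Get-GPInheritance -Target $TargetOU).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced
Get-GPPermission -Name $DisableGpo -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Computer accounts pick up a new group membership only after a restart; afterwards `gpresult /r /scope computer` on a member system shows which GPOs were applied and which were filtered out. Since the exemption group now controls which systems run with UAC disabled, who may modify its membership is worth reviewing.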

Score:0
tr flag
Tom

The solution is to enforce the linked GPO. It will only be applied to the objects in the specific security group via security group filtering at the GPO.
