9.14. Applying a Security Filter to a GPO

Problem

You want to configure a GPO so that it applies only to members of a particular security group.

Solution

Using a graphical user interface

  1. Open the GPMC snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the target domain, and expand the Group Policy Objects container.

  3. Click on the GPO you want to modify.

  4. In the right pane under Security Filtering, click the Add button.

  5. Use the Object Picker to select a group and click OK.

  6. Highlight Authenticated Users and click the Remove button.

  7. Click OK to confirm.

Using a command-line interface

> setgpopermissions.wsf "<GPOName>" "<GroupName>" /permission:Apply
> setgpopermissions.wsf "<GPOName>" "Authenticated Users" /permission:None

Using VBScript

' This code adds a security group filter permission to a GPO
' and removes the Authenticated Users filter permission.
' ------ SCRIPT CONFIGURATION ------
strGPO         = "<GPOName>"        ' e.g. Sales GPO
strDomain      = "<DomainDNSName>"  ' e.g. rallencorp.com
strGroupAdd    =  "<GroupName>" ' e.g. SalesUsers strGroupRemove = "Authenticated Users" ' ------ END CONFIGURATION --------- set objGPM = CreateObject("GPMgmt.GPM") set objGPMConstants = objGPM.GetConstants( ) ' Initialize the Domain object set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC) ' Find the specified GPO set objGPMSearchCriteria = objGPM.CreateSearchCriteria objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _ objGPMConstants.SearchOpEquals, ...

Get Active Directory Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial