1. GPO is not funny.
2. ALWAYS ADD Authenticated Users to the Delegation tab and grant them Read rights only. (WITHDRAW the ‘pull GPO’ right!) (Via Delegation – Advanced view)
Otherwise the following may happen: you add a user/group to the Security Filtering section, they appear in Delegation with all the rights they need – but computer says ‘NO’: the GPO can’t be read, for an unknown reason. IMHO that’s because it is not the user who reads the GPO, but some other (of about a million) built-in account that reads and executes the GPO. WTF?
3. Security filtering means: all these objects have the ‘pull this GPO’ right switched on.
4. Delegation means: objects have the right to read the GPO.
5. User/group objects ONLY react to GPO settings in the user branch.
6. Computer objects ONLY react to GPO settings in the computer branch.
7. Pull sequence: first the computer branch settings, then the user/group branch settings.
8. Removable storage handling is special:
8a. Never use the ‘deny all removable device classes’ switch. You can’t whitelist some special machines or users afterwards. This feature blocks everything, forever.
8b. You have to reboot (WTF2??) the entire machine after changing the rules.
8c. You have to delete (WTF3???) the CD-ROM device and reboot the machine after you allow access via GPO.
8d. Beware: VMware drives may be recognized as removable drives and blocked. (WTF4????)
9. Troubleshooting tools: rsop.msc, gpresult /z, gpupdate /force
10. Setting some user branch rules for specific users on specific machines only.
Forget Loopback mode – use WMI Filtering instead.
10a. Create a WMI filter.
select * from Win32_ComputerSystem where ( Name like 'MACHINE%' or Name = 'SERVERX') and (UserName like 'mueller%' or Username = 'meier' )
10b. You MUST (!!!) add your users to the WMI filter’s Delegation block.
10c. Create a GPO object.
10d. Add your users to the Security Filtering. (Check the GPO’s Delegation for ‘Authenticated Users’ read only [switch off GPO pulling!].)
10e. Switch your WMI filter on.
10f. There is no need to filter for users in your WMI string as in the example above. Users are filtered by the GPO’s ‘Security Filtering’ block – filter for machines only.
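The same build, done in PowerShell with the GroupPolicy and ActiveDirectory modules (an added example, not part of the original notes): it creates the GPO (10c), leaves Authenticated Users with Read but no Apply (2, 10d), gives the target group Apply (10d), attaches an already existing WMI filter (10e) and then lists who can read versus apply, which is the check for the ‘computer says NO’ case. The GPO, group, filter and OU names are placeholders, and the gPCWQLFilter value format is an assumption noted in the code.

```powershell
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName       = 'USR-Mueller-Settings'        # placeholder GPO name
$TargetGroup   = 'GG-GPO-Mueller-Users'        # placeholder group that should receive the user settings
$WmiFilterName = 'Machines-MACHINE-SERVERX'    # placeholder: WMI filter already created in GPMC (10a)
$LinkTarget    = 'OU=Users,DC=example,DC=local' # placeholder OU to link the GPO to

# 10c: create the GPO. The default ACL gives Authenticated Users Read AND Apply Group Policy.
$gpo = New-GPO -Name $GpoName

# 2 + 10d: -Replace downgrades Authenticated Users to Read only (the account that actually
# pulls the GPO can still read it), then only the target group gets Apply (= security filtering).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TargetGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 10e: attach the WMI filter. The filter lives as an msWMI-Som object whose CN is a GUID;
# the GPO points at it via gPCWQLFilter. Assumption: the value format "[<domain DN>;{<GUID>};0]".
$domainDn = (Get-ADDomain).DistinguishedName
$som = Get-ADObject -LDAPFilter "(&(objectClass=msWMI-Som)(msWMI-Name=$WmiFilterName))" `
    -SearchBase "CN=SOM,CN=WMIPolicy,CN=System,$domainDn"
if (-not $som) { throw "WMI filter '$WmiFilterName' not found (create it in GPMC first, step 10a)" }
Set-ADObject -Identity $gpo.Path -Replace @{ gPCWQLFilter = "[$domainDn;$($som.Name);0]" }

# Link the GPO so it is actually processed.
New-GPLink -Name $GpoName -Target $LinkTarget | Out-Null

# Check: every trustee with GpoApply is in Security Filtering; Authenticated Users must show GpoRead.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Afterwards confirm on a filtered machine with gpresult /z (item 9) that the GPO shows up as applied for the user and not as ‘filtered out’ by security or WMI.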