Recipe 9.14 Applying a Security Filter to a GPO

9.14.1 Problem

You want to configure a GPO so that it applies only to members of a particular security group.

9.14.2 Solution

Using a graphical user interface

  1. Open the GPMC snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the target domain, and expand the Group Policy Objects container.

  3. Click on the GPO you want to modify.

  4. In the right pane under Security Filtering, click the Add button.

  5. Use the Object Picker to select a group and click OK.

  6. Highlight Authenticated Users and click the Remove button.

  7. Click OK to confirm.

Using a command-line interface

> setgpopermissions.wsf "<GPOName>" "<GroupName>" /permission:Apply
> setgpopermissions.wsf "<GPOName>" "Authenticated Users" /permission:None

Using VBScript

' This code adds a security group filter permission to a GPO
' and removes the Authenticated Users filter permission.
' ------ SCRIPT CONFIGURATION ------
strGPO         = "<GPOName>"        ' e.g. Sales GPO
strDomain      = "<DomainDNSName>"  ' e.g.
strGroupAdd    = "<GroupName>"      ' e.g. SalesUsers
strGroupRemove = "Authenticated Users"
' ------ END CONFIGURATION ---------

' Create the GPMC automation object and its constants
set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants()
' Initialize the Domain object (any available DC will do)
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
' Abort unless exactly one GPO matches the display name
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Get permission objects to Apply GPO
set objGPMPerm1 = objGPM.CreatePermission(strGroupAdd, _
                         objGPMConstants.PermGPOApply, False)
set objGPMPerm2 = objGPM.CreatePermission(strGroupRemove, _
                         objGPMConstants.PermGPOApply, False)

' Get the existing set of permissions (the ACL) on the GPO
set objSecurityInfo = objGPOList.Item(1).GetSecurityInfo()

' Add the Apply permission for the new filter group
objSecurityInfo.Add objGPMPerm1
' Remove the Apply permission from Authenticated Users
objSecurityInfo.Remove objGPMPerm2

on error resume next

' Write the modified ACL back to the GPO
objGPOList.Item(1).SetSecurityInfo objSecurityInfo
if Err.Number <> 0 then
   WScript.Echo "There was an error setting the security filter."
   WScript.Echo "Error: " & Err.Description
else
   WScript.Echo "Added Apply permission for group " & strGroupAdd
   WScript.Echo "Removed Apply permission for group " & strGroupRemove
end if

9.14.3 Discussion

Creating a security filter for a GPO consists of granting a specific group the Apply Group Policy permission on the ACL of the GPO. By default, Authenticated Users are granted the Apply Group Policy right on all new GPOs, so you will also need to remove this right if you want to restrict the GPO to only be applied to members of another group.

Avoid using "Deny" as part of the security filter because it can lead to confusion with accounts that have membership of groups with conflicting filter settings. For example, if a user is a member of a group that has "Deny" set in the filter and is also a member of a group that is allowed to apply the policy, the Deny setting will always win. This can be difficult to troubleshoot.

Be very careful when changing permissions on GPOs. If you create a very restricted GPO and apply a security filter to it, put tight controls on who can modify the GPO and how. If for some reason that security filter was removed (resulting in no security filters), the restrictive GPO could be applied to every user or computer in the domain.

Using VBScript

First, I have to find the target GPO. I use a GPMSearchCriteria object to find the GPO whose display name equals the name specified in the configuration section. I use an if/elseif/else conditional statement to ensure that exactly one GPO is returned; if none or more than one is returned, I abort the script. If only one GPO is returned, I create two permission objects with GPM.CreatePermission: one for the group I want to add as a security filter and one for the Authenticated Users group. Next, I use GPMGPO.GetSecurityInfo to retrieve the current ACL on the GPO. Finally, I add the permission for the group I want as the new security filter to the ACL, and I remove the permission for Authenticated Users.
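The same change with the GroupPolicy PowerShell module, followed by a check for the failure modes the discussion warns about (Authenticated Users regaining Apply, a Deny entry, or no Apply entry at all). This is an added example, not the book's code; it assumes the RSAT GroupPolicy module and uses hypothetical GPO and group names. It deliberately leaves Authenticated Users with Read on the GPO and removes only Apply, because current clients retrieve user policy in the computer's security context and silently skip a GPO the computer cannot read.

```powershell
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)] [string] $GpoName,   # hypothetical, e.g. 'Sales GPO'
        [Parameter(Mandatory)] [string] $GroupName  # hypothetical, e.g. 'SalesUsers'
    )
    # Grant the filter group Read + Apply Group Policy (GpoApply includes Read).
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # Downgrade Authenticated Users from Apply to Read. -Replace swaps the existing
    # level instead of adding to it, so Apply is removed and Read is kept.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
}

function Test-GpoSecurityFilter {
    # Returns $true when the filter looks sane; writes one warning per problem found.
    param([Parameter(Mandatory)] [string] $GpoName)
    $perms = Get-GPPermission -Name $GpoName -All
    $ok = $true
    $applyAllow = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
    # S-1-5-11 is the well-known SID of Authenticated Users; comparing SIDs avoids
    # depending on how the trustee name is rendered.
    if ($applyAllow | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }) {
        Write-Warning "$GpoName : Authenticated Users still hold Apply; the filter is ineffective"
        $ok = $false
    }
    if (-not $applyAllow) {
        Write-Warning "$GpoName : no trustee holds Apply; the GPO applies to nobody"
        $ok = $false
    }
    foreach ($d in ($perms | Where-Object { $_.Denied })) {
        Write-Warning "$GpoName : Deny entry for $($d.Trustee.Name) ($($d.Permission)); Deny always wins"
        $ok = $false
    }
    return $ok
}

# Usage with the hypothetical names from the configuration section
Set-GpoSecurityFilter -GpoName 'Sales GPO' -GroupName 'SalesUsers'
Test-GpoSecurityFilter -GpoName 'Sales GPO'
```

Run Test-GpoSecurityFilter on a schedule against your restricted GPOs; it is the cheap detection for the "filter removed, GPO now applies to everyone" scenario described above.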

9.14.4 See Also

MSDN: GPM.CreatePermission and MSDN: GPMGPO.GetSecurityInfo
