Just amending some GPOs on Server 2008 R2. I am noticing, though, that in the "Security Filtering" box there is a group appearing called Authenticated Users. Is this supposed to be in there on every GPO, or just the group I want to assign the GPs to?
Also, I have an OU called Admins with a GPO linked to it and the Admin user group added into the security filter box; however, the GPs are not applying even after a gpupdate. The OU below it, called Users, has GPOs linked to it and the Users group added to the security filter, and all those GPOs work fine. So I've done the same with the Admins OU, but the policies aren't applying. It's a GPO which will add shortcuts to the desktops of the Admin users specified in the Admin group, but they aren't working.
Any ideas, anyone?
If your OUs are structured then just leave it at Authenticated Users. That way, if you assign a GPO to the Staff OU it will just assign to all staff as they are in the OU (and are authenticated). However, if you want to assign the GPO to only some staff in the OU, then remove Authenticated Users and put in the security group name. That way it will only assign to those in that security group.
As an example of this, we have OUs for each class, and each class has all the student PCs as well as a single teacher PC. We want most software to install to all PCs in this group, but we only want SIMS and SmartBoard software to install to the teaching machine. Rather than create a sub-OU to allocate the software, we just:
1) Created a new security group called 'teaching machines'
2) Allocated the GPO to install this software to the top level so any machine can pick it up
3) Removed auth users from the GPO and added teaching machines group
4) Add the machines that need it to the security group
That way ICT1-Teacher gets SIMS, but all the others don't as they don't belong to the group.
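The four steps above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules; this is an added example and not part of the original post. The GPO name and both distinguished names are hypothetical placeholders, and instead of removing Authenticated Users outright it lowers that group to Read only, so it no longer applies the GPO but can still read it.

```powershell
# Added example: security-filter a software-install GPO to one computer group.
# Run on a machine with RSAT (GroupPolicy + ActiveDirectory modules).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'Install SIMS and SmartBoard'      # hypothetical GPO name
$GroupName  = 'teaching machines'                # group name used in the post
$GroupPath  = 'OU=Groups,DC=example,DC=local'    # hypothetical location for the group
$LinkTarget = 'OU=Classes,DC=example,DC=local'   # hypothetical top-level OU
$Machines   = @('ICT1-Teacher')                  # machine named in the post

# 1) Create the security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $GroupPath
}

# 2) Link the GPO at the top level so any machine below it is in scope.
$linked = (Get-GPInheritance -Target $LinkTarget).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $LinkTarget | Out-Null
}

# 3) Take Authenticated Users out of the security filter (Read only, no Apply)
#    and grant Read + Apply to the group. -Replace is required to lower a
#    permission level that is already higher than the one requested.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4) Add the machines that need the software to the group.
foreach ($name in $Machines) {
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $name)
}

# Check the result: only the group should show GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# A computer picks up new group membership at its next restart;
# afterwards "gpresult /r" on that machine lists applied and filtered-out GPOs.
```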
You could filter using that. Think of it as file permissions, basically, but Authenticated Users is a general group which allows everyone to read GPOs if they are applied. If you, say, put a deny read applied to a group, it would prevent the GPO applying.
It looks as if you can deploy SIMS using GPO and .msi. Please can you tell us how you do this?
Supplementary question: are you able to update SIMS and FMS without allowing SIMS users to run with local admin privileges? I'm absolutely sick of dealing with the consequences of this setup.
Many thanks for your input.