Thanks, I now have a full understanding of what's going on. Looks like I will have to dig elsewhere to find the cause of the massive logon hangs.
Cheers, JR On 14 November 2012 13:46, Christopher Bodnar <[email protected]>wrote: > No, Authenticated Users will not be running the GPO. You have to have the > Apply Group Policy right in order for it to apply. Either by adding it > manually through the Advanced button on the Delegation tab, or by using the > security filtering tab, which does it for you, Having only read does not > give you the ability to apply the GPO. > > HTH > *Christopher Bodnar* > Enterprise Architect I, Corporate Office of Technology:Enterprise > Architecture and Engineering Services Tel 610-807-6459 > 3900 Burgess Place, Bethlehem, PA 18017 > [email protected] > > > * > The Guardian Life Insurance Company of America* > * > **www.guardianlife.com* <http://www.guardianlife.com/> > > > > > > > From: James Rankin <[email protected]> > To: "NT System Admin Issues" <[email protected] > > > Date: 11/14/2012 08:39 AM > Subject: Re: GPO issue > ------------------------------ > > > > It definitely wasn't inherited. One thing I have noticed though if you add > the Authenticated Users group through the Security Filtering function you > get *Read* *and* *Apply GPO* permissions. If you add it through the > Delegation tab you can only apply Read permissions unless you go through > the Advanced tab. > > If you've explicitly removed Authenticated Users from the Security Filter > tab and add only GroupA and GroupB so that they are the groups receiving > the GPO, if someone adds the Authenticated Users back via Delegation and > gives them Read permissions, does that then apply the GPO to the > Authenticated Users group even though you've removed them from the Security > Filter? That's what I was trying to ask, but I think the fact I noticed > above about the Apply GPO permission may have answered that question for me > :-) > > On 14 November 2012 13:20, Christopher Bodnar <* > [email protected]* <[email protected]>> wrote: > You are correct, somehow the Authenticated Users was added to the > Delegation tab, unless it was inherited, but I doubt that. Does it say No > under the inherited column? > > Not sure what you mean by this: > * > "And does this mean that the groups defined in the Security Filtering > section will effectively be overridden? "* > > *Christopher Bodnar* > Enterprise Architect I, Corporate Office of Technology:Enterprise > Architecture and Engineering Services Tel *610-807-6459* <610-807-6459> > 3900 Burgess Place, Bethlehem, PA 18017 > [email protected] > * > > The Guardian Life Insurance Company of America** > ** > **www.guardianlife.com* <http://www.guardianlife.com/> > > > > > > From: James Rankin <*[email protected]* <[email protected]> > > > To: "NT System Admin Issues" <* > [email protected]*<[email protected]> > > > Date: 11/14/2012 07:11 AM > Subject: GPO issue > ------------------------------ > > > > > I have noticed that some GPOs in use here are Security Filtered to certain > AD groups, and Authenticated Users has been removed from the default > Security Filter. This is all very normal and good. > > However, switching to the Delegation tab of the GPO, I see Authenticated > Users listed with Read permission - but not with the "(from Security > Filtering)" suffix. This means that someone has specifically added > Authenticated Users to the Delegation tab, I think? And does this mean that > the groups defined in the Security Filtering section will effectively be > overridden? I just want to check I am correct before I go complaining :-) I > created a test GPO and it seems to indicate that I am correct, but I like > to double-check first > > Cheers, > > > > > -- * > James Rankin* > Technical Consultant (ACA, CCA, MCTS)* > **http://appsensebigot.blogspot.co.uk*<http://appsensebigot.blogspot.co.uk/> > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ > <*http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/*<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>> > ~ > > --- > To manage subscriptions click here: * > http://lyris.sunbelt-software.com/read/my_forums/*<http://lyris.sunbelt-software.com/read/my_forums/> > or send an email to > *[email protected]*<[email protected]> > with the body: unsubscribe ntsysadmin > > ----------------------------------------- This message, and any > attachments to it, may contain information that is privileged, > confidential, and exempt from disclosure under applicable law. If the > reader of this message is not the intended recipient, you are notified that > any use, dissemination, distribution, copying, or communication of this > message is strictly prohibited. If you have received this message in error, > please notify the sender immediately by return e-mail and delete the > message and any attachments. Thank you. > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ > <*http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/*<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>> > ~ > > --- > To manage subscriptions click here: * > http://lyris.sunbelt-software.com/read/my_forums/*<http://lyris.sunbelt-software.com/read/my_forums/> > or send an email to > *[email protected]*<[email protected]> > with the body: unsubscribe ntsysadmin > > > > > -- * > James Rankin* > Technical Consultant (ACA, CCA, MCTS)* > **http://appsensebigot.blogspot.co.uk*<http://appsensebigot.blogspot.co.uk/> > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ > <*http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/*<http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>> > ~ > > --- > To manage subscriptions click here: * > http://lyris.sunbelt-software.com/read/my_forums/*<http://lyris.sunbelt-software.com/read/my_forums/> > or send an email to > *[email protected]*<[email protected]> > with the body: unsubscribe ntsysadmin > > ----------------------------------------- This message, and any > attachments to it, may contain information that is privileged, > confidential, and exempt from disclosure under applicable law. If the > reader of this message is not the intended recipient, you are notified that > any use, dissemination, distribution, copying, or communication of this > message is strictly prohibited. If you have received this message in error, > please notify the sender immediately by return e-mail and delete the > message and any attachments. Thank you. > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > -- *James Rankin* Technical Consultant (ACA, CCA, MCTS) http://appsensebigot.blogspot.co.uk ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
<<image/jpeg>>
<<image/jpeg>>
