Group Policy Objects (GPOs) are not just for OUs any more. Not many GPOs are better off applying exclusively to Active Directory groups, but there are a few. The main use of GPOs filtered to Active Directory security groups is to create exceptions to group policy, but a handful make sense to apply to security groups, provided you keep those security groups accurate (and by accurate, I mean dynamic).
Filtering a GPO to a security group is not difficult. There are some tricks to doing it correctly, such as removing “Authenticated Users” from the GPO, but Windows Server 2008 has made even this simpler.
Since most GPOs are applied to computer objects rather than user objects, this limits what you can do with self-service, so you need to be able to manage the group membership of computers. Computer objects have few attributes you can query against, which limits which GPOs you can automate this way. The good news is that there is a location attribute, and that you can control a lot with good computer naming conventions.
Once you have the means to dynamically manage AD security groups, you can get to creating these GPOs:
- IE settings by location or department — this is a security group of users based on department or location. Set the proxy server, or the ability to manage sites, differently for different departments. For example, IE settings are probably stricter for a call center than for marketing.
- Set desktop preferences by department — again a security group of users based on department. For example, if you want a shortcut to a resource or application for specific departments, this is the way to do it.
- Specify which applications are available to users when they log on — a security group of users based on department. You can either advertise or install the application in this scenario; the important part is that you control who gets what: for example, sales gets PowerPoint, accounting gets QuickBooks, and engineering gets VSTS 2010.
- Install software for a limited test deployment — this is a security group of computers and is difficult to manage dynamically. When we rolled out prototype software for internal testing, we did not want it to go out to the entire staff, so we created a security group of just the test computers and installed it there. This is a good interim step between lab and production.
- Any GPO that applies to telecommuting vs. in-office use — these are security groups of computers. We use a naming convention where all laptops start with LT- and all desktops start with PC-, which lets us easily create dynamic security groups. This way we can have different group policy for mobile vs. stationary computers. You can also create dynamic security groups based on location (an actual attribute of computer objects!) and apply different GPOs to one-off locations vs. office locations.
The key to all of this is keeping these Active Directory groups accurate. Otherwise, a user who moves departments or locations will get the wrong software and the wrong preferences. Worse yet, unless the security group is dynamically managed, a new user or new computer won’t show up in it automatically, leading to more work for you!
Use the security group filtering on group policy objects but make sure you automate the security groups dynamically!
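As an added example (not code from the original post or from GroupID), the following PowerShell keeps a computer security group in sync with a directory query built on the LT- naming convention and the location attribute described above, then filters a GPO to that group. The group names, GPO name and location value are assumed; the ActiveDirectory and GroupPolicy modules must be installed.

```powershell
# Added example, not from the original post. Group, GPO and location values are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Sync-DynamicComputerGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupName,   # e.g. 'GPO-Laptops' (assumed name)
        [Parameter(Mandatory)][string]$Filter,      # Get-ADComputer -Filter syntax
        [string]$SearchBase                          # optional OU to scope the query
    )
    $query = @{ Filter = $Filter; Properties = 'Location' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    # Desired membership is derived from the directory, not from a hand-maintained list.
    $desired = @(Get-ADComputer @query | Select-Object -ExpandProperty DistinguishedName)
    $current = @(Get-ADGroupMember -Identity $GroupName |
                 Where-Object objectClass -eq 'computer' |
                 Select-Object -ExpandProperty distinguishedName)

    # Diff by distinguished name so renamed or moved computers are handled on the next run.
    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) computer(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) computer(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# Laptops follow the LT- prefix from the post; a branch office is selected by the location
# attribute. Run with -WhatIf first to review the membership churn before committing it.
Sync-DynamicComputerGroup -GroupName 'GPO-Laptops'   -Filter 'Name -like "LT-*"'
Sync-DynamicComputerGroup -GroupName 'GPO-BranchPCs' -Filter 'Location -eq "Branch Office"'

# Security filtering: only members of the group apply the GPO. Authenticated Users is
# reduced to Read rather than removed, because computers must still be able to read the
# GPO for it to be processed at all (required since the MS16-072 change to policy retrieval).
$gpo = 'Laptop-VPN-Settings'   # assumed GPO name
Set-GPPermission -Name $gpo -TargetName 'GPO-Laptops' -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace
```

Schedule the sync function to run regularly so new computers that match the convention pick up the policy without anyone editing the group by hand.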
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.