
Here's the scenario: A GPO is linked to an OU to enable, for example, a UAC setting. However, since certain systems require UAC to be disabled, there is a GPO that disables these settings. This GPO is linked to a security group. Those systems are members of that security group and will still be placed in the OU with the "enabled" settings GPO for UAC.

So which GPO is the winner?

According to my tests, the GPO linked to the OU before the security group always wins. Is there any solution for this problem?

Tom
  • That's what precedence is for. It also depends on whether the GPO is marked as enforced if it's linked at a higher level. – Greg Askew Jul 01 '21 at 10:06

2 Answers

As long as your GPO is not linked to any OU it will not have any effect.

In your case you could do the following:

Link both Disabling-GPO and Enabling-GPO to the same OU. In the Delegation of Enabling-GPO, allow Read/Apply to, for example, Authenticated Users. In the Delegation of Disabling-GPO, allow Read/Apply only to your security group. Watch the Link Order, as Disabling-GPO needs to have the lower number (precedence).

What happens with this for members of the security group: Enabling-GPO is applied first and afterwards Disabling-GPO, leaving the setting disabled.

If your setting is, for example, a registry key in Preferences, you could also use Item-Level Targeting by security group.

Manu
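The procedure in the answer above (link both GPOs to one OU, narrow the disabling GPO with security filtering, and put it first in the link order), as an added PowerShell example that is not part of the original answer. The OU distinguished name, the GPO names "Enable-UAC" and "Disable-UAC", and the group "UAC-Exempt-Computers" are assumed placeholders; the cmdlets are from the GroupPolicy RSAT module and need rights to edit both GPOs and to link at the OU.

```powershell
# Added example, not from the original post. Names below are assumptions:
# OU, GPO display names and the exempt security group are placeholders.
# Requires the GroupPolicy module (RSAT) and GPO edit / OU link rights.
Import-Module GroupPolicy

$ou      = 'OU=Workstations,DC=corp,DC=example'  # hypothetical OU holding all the computers
$enable  = 'Enable-UAC'                          # GPO that turns UAC on for everyone in the OU
$disable = 'Disable-UAC'                         # GPO that turns UAC off for the exempt systems
$group   = 'UAC-Exempt-Computers'                # hypothetical group; exempt computer accounts are members

# 1. Link both GPOs to the same OU. A GPO that is linked nowhere has no effect,
#    regardless of its security filtering.
$links = (Get-GPInheritance -Target $ou).GpoLinks
foreach ($gpo in $enable, $disable) {
    if (-not ($links | Where-Object { $_.DisplayName -eq $gpo })) {
        New-GPLink -Name $gpo -Target $ou -LinkEnabled Yes | Out-Null
    }
}

# 2. Security filtering.
#    Enable-UAC keeps the default: Authenticated Users has Read + Apply, so every
#    computer in the OU processes it.
#    Disable-UAC: drop Authenticated Users to Read only (do not remove Read entirely;
#    since MS16-072 the computer account must be able to read every GPO it evaluates)
#    and grant Apply only to the exempt group.
Set-GPPermission -Name $disable -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $disable -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Link order. A lower number is higher precedence and is applied LAST, so the
#    disabling GPO must sit at order 1 to overwrite the enabling GPO for group members.
#    (Adjust the numbers if the OU already has other links.)
Set-GPLink -Name $disable -Target $ou -Order 1 | Out-Null
Set-GPLink -Name $enable  -Target $ou -Order 2 | Out-Null

# 4. Verify the effective order on the OU. Also check for Enforced links at the
#    domain or a parent OU: an enforced higher-level link wins over both of these.
(Get-GPInheritance -Target $ou).GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 5. On an exempt computer, confirm the outcome rather than trusting the design:
#    gpupdate /target:computer /force
#    gpresult /r /scope computer            # Disable-UAC should be listed as applied
#    Get-GPResultantSetOfPolicy -ReportType Html -Path C:\temp\rsop.html
#    The UAC policy "Run all administrators in Admin Approval Mode" lands in:
#    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA
#    EnableLUA = 0 on an exempt machine, 1 on any other machine in the OU.
```

Step 5 is the check that matters: on a non-member machine the group-filtered GPO must show up under "filtered out (security)" in gpresult, and on a member it must be listed as applied after Enable-UAC. If the setting still reads 1 on a member, look for an Enforced link higher in the tree or a link on a child OU, both of which take precedence over the ordering set here.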

The solution is to enforce the linked GPO. It will only be applied to the objects in the specific security group via security group filtering at the GPO.

Tom