(In exploratory mode: not sure what is the right question to ask, and how to ask it. Also, new to AD GPOs: please forgive lack of clarity in the question.)

Question: how do I assign an Active Directory GPO to a specific computer, or a set of computers, through which mechanism?

(Easy-to-follow, concrete steps or examples, please? Do not answer with "use ABC mechanism" one-liners, please.)

Goal(s):

  • set up a GPO that disables Windows Defender on target computers
    • why: there's another antimalware agent running and there seems to be a severe resource contention between Windows Defender and that agent, and that other vendor recommends disabling Defender (but doesn't say how, exactly). Also, apparently Windows Server (unlike Windows 10 or 11) doesn't allow you to manage multiple security providers through the Windows Security app, does not disable Windows Defender when another security provider is installed, and does not allow that other provider to disable Defender
  • assign that GPO to maybe one AD computer to start with, confirm the policy is working as expected, then roll it out to more computers

Note(s):

  • the computer(s) in question are all Windows Server editions
  • ... and are domain-joined (AD)

What I tried:

  • Created security group "Defender Disabled" in AD, and added a target computer to it as a member
  • in Group Policy Management on a DC:

This is where I got stuck:

  • What is the best practice in assigning a GPO to a set of computers?
  • How can I confirm a given GPO was indeed applied to those computers? (E.g. in case of Windows Defender and disabling it through a GPO, what are the symptoms of the desired configuration change taking effect on the target computer?)

P.S. I am about 6-8 hours into this, and have 30+ tabs open after doing 10+ relevant searches and reading through a bunch of articles including "Why can't we link GPO to an AD container?", "Use Group Policy settings to configure and manage Microsoft Defender Antivirus", and more. It's probably on me that it's this challenging - yet I am hoping I am not the only one in this boat.

Thank you!

kindzmarauli

1 Answer

You're on the right track using security group filtering to apply a GPO to specific computers. This is the most effective way.

I noticed in your process you left out the step of linking your new GPO to an OU that contains your target computer.

Another thing to note when working with security group filtered policies is they won't apply until the group member has refreshed their Kerberos token, which normally requires a reboot for computers and logging off/on for users.

To properly apply a security group filtered policy you should check the following:

  1. The group contains the correct user/computer principal you are trying to apply the policy to.
  2. The security group has the 'apply policy' permission on the GPO, and 'apply policy' is disabled for 'Authenticated Users'.
  3. The GPO is linked to an OU the user/computer is within (does not need to be the direct OU, just one above them).
  4. GPO inheritance is not being blocked on any OUs between the user and the OU the GPO is linked to.
  5. The GPO user and/or computer setting is enabled, depending on which settings are being applied. Settings from the user policy must be applied to user principals and settings from computer policy to computer principals.
  6. The GPO setting is not in conflict with the same setting configured in another GPO which has a higher precedence.

Once you have confirmed all of those steps, you can use rsop.msc on the target computer to confirm the applied setting. Right-click on Computer or User Configuration and select Properties to see a full list of policies and their application status. You should see your new policy in there once it is linked to the OU.

twconnell
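As an added example (not from the question or the answer), a PowerShell script that walks the six checks in the answer against one computer and then reads back Defender's state with Get-MpComputerStatus. The GPO name and computer name are assumed placeholders; the group name is the one from the question.

```powershell
# Added example, not from the question or the answer above: walks the answer's
# checklist for one computer, then checks what Defender reports after a reboot.
# Assumed names: the GPO and computer below are placeholders; the group name is
# the one from the question. Run from a DC or a host with RSAT (GroupPolicy,
# ActiveDirectory) as a user who can read GPO permissions and remote to the target.
param(
    [string]$GpoName      = 'Disable Windows Defender',   # assumed GPO name
    [string]$GroupName    = 'Defender Disabled',          # group from the question
    [string]$ComputerName = 'SRV01'                        # assumed target computer
)
Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

# 1. The computer object must be a (possibly nested) member of the filtering group.
$members = Get-ADGroupMember -Identity $GroupName -Recursive
"[1] $ComputerName in '$GroupName': $($members.name -contains $ComputerName)"

# 2. The group needs 'Apply Group Policy'; Authenticated Users must NOT have it,
#    but must keep Read (GpoRead) or the computer cannot fetch the GPO at all.
$perms = Get-GPPermission -Name $GpoName -All
$has = { param($who, $perm) [bool]($perms | Where-Object { $_.Trustee.Name -eq $who -and $_.Permission -eq $perm }) }
"[2] '$GroupName' GpoApply: $(& $has $GroupName 'GpoApply'); " +
"Authenticated Users GpoApply: $(& $has 'Authenticated Users' 'GpoApply'), GpoRead: $(& $has 'Authenticated Users' 'GpoRead')"

# 3/4. The GPO must be linked (and enabled) on the computer's OU or one above it,
#      with no OU in between blocking inheritance. The default 'CN=Computers' is a
#      container, not an OU, so nothing can be linked there.
$computer = Get-ADComputer -Identity $ComputerName
$path = ($computer.DistinguishedName -split ',', 2)[1]          # parent of the computer object
if ($path -match '^CN=') {
    "[3] $ComputerName sits in container '$path': move it into an OU or link at the domain root"
    $path = ($path -split ',', 2)[1]
}
$linked = $false; $blocked = @()
do {
    $inh = Get-GPInheritance -Target $path
    if ($inh.GpoInheritanceBlocked) { $blocked += $path }
    if ($inh.GpoLinks | Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }) { $linked = $true }
    $isOu = $path -match '^OU='
    $path = ($path -split ',', 2)[1]                             # climb one level, ending at the domain
} while ($isOu)
"[3] linked and enabled somewhere on the OU chain: $linked"
"[4] OUs blocking inheritance: $(if ($blocked) { $blocked -join '; ' } else { 'none' })"

# 5. Defender settings live under Computer Configuration, so that half must be enabled.
"[5] GpoStatus: $((Get-GPO -Name $GpoName).GpoStatus)   (want AllSettingsEnabled or UserSettingsDisabled)"

# 6. Resultant Set of Policy (the scripted form of rsop.msc) shows which GPO won each setting.
Get-GPResultantSetOfPolicy -Computer $ComputerName -ReportType Html -Path "$env:TEMP\rsop-$ComputerName.html" | Out-Null
"[6] RSoP report written to $env:TEMP\rsop-$ComputerName.html; look for $GpoName under Computer Configuration"

# Symptom check on the target after its reboot: once the policy lands, these values change.
Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    Get-MpComputerStatus | Select-Object AMRunningMode, AntivirusEnabled, RealTimeProtectionEnabled
}
```

Run it before and after the target's reboot; the first run should show the checklist green and the last block unchanged, the second run should show Defender's AntivirusEnabled and RealTimeProtectionEnabled flipped.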