2

Have a quick question. I work in a large company and I've always been told that if a user needs, let's say, access to his emails on the phone, he has to be a member of a specific group (apart from activating ActiveSync in the Exchange console, of course), or if a user needs specific internet browsing permissions he has to be a member of another group, or whatever resource or permission the user needs, there is a group for it.

So I have also been looking at the GPOs, but I don't see any relationship between GPOs and the groups, so how do they actually make the members of a specific group have access to what they want the user to have access to?

Yourdaman
  • 23
  • 3

4 Answers

0

There isn't really a relationship between groups and group policies. In retrospect, "group policies" probably was not the best choice of name. Group policies are a mechanism to centrally manage settings and security policies that need to be applied to users and computers. Granting access to a resource is something where it is usually preferred to do so for a group: in case there are other people who may need this, they only need to be added to the group, and that activity of requesting membership in a group is much simpler from an auditing and compliance perspective.

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
0

GPOs contain settings that apply to users and computers. You can apply settings that affect things like Internet access etc. Groups can be used to filter the GPOs. In order for a GPO to apply to your user account or computer account, the user or computer will need both the Read and Apply Group Policy permissions. If you deny either of these then the GPO will not apply. If you grant both of these permissions then the GPO will apply as long as it is linked to the OU (or linked to a parent OU / the domain).

What we can do is use groups to filter the GPOs. Let's say you want to grant a level of internet access to a set of users: you can create the GPO, create a group called something like G_InternetAccess, then make sure that the group has both Read and Apply permissions. Link the group to the OUs that contain your users and it will work. Alternatively, if you have a set of people whom you do not want the GPO applied to, make sure they don't have the Read and Apply permissions.

Just be aware that the default permissions for any new GPO are Authenticated Users Read and Apply, so by default GPOs apply to all users and computers when they are linked to an OU or domain.

To edit permissions for the GPO, go to its Delegation tab, click Advanced and you can see all the permissions currently listed.

Michael Brown
  • 3,254
  • 2
  • 11
  • 11
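The security filtering described in this answer, as an added PowerShell example (not the answerer's own code, and not from any vendor documentation). It uses the RSAT GroupPolicy and ActiveDirectory modules; the GPO name, the group G_InternetAccess and the OU distinguished name are assumed placeholders. It also reduces Authenticated Users from Apply to Read rather than removing it, because since the MS16-072 update (June 2016) computer accounts must be able to read user-side GPOs for them to be processed at all.

```powershell
# Added example: restrict a GPO to one security group via Read + Apply Group Policy.
# Assumed placeholders: GPO name, group name, target OU. Run as a GPO-editing admin
# on a domain-joined host with RSAT installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Internet Access - Extended'      # assumed
$GroupName = 'G_InternetAccess'                # assumed (name used in the answer above)
$TargetOU  = 'OU=Staff,DC=corp,DC=example'     # assumed

# 1. Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# 2. Grant the group Apply Group Policy (GpoApply implies Read).
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Lower Authenticated Users from the default Read + Apply to Read only.
#    -Replace is required, otherwise an existing higher level is kept.
#    Keep Read: computer accounts need it to process user-side GPOs (MS16-072).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Link the GPO to the OU that holds the users. The link sets the scope by location;
#    the ACL above decides who inside that scope actually applies it.
$alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 5. Print the resulting ACL so the change can be reviewed (same data as the
#    Delegation tab in GPMC).
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, TrusteeType, Permission |
    Format-Table -AutoSize
```

After step 5 the listing should show G_InternetAccess with GpoApply and Authenticated Users with GpoRead only; a user in the OU who is not in the group still reads the GPO but does not apply it. Explicit Deny entries, which the answer mentions as the other way to exclude people, are not set by this cmdlet and have to be added from the Advanced dialog.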
-1

Group policies apply to container structures (organizational units). Users and computers that are members of the OU will get that policy applied.

Jim B
  • 24,081
  • 4
  • 36
  • 60
  • If a group is a member of an OU, and a GPO is linked to that OU, members of the group will not have the GPO applied. The group might contain users that are in a different OU, for example. These users would not have the GPO applied in your example. The GPO will (by default) only apply to the users and computers inside the OU, not the group's members. – Michael Brown Mar 31 '17 at 09:06
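The distinction made in this answer and its comment (an OU link sets scope by the object's location; group membership on its own puts nobody in scope) is easy to get wrong, so here is an added PowerShell function that computes which user accounts will actually receive a GPO: those located under the linked OU and covered by the GPO's Apply Group Policy entries. It is not code from the page's authors; it assumes the RSAT GroupPolicy and ActiveDirectory modules, and the GPO name and OU in the call are placeholders.

```powershell
# Added example: list the users that will really get a GPO = (located under the
# linked OU) AND (granted Apply Group Policy, directly or via a group).
# Assumed: RSAT modules present; GPO name and OU below are placeholders.
# Simplifications: Block Inheritance, Enforced links, loopback processing, WMI filters
# and explicit Deny ACEs (set from the Advanced dialog) are not evaluated.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoEffectiveUsers {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$LinkedOU   # DN of the OU the GPO is linked to
    )

    # 1. Scope by location: every user under the linked OU (child OUs inherit the link).
    $inScope = Get-ADUser -Filter * -SearchBase $LinkedOU -SearchScope Subtree

    # 2. Security filtering: trustees that hold Apply Group Policy on this GPO.
    $applyEntries = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' }

    $allowedSids       = [System.Collections.Generic.HashSet[string]]::new()
    $appliesToEveryone = $false
    foreach ($entry in $applyEntries) {
        switch ($entry.TrusteeType) {
            'WellKnownGroup' {
                if ($entry.Trustee.Name -in @('Authenticated Users', 'Everyone')) {
                    $appliesToEveryone = $true
                }
            }
            'Group' {
                # Nested membership counts for GPO filtering, so expand recursively.
                Get-ADGroupMember -Identity $entry.Trustee.Sid.Value -Recursive |
                    ForEach-Object { [void]$allowedSids.Add($_.SID.Value) }
            }
            'User' { [void]$allowedSids.Add($entry.Trustee.Sid.Value) }
        }
    }

    # 3. Intersect the two sets. A group member who lives outside the OU never
    #    appears here, which is the situation described in the comment above.
    $inScope |
        Where-Object { $appliesToEveryone -or $allowedSids.Contains($_.SID.Value) } |
        Select-Object SamAccountName, DistinguishedName
}

# Example call with placeholder names:
Get-GpoEffectiveUsers -GpoName 'Internet Access - Extended' `
                      -LinkedOU 'OU=Staff,DC=corp,DC=example' |
    Format-Table -AutoSize
```

For a single account, `gpresult /r /user <name>` on a machine the user logs on to gives the authoritative answer, including the filters this function skips; the function is useful when reviewing who a filtered GPO reaches before it is linked.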
-1

You don't need extra memberships or GPOs. Mailbox owners by default can access their mailbox through ActiveSync. What you need is a direct connection to a Client Access server via port 443.

To check if a device has connected, type

Get-MobileDevice

in Exchange Management Shell.

Depending on your Exchange configuration you might need to unlock the newly added device from quarantine.
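An added Exchange Management Shell walkthrough of the checks this answer refers to (ActiveSync enabled on the mailbox, the organisation's quarantine default, the partnered devices and their access state, and releasing one quarantined device). This is not the answerer's code; the mailbox address and device ID are placeholders, and the cmdlets are those of Exchange 2013 and later, where Get-MobileDevice exists.

```powershell
# Added example: review a mailbox's ActiveSync state and release one quarantined device.
# Assumed placeholders: mailbox address and device ID. Run in the Exchange Management Shell.
$Mailbox         = 'alice@corp.example'        # assumed
$DeviceToRelease = 'PLACEHOLDER_DEVICE_ID'     # assumed; take it from the listing below

# 1. Is ActiveSync enabled for this mailbox? (On by default, as the answer says.)
Get-CASMailbox -Identity $Mailbox | Select-Object Name, ActiveSyncEnabled

# 2. What happens to a device the organisation has never seen? Quarantine means
#    it waits for an admin; Allow means it syncs immediately; Block rejects it.
Get-ActiveSyncOrganizationSettings | Select-Object DefaultAccessLevel, AdminMailRecipients

# 3. Devices that have partnered with the mailbox, with their access state and the
#    reason for it (global default, device access rule, or per-mailbox list).
Get-MobileDevice -Mailbox $Mailbox |
    Select-Object DeviceId, DeviceType, DeviceModel, DeviceAccessState,
                  DeviceAccessStateReason, FirstSyncTime |
    Format-Table -AutoSize

# 4. Sync history per device; a device that connected but never finished a sync
#    has no LastSuccessSync, which is worth knowing before releasing it.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceId, LastSuccessSync, LastSyncAttemptTime, Status |
    Format-Table -AutoSize

# 5. Release exactly one quarantined device, after the mailbox owner has confirmed
#    it is theirs. The per-mailbox allow list overrides the organisation default.
$device = Get-MobileDevice -Mailbox $Mailbox |
    Where-Object { $_.DeviceId -eq $DeviceToRelease -and $_.DeviceAccessState -eq 'Quarantined' }
if ($device) {
    Set-CASMailbox -Identity $Mailbox -ActiveSyncAllowedDeviceIDs @{ Add = $device.DeviceId }
    Write-Output "Released $($device.DeviceId) for $Mailbox"
} else {
    Write-Output "No quarantined device with ID $DeviceToRelease on $Mailbox"
}
```

Releasing by per-mailbox allow list keeps the organisation-wide quarantine default in place for any other new device, which is why the example targets one device ID rather than looping over everything in quarantine.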