I added a Group Policy to the AD domain, and it simply would not take effect no matter what I tried. Yet if I put the built-in Authenticated Users group in the security filtering, it worked.
The requirement, though, was not to apply it to every user but only to the members of one specific security group. So I turned to Google, and eventually found the cause and the fix:
"MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context. This issue is applicable for the following KB articles"
The symptom looked like this:
I created a GPO named Desktop & My Documents Restriction, shown in the screenshot below, scoped so that it applies only to the members of the user security group the red arrow points to.
Refreshed Group Policy with the command
gpupdate
After the update succeeded, checked the result with
gpresult /r
Oh no, it showed
<Group Policy Name>
Filtering: Not Applied (Unknown Reason)
Unknown reason, not applied!
The fix is simple too:
For filtering that targets users and user groups, open the GPO's Delegation tab, click Add, add the Authenticated Users group, and set its permission to Read.
For filtering that targets computers, do the same: add the Domain Computers group and set its permission to Read.
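The same fix can be checked and applied from PowerShell instead of the Delegation tab. The script below is an added example, not part of the original post: it uses the GroupPolicy RSAT module (Get-GPO, Get-GPPermission, Set-GPPermission) to audit one GPO for the read permission that MS16-072 requires and, with -Fix, grant it. The GPO name and the two group names come from the post; the function name, parameters and output strings are assumptions made for this example. Note that Authenticated Users and Domain Computers only get Read (GpoRead), never Apply: the Apply permission stays on the target security group, which is what keeps the GPO scoped to that group.

```powershell
# Added example (not from the original post). Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

function Test-GpoReadDelegation {
    param(
        # GPO name taken from the post; any GPO name works here
        [string]$GpoName = 'Desktop & My Documents Restriction',
        # Groups that must be able to READ the GPO after MS16-072:
        # Authenticated Users covers the user-settings retrieval done in the computer's context,
        # Domain Computers covers GPOs whose computer settings are security-filtered.
        [string[]]$RequiredReaders = @('Authenticated Users', 'Domain Computers'),
        # Without -Fix the function only reports; with -Fix it grants the missing Read right.
        [switch]$Fix
    )

    $gpo = Get-GPO -Name $GpoName
    $acl = Get-GPPermission -Guid $gpo.Id -All

    # Any of these levels includes the right to read the GPO.
    $levelsThatCanRead = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($principal in $RequiredReaders) {
        $entry = $acl | Where-Object { $_.Trustee.Name -eq $principal -and -not $_.Denied }

        if ($entry -and ($entry.Permission -in $levelsThatCanRead)) {
            "{0}: {1} has {2} - OK" -f $GpoName, $principal, $entry.Permission
            continue
        }

        # This is the state that produces 'Filtering: Not Applied (Unknown Reason)' in gpresult /r
        "{0}: {1} cannot read the GPO - user settings will not apply" -f $GpoName, $principal

        if ($Fix) {
            # GpoRead only: granting GpoApply to Authenticated Users would apply the GPO to everyone
            Set-GPPermission -Guid $gpo.Id -TargetName $principal -TargetType Group `
                -PermissionLevel GpoRead | Out-Null
            "  -> granted Read to {0}" -f $principal
        }
    }
}

# Report only:
Test-GpoReadDelegation
# Report and repair, then refresh and re-check on a client:
#   Test-GpoReadDelegation -Fix
#   gpupdate /force ; gpresult /r
```

Run it first without -Fix to see which of the two groups is missing, and re-run gpresult /r on a client afterwards: the "Not Applied (Unknown Reason)" line for the GPO should be gone once the Read right is in place.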
达叔傻乐(darwin.zuo@163.com)