[Solved] Authenticated users permission on auto created OUs


Hi there

We have only used Cloudpanel and our hosted system for email before. We are now looking into using it to host users on XenApp. I set up some GPOs with user settings and applied them to the OU containing the XenApp 7 servers, I also set up a loopback policy.

When I logged on with some test users I noticed that the GPOs weren’t applying. I looked in the event logs and found:

The processing of Group Policy failed. Windows could not locate the directory object “NAME OF THE OU CONTAINING THE TEST USER”

The OU was one that CloudPanel created based on the companyID. I did some digging and found that it was because Authenticated Users didn’t have read access on that OU. I ticked it on and now the GPOs work fine.

My questions are, will allowing Authenticated users Read access to the OU cause any problem or expose data that shouldn’t be exposed? I couldn’t think of a reason why it would but not 100%. Also, related question – is there a reason CloudPanel creates the OUs with those permissions on them? It looks like all of the OUs that CP has created are missing that permission, Authenticated Users is in the list of permissions entries but doesn’t actually have any permissions at all if you check them (special permissions is ticked but nothing is ticked when you drill down further).

Many thanks in advance

Ollie

1 Answer

Allowing Authenticated Users can expose data (read only), which is why we remove it and add the AllUsers@ group to the organizational unit.

My guess is you are moving the computer object for those tenants to their own OU and this is when it occurs. GPO needs to be able to read from the location of the object and down the hierarchy.

To resolve this issue, simply add the computer object to the AllUsers@ security group for that company and you should be good to go (or you can manually add the computer object to the company organizational unit security permissions to have READ access).
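
One way to check the OU permissions and apply the group-membership fix described in the answer above, as an added PowerShell example that is not part of the original thread or CloudPanel's own code. The OU path, group name and server name are placeholders, and the ActiveDirectory RSAT module is assumed to be installed.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$ouDn      = 'OU=<companyID>,OU=<hosting OU>,DC=example,DC=local'  # tenant OU (placeholder)
$groupName = '<tenant AllUsers@ group>'                            # tenant group (placeholder)
$computer  = '<XenApp server name>'                                # moved server (placeholder)

# "Read" in the ACL editor corresponds to the GenericRead rights set.
$readRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$pattern    = 'Authenticated Users|' + [regex]::Escape($groupName)

# 1. Audit: which of the two principals really hold read rights on the OU?
#    An entry can be listed in the ACL and still grant nothing useful.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.Access |
    Where-Object { "$($_.IdentityReference)" -match $pattern } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited,
        @{ Name = 'HasRead'
           Expression = { ($_.ActiveDirectoryRights -band $readRights) -eq $readRights } } |
    Format-Table -AutoSize

# 2. Fix: give the server read access through the tenant group instead of
#    re-enabling Authenticated Users on the OU.
$comp    = Get-ADComputer -Identity $computer
$members = Get-ADGroupMember -Identity $groupName -Recursive

if ($members.DistinguishedName -contains $comp.DistinguishedName) {
    Write-Output "$($comp.Name) is already a member of $groupName"
}
else {
    # -WhatIf only reports the change; remove it to actually add the member.
    Add-ADGroupMember -Identity $groupName -Members $comp -WhatIf
}
```

Drop `-WhatIf` once the audit output looks right; the server picks up the new group membership at its next restart.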
