none
Unable to apply policy Windows 2008

    Question

  • Hi folks,

    I'll admit up front that this is my first time working with Group Policy and hopefully something simple is missed.

    • Windows 2008 R2
    • I have a universal security group that contains a specific set of laptops
    • I have an OU for a set of computers
    • I have a GPO linked to the OU set to Force a specific visual style and Prevent changing theme (settings are enabled)
    • I have a WMI Filter and have added the Security Group to it with permissions of full control
    • The GPO is set to Enforced

    When I run Group Policy Modeling on the server, I get the following:

    Setting: Security Filtering with the Security Group for the laptops, delegation with Full control (verified read and apply are checked)

    Result: Computer config summary | GPO | Denied gpo | Access Denied (security filtering)

    Result: User config summary | GPO | Denied gpo | Access Denied (security filtering)

    Setting: If I add Authenticated Users and give it read and apply

    Result: Computer config summary | GPO | Denied gpo | Empty

    Result: User config summary | GPO | Applied GPO

    I'm stumped at this point and would appreciate any pointers to what I should look at next.

    Thanks

    Ben

    Monday, March 03, 2014 9:30 PM

Answers

  • Hi If you just want the Gpo to apply to your security group you shouldn't need a WMi filter. You just need to remove authenticated users from the permissions of your Gpo and add the security group to it with read and apply. Also I can't remember now, but is the setting you are applying not a user based setting rather than computer based. If this is the case then you either need to apply the policy to users rather then computers ou and add the users to the group, or you need to enable loop back processing under computer configuration, admin templates, system, group,policy. Set it to merge. You would also need to add your users to the security group,or add domain users group,to it.

    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Blog: http://www.windows-support.co.uk  Twitter:   LinkedIn:

    Monday, March 03, 2014 10:29 PM

All replies

  • Hi If you just want the Gpo to apply to your security group you shouldn't need a WMi filter. You just need to remove authenticated users from the permissions of your Gpo and add the security group to it with read and apply. Also I can't remember now, but is the setting you are applying not a user based setting rather than computer based. If this is the case then you either need to apply the policy to users rather then computers ou and add the users to the group, or you need to enable loop back processing under computer configuration, admin templates, system, group,policy. Set it to merge. You would also need to add your users to the security group,or add domain users group,to it.

    Regards,

    Denis Cooper

    MCITP EA - MCT

    Help keep the forums tidy, if this has helped please mark it as an answer

    Blog: http://www.windows-support.co.uk  Twitter:   LinkedIn:

    Monday, March 03, 2014 10:29 PM
  • "You just need to remove authenticated users from the permissions of your Gpo and add the security group to it with read and apply."

    I didn't have luck without authenticated users and i think this is because all computers are considered authenticated users.

    "applying not a user based setting rather than computer based. "

    You are correct and i have changed approach to add a registry key which was successfully applied via Group Policy.


    Thanks Ben

    Monday, March 03, 2014 11:43 PM