none
The following GPOs were not applied because they were filtered out - Filtering: Denied (Security)

    Question

  • Hi Folks,

    I'm getting this error when I run gpresult /r.

    History of the policy:

    I've created a group policy (under Computer Configuration) to create schedule tasks on our domain computers.

    The policy is applied to workstation OU (where there are about 150 computers) but this policy needs to be applied ONLY to the computers that specific member of Global Security Group is logged into it.

    I applied the Security Filtering by adding that Security Group and removing the Authenticated Users, then from Delegation tab, added Authenticated users to Read the policy.

    How do I go about applying this policy correctly?

    Thank you.

    Sam.

    Wednesday, August 03, 2016 4:58 AM

Answers

All replies

  • Hi Sam,
    Please check if MS16-072 was installed recently on DC or clients. If that is the case, to resolve this issue, you could use the GPMC to add the Authenticated Users group with Read Permissions on GPO. If you are using security filtering, please add the Domain Computers group with read permission.
    You could see more details from:
    Deploying Group Policy Security Update MS16-072 \ KB3163622
    https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
    MS16-072: Security update for Group Policy: June 14, 2016
    https://support.microsoft.com/en-sg/kb/3163622
    In addition, please make sure that the problematic client are located in the correct group which you have set in security filtering.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, August 03, 2016 8:31 AM
    Moderator
  • You should go to --> Run-> MMC-> Add- Group policy managment console->

    Also remember to link your policy with that folder or OU you have created.


    Regards, Ravi Kumar

    Wednesday, August 03, 2016 8:35 AM
  • > computers) but this policy needs to be applied ONLY to the computers
    > that specific member of Global Security Group is logged into it.
     
    You cannot filter Computer GPOs based on user group membership...
     
    Computers evaluate their GPOs when there's no user logged on, so this
    cannot work at all. In addition, the computer is not a member of the
    user security group and thus cannot apply the GPO.
     
    Wednesday, August 03, 2016 2:10 PM
  • I know that if I don't apply security filtering (and leave authenticated users as default group) the GPO will apply to all computers but how to properly apply the GPO to security group?

    Friday, August 05, 2016 12:36 AM
  • Please check this if that can help.

    https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx?mfr=true


    Regards, Ravi Kumar


    Friday, August 05, 2016 7:34 AM
  • Please check this if that can help.

    https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx?mfr=true


    Regards, Ravi Kumar


    Thanks Ravi,

    I've looked at that before but it's not the issue in my case.

    Let me elaborate the issue:

    1- I have a Security Group (Group1) with number of users

    2- I have a OU that includes domain computers

    3- I have created a computer-based GPO that should ONLY apply to the users that are member of the Group1

    4- I linked the GPO to the computers OU

    5- Under the GPO scope, I applied the security filtering to Group1

    When Group1 members log into their computers. gpresult /r shows the GPO is denied. Filtering:  Denied (Security)

    Now the question is, how to properly apply the GPO?

    A- Link the GPO to the Security Group OU

    B- Change the GPO from Computer Configuration to User Configuration 

    Remember that Computers are not member of Group1.

    Thanks.

    Monday, August 08, 2016 6:05 AM
  • Hi,
    Please check if Group Policy loopback mode works for you.
    Group Policy loopback is a computer configuration setting that enables different Group Policy user settings to apply based upon the computer from which logon occurs.
    You could see more details from:
    Circle Back to Loopback
    https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/
    Windows Server: Understand “User Group Policy Loopback Processing Mode”
    https://social.technet.microsoft.com/wiki/contents/articles/2548.windows-server-understand-user-group-policy-loopback-processing-mode.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 16, 2016 1:42 AM
    Moderator