none
GPO not applying: Access Denied (Security Filtering)

    Question

  • Windows Server 2012 R2 Domain with users logging into a Windows Server 2008 R2 terminal server:

    I've got a simple User GPP which implements a registry edit on the Windows 2008 machine. The registry edit has Item Level Targeting enabled which targets the Windows Server 2008 computer specifically, using its DNS name (computer.domain.com).

    In security filtering it is restricted to only a single user group some.users. I've checked the Delegation tab and some.users has both Read access and Apply Group Policy. I have also added Domain Computer with Read access to the permissions list.

    When I run "gpresult /user:specific.user /h gpresult.html" I am receiving an "Access denied (Security Filtering)" error. Inexplicably, when I also check the applied group membership in gpresult.html, it is showing domain\some.users.

    I'm really stuck here, as gpresult shows specific.user as belonging to some.users group, and some.users has Read and Apply access in Security Filtering, so why is it getting denied?

    I even tried creating a brand new test.user and test.group and changing the Security Filtering to apply ONLY to test.group, and the policy applied successfully when I logged in as test.user! But when I change it back to some.users, it starts getting denied again if I log in as specific.user. :(
    Sunday, September 11, 2016 12:19 AM

Answers

  • Hi Vedette,

    Thanks for your post.

    I'm really stuck here, as gpresult shows specific.user as belonging to some.users group, and some.users has Read and Apply access in Security Filtering, so why is it getting denied?

    >>>I suggest you try to logon with other users, which is member of some.users. And run gpresult to check if the policy could be applied successfully.

    If no, are all the member of the some.users in the OU, which GPO is linking?

    The object of security filtering should be contained in the OU.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, September 11, 2016 12:52 PM
    Moderator

All replies

  • Hi Vedette,

    Thanks for your post.

    I'm really stuck here, as gpresult shows specific.user as belonging to some.users group, and some.users has Read and Apply access in Security Filtering, so why is it getting denied?

    >>>I suggest you try to logon with other users, which is member of some.users. And run gpresult to check if the policy could be applied successfully.

    If no, are all the member of the some.users in the OU, which GPO is linking?

    The object of security filtering should be contained in the OU.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Sunday, September 11, 2016 12:52 PM
    Moderator
  • Hi,

    Are there any updates?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 19, 2016 2:43 AM
    Moderator
  • I'm having the same issue on server 2012 R2. I've deployed multiple printers with a set of GPOs and would like to use security groups to filter the GPOs. At first I was receiving the filtering error - group policy filtering not applied (unknown reason). Next I found the following article: https://social.technet.microsoft.com/Forums/office/en-US/6658cc74-593c-432f-b766-e7062830f643/group-policy-problem-not-applied-unknown-reason?forum=winserverGP The suggestion here is to add the Authenticated Users group to the Delegation tab with Read permissions however this only changed the error and did not fix the problem. The output from gpresult /r now states Filtering: denied (securtiy) Any suggestions would be much appreciated!

    Wednesday, November 23, 2016 8:06 PM