GPO Help


  • Hello,

    I need some help understanding something.  I created a GPO to create an icon on a users desktop.  I configured the USER settings of the GPO for this.  I only want this GPO to be applied to a certain user and/or security group.  I created a test user and changed the security filtering on the GPO to only be applied to this test user.  I placed the GPO in the same OU as the test user.

    I did a force update on the client workstation and the GPO was not being applied.  I then added the workstation that I was using to test into the security filter of the GPO.  My GPO now works.

    My question:  I don't want to have to add all the machine names to the security filter (these are floating users and they use different PC's from time to time and they will change).  Shouldn't just adding the users and/or security group from AD to the security filter in the GPO accomplish this?  How can avoid having to add all the machine names into the security filter and accomplish the same goal?  Any help would be greatly appreciated.


    Wednesday, January 4, 2017 3:46 PM

All replies

  • The computer only needs the read GPO permission. under delegation - advanced, add domain computers and check the apply read GPO box.

    If my answer helped you, check out my blog: Deploy Happiness

    Wednesday, January 4, 2017 3:49 PM
  • Will that then create a desktop icon on all computers in our domain then?  Or does that just allow computers to read the GPO so that security filtering can then take place?
    Wednesday, January 4, 2017 3:53 PM
  • Hi,

    I assume you are using GPO Preferences to add the Desktop Icon? As an alternative to the GPO security filtering you could use Item-Level Targeting (example: Only users which are part of the MGMT Security group AND are using Notebook PCs would receive the Preference - Security filtering for the GPO would be set to the Authenticated Users). 



    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, January 4, 2017 7:37 PM
  • Hi,
    Alternatively, you could check if MS16-072 is installed on clients and domain controllers which might cause user group policy not working, if that is the case, please use the Group Policy Management Console (GPMC.MSC) and add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO). If you are using security filtering, add the Domain Computers group with read permission. Please see:
    Best regards,

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Thursday, January 5, 2017 8:02 AM