none
Security Filtering / Authenticated Users change???

    Question

  • For years now I've used security filtering to limit which users get network drives mapped (in addition to restricting via NTFS permissions) using group policy.  Inexplicably this week that stopped working.  GPResult showed the reason for denial as "Inaccessible".  I've always removed the authenticated users group and then added back just the security group that needs access.  As soon as I removed my security group and added back authenticated users the drive would map properly.  What I ended up doing as a workaround is adding my security group and then going into the delegation tab and clicking advanced to limit authenticated users to read access, but not apply.  Therefore the security group only has access, but the drive is successfully mapped.  This reddit helped me https://www.reddit.com/r/sysadmin/comments/1y22nl/trying_to_scope_an_gpo_with_security_filtering/.  I've now seen other websites that also state to not remove authenticated users, but this method has always worked for me.  Weird

    Curious why this would stop working all of a sudden.  Windows update?
    MS use to say this was OK https://technet.microsoft.com/en-us/library/cc728301(v=ws.10).aspx
    Anyway, hope this helps someone else

    Wednesday, June 22, 2016 2:57 PM

Answers

  • Curious why this would stop working all of a sudden.  Windows update?

    You got it, recent windows update change the way the security filtering works. You need to have Authenticated Users with read rights now I believe. It's been covered quite a bit on these forums, a search should bring up more exact details of the change.

    • Edited by MikeeMiracle Wednesday, June 22, 2016 3:27 PM
    • Marked as answer by sallenk Wednesday, June 22, 2016 3:41 PM
    Wednesday, June 22, 2016 3:24 PM