GPO not applying correctly - I'm ready to tear out what little hair I have left!

    Question

  • I REALLY need advice AND CURRENT reader-friendly documents relating to applying GPOs.  MY scenario is stated briefly below and my questions are listed at the bottom of this post.  I'm sure there are some subtle distinctions that I'm not catching.  This SHOULD NOT be as hard as I am making it out to be.  Thanks in advance for your suggestions and links.

    I took a dysfunctional GPO with USER and COMPUTER settings and separated them into two different policies, removing the original combined policy.

    Both new policies are linked to a Department OU. I created a sub-OU for testing and blocked GPO inheritance to it and linked the GPOs directly. The Sub-OU contains the computer on which I'm testing.

    I have a Global Group created for Users requiring the User settings (including myself in that group).

    USER GPO:

       Links: Correct OU.

       Scope: Security Filtering contains the Global Group needing access

       Details:  GPO Status: Enabled

       Delegation Added to the defaults: Authenticated Users (R), Domain Computers (R)

    Ran GPRESULT /r from CMD prompt (Run As Administrator) :  "Filtering: Denied (Security)"

    For the USERS policy, if I add "Domain Computers" to "Security Filtering" and REMOVE it from Delegation, it applies as expected.

    COMPUTER GPO:

       Links: Correct OU.

       Scope: Domain Computers, Global Group needing access

       Details:  GPO Status: Enabled

       Delegation Added to the defaults: Authenticated Users (R), Domain Computers (R)

    Ran GPRESULT /r from CMD prompt (Run As Administrator) :  Policy is applied correctly

    Here are my questions / concerns

    I was under the impression from various MS KB articles that Auth Users needed to be delegates to the GPOs since Auth Users also contains computers?

    Is it necessary for Domain Computers (or any department-specific Global Group containing computers) to be on Security Filtering for ANY GPO in order to get it to apply?

    Which security and/or delegation rights are needed for USER settings in a GPO to apply to the logged in user? And, which of those same settings are needed for COMPUTER settings in a GPO, to apply to the computer?


    • Edited by D. Ingram Friday, February 24, 2017 5:54 PM
    Friday, February 24, 2017 5:51 PM

All replies

  • Since you are using security filtering, see if this helps related to a security update:

     https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

    Friday, February 24, 2017 7:23 PM
  • >I was under the impression from various MS KB articles that Auth Users needed to be delegates to the GPOs since Auth Users also contains computers?

    Authenticated Users include Domain Computers, indeed. There is no need to delegate separate permissions for Domain Computers if those are already delegated for Authenticated Users.

    >Is it necessary for Domain Computers (or any department-specific Global Group containing computers) to be on Security Filtering for ANY GPO in order to get it to apply?

    No, add into the Security Filtering section only those principals to which that GPO should apply. Ensure that those security principals reside under the OU to which the GPO is linked. Though, Domain Computers (or Authenticated Users) MUST be delegated "Read" permission for every GPO. Use the "Delegation" tab to achieve this.

    >Which security and/or delegation rights are needed for USER settings in a GPO to apply to the logged in user?

    The user must be present (directly or indirectly) at the Security Filtering tab. The user's machine must be able to read the content of the GPO.

    >which of those same settings are needed for COMPUTER settings in a GPO, to apply to the computer?

    The computer must be present (directly or indirectly) at the Security Filtering tab. Since presence at the Security Filtering tab assumes "Read" permission, there is no need to manually add computer principals to the Delegation tab.


    https://exchange12rocks.org | https://about.me/exchange12rocks

    Saturday, February 25, 2017 2:29 AM
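
One way to check the Read requirement from the reply above across every GPO in the domain (an added example, not code posted in this thread). It uses the GroupPolicy module's `Get-GPO` and `Get-GPPermission` cmdlets; the trustee names assume default English group names, and the GPO name in the commented remediation line is a placeholder.

```powershell
# Audit: for each GPO, list who is in Security Filtering and whether computer
# accounts can read the GPO. Needs the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

# Trustees through which computer accounts get access (assumed default names).
$computerReaders = 'Authenticated Users', 'Domain Computers'

# Standard permission levels that include Read. A custom ACE (GpoCustom) may
# also grant Read, so review any GPO flagged below by hand before changing it.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    $acl = Get-GPPermission -Guid $gpo.Id -All

    # Allow entries that let computer accounts read the GPO.
    $readers = $acl | Where-Object {
        $_.Trustee.Name -in $computerReaders -and
        "$($_.Permission)" -in $readLevels -and
        -not $_.Denied
    }

    # Security Filtering = trustees with "Read and Apply" (GpoApply).
    $filter = $acl | Where-Object {
        "$($_.Permission)" -eq 'GpoApply' -and -not $_.Denied
    }

    [pscustomobject]@{
        GPO               = $gpo.DisplayName
        SecurityFiltering = ($filter.Trustee.Name | Sort-Object) -join ', '
        ComputersCanRead  = [bool]$readers
    }
}

# GPOs with ComputersCanRead = False sort first; those are the ones that
# show "Filtering: Denied (Security)" for user settings in gpresult.
$report | Sort-Object ComputersCanRead, GPO | Format-Table -AutoSize -Wrap

# Remediation for a single GPO (placeholder name), adding Read only:
# Set-GPPermission -Name 'Dept User Settings' -TargetName 'Domain Computers' `
#     -TargetType Group -PermissionLevel GpoRead
```
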
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, March 03, 2017 6:50 AM
    Moderator