none
Security Filtering on Users or groups are Inaccessible

    Question

  • Hi,

    In a first time sorry if my english is not perfec.

    Since the last week we have a strange problem with the some GPO’s, in one time, without modification, they were no longer applicable.

    It's only for some GPO’s with a security filtering on a group or User who has the problem, when we put a Computer or « Authenticated User » there are no problems.
    On the workstation after a GPRESULT my GPO is in « Denied GPO’s » :

    {BB1E4A7B-C46A-4C0D-B86F-3DC386739557}    *****/Structure/07 Démographie/Users    Inaccessible


    The name of the GPO is replaced by the ID.
    The security permissions are correct on the sysvol folder ([DOMAIN]\SYSVOL\Policies\{BB1E4A7B-C46A-4C0D-B86F-3DC386739557})
    In the event viewer, on the DC or on the workstations, we don’t see any errors.
    I’ve activated the debug mode of the Group Policy Service, in the log :

    GPSVC(194.254) 21:03:48:946 EvalList: Object <cn={BB1E4A7B-C46A-4C0D-B86F-3DC386739557},cn=policies,cn=system,DC=****,DC=**> cannot be accessed

    I moved my GPO in the root, just in below of my domain name to see if it’s not an inheritance problem and I obtain the same symptom.


    Tuesday, June 28, 2016 6:11 AM

Answers

All replies

  • MS has recently released update MS16-072  which changes security context for retrieving "user" GPOs from user to computer, so you need to grant computer accounts (Domain Computers group) read access to the GPOs. See https://support.microsoft.com/en-us/kb/3163622 for more info.

    Gleb.

    • Marked as answer by MichaelVDH84 Tuesday, June 28, 2016 9:24 AM
    Tuesday, June 28, 2016 8:39 AM
  • Hi Gleb,

    Thanks, this is our problem, will see with my manager if we uninstall the update or apply the security filters on the workstations

    Michael.

    Tuesday, June 28, 2016 9:29 AM