Security Filtering on Users or groups are Inaccessible


  • Hi,

    In a first time sorry if my english is not perfec.

    Since the last week we have a strange problem with the some GPO’s, in one time, without modification, they were no longer applicable.

    It's only for some GPO’s with a security filtering on a group or User who has the problem, when we put a Computer or « Authenticated User » there are no problems.
    On the workstation after a GPRESULT my GPO is in « Denied GPO’s » :

    {BB1E4A7B-C46A-4C0D-B86F-3DC386739557}    *****/Structure/07 Démographie/Users    Inaccessible

    The name of the GPO is replaced by the ID.
    The security permissions are correct on the sysvol folder ([DOMAIN]\SYSVOL\Policies\{BB1E4A7B-C46A-4C0D-B86F-3DC386739557})
    In the event viewer, on the DC or on the workstations, we don’t see any errors.
    I’ve activated the debug mode of the Group Policy Service, in the log :

    GPSVC(194.254) 21:03:48:946 EvalList: Object <cn={BB1E4A7B-C46A-4C0D-B86F-3DC386739557},cn=policies,cn=system,DC=****,DC=**> cannot be accessed

    I moved my GPO in the root, just in below of my domain name to see if it’s not an inheritance problem and I obtain the same symptom.

    Tuesday, June 28, 2016 6:11 AM


All replies

  • MS has recently released update MS16-072  which changes security context for retrieving "user" GPOs from user to computer, so you need to grant computer accounts (Domain Computers group) read access to the GPOs. See for more info.


    • Marked as answer by MichaelVDH84 Tuesday, June 28, 2016 9:24 AM
    Tuesday, June 28, 2016 8:39 AM
  • Hi Gleb,

    Thanks, this is our problem, will see with my manager if we uninstall the update or apply the security filters on the workstations


    Tuesday, June 28, 2016 9:29 AM