Group policy applies even if I block it from Delegation tab

    Question

  • Hi.

    I blocked the "WPAD proxy" policy from the Delegation tab. I just set the permission for the group email_allow to read: no.

    Everything worked pretty well. But one day this policy started to apply to some clients.

    GPResult from the clients and the Group Policy Results Wizard both show the same result.

    RSOP data for DOMAIN\UserName on ComputerName : Logging Mode
    ----------------------------------------------------------------
    OS Configuration:            Member Workstation
    OS Version:                  6.1.7601
    Site Name:                   N/A
    Roaming Profile:             N/A
    Local Profile:               C:\Users\UserName
    Connected over a slow link?: No

    USER SETTINGS
    --------------
        CN=UserName,OU=SubOU1,OU=OU1,DC=loc,DC=domain,DC=com
        Last time Group Policy was applied: 6/20/2016 at 8:39:52 AM
        Group Policy was applied from:      DC1.loc.domain.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        DOMAIN
        Domain Type:                        Windows 2000

        Applied Group Policy Objects
        -----------------------------
            usertile
            BGInfo
            Default Domain Policy
            user_comp_assign
            flashplayer
            admin_shares
            allow remote assitance
            firefox
            firewall
            install_certificates
            java32
            localadmin
            netsupport
            reader
            klmover
            WPAD proxy

    The user is a part of the following security groups
        ---------------------------------------------------
            Domain Users
            Everyone
            BUILTIN\Users
            NT AUTHORITY\INTERACTIVE
            CONSOLE LOGON
            NT AUTHORITY\Authenticated Users
            This Organization
            LOCAL
            email_allow
            Medium Mandatory Level

    The weird thing here is that Computer Policies are displayed in User Settings. The flashplayer and admin_shares GPOs contain only Computer settings. They should not be there. Actually, it should look like this (taken from a working computer):

    USER SETTINGS
    --------------
        CN=username,OU=SubOU1,OU=MyOU1,DC=loc,DC=domain,DC=com
        Last time Group Policy was applied: 6/17/2016 at 2:35:15 PM
        Group Policy was applied from:      DC1.loc.domain.com
        Group Policy slow link threshold:   500 kbps
        Domain Name:                        DOMAIN
        Domain Type:                        Windows 2008 or later

        Applied Group Policy Objects
        -----------------------------
            usertile
            BGInfo
            user_comp_assign
            netsupport
            No_proxy

    However, I figured out that the security settings of the GPO are applied successfully (they deny access to the GPO). From a client computer I try to access this policy via \\loc.domain.com\SYSVOL\loc.domain.com\Policies\{0A7A5390-EAD6-4DEB-BA95-2F3EA4DD2861} and it says that I don't have permission. So physically the clients can't access this policy, even though it is applied.

    DCDiag shows no errors on any DC.



    • Edited by aldarik Monday, June 20, 2016 4:00 AM
    Monday, June 20, 2016 3:21 AM

Answers

  • Finally, I found solution.

    There is an update, MS16-072 \ KB3163622. It fixes a theoretical man-in-the-middle attack flaw in Windows, and it also changes the "security context with which user group policies are retrieved" for organizations using Group Policy.

    To fix GPO security issue we need to add the “Authenticated Users” group with the “Read” permissions on affected Group Policy Objects (GPOs).

    For further information read the following article: https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

    In my case, GPOs are applied even if I block them from the security tab.

    To fix it we need to give the security group the "Read" permission and deny the "Apply Group Policy" permission on the GPOs.

    That's how we block GPOs from applying to certain groups.

    • Edited by aldarik Thursday, August 4, 2016 10:25 AM
    • Marked as answer by aldarik Thursday, August 4, 2016 10:25 AM
    Thursday, August 4, 2016 10:03 AM
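    An added example (not from the thread and not Microsoft's own MS16-072 script) that audits every GPO in the domain for the "Authenticated Users" Read permission the answer describes, lists existing deny entries, and re-adds Read where it is missing. It assumes the GroupPolicy module is available and that Get-GPPermission reports the trustees as "Authenticated Users" and "Domain Computers".

```powershell
# Added example (not from the thread): audit every GPO in the domain for the
# post-MS16-072 (KB3163622) requirement that "Authenticated Users" (or
# "Domain Computers") can read it, list any deny entries, and optionally
# restore the Read permission. Needs the GroupPolicy module (GPMC / RSAT) and
# rights to edit GPO security; $Domain defaults to the current domain.
Import-Module GroupPolicy

function Get-GpoReadAudit {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $perms = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain

        # A non-denied entry at Read level or higher for either principal lets the
        # computer account retrieve the user part of the GPO after KB3163622.
        # (Assumption: the trustee names appear exactly as listed below.)
        $readOk = $perms | Where-Object {
            -not $_.Denied -and
            $_.Trustee.Name -in @('Authenticated Users', 'Domain Computers') -and
            $_.Permission -in @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')
        }

        # Deny entries are how a GPO is excluded for a group; a combined
        # "Read allow + Apply deny" ACE set shows up as GpoCustom in GPMC.
        $denies = $perms | Where-Object { $_.Denied } |
            ForEach-Object { '{0}:{1}' -f $_.Trustee.Name, $_.Permission }

        [pscustomobject]@{
            Name   = $gpo.DisplayName
            Id     = $gpo.Id
            ReadOk = [bool]$readOk
            Denies = ($denies -join ', ')
        }
    }
}

# Apply the KB3163622 fix to every GPO that fails the audit. Set-GPPermission
# has no parameter for deny entries, so a deny on "Apply Group Policy" for a
# group such as email_allow is still set in GPMC (Delegation > Advanced).
function Repair-GpoRead {
    param([string]$Domain = $env:USERDNSDOMAIN, [switch]$ReportOnly)
    Get-GpoReadAudit -Domain $Domain | Where-Object { -not $_.ReadOk } | ForEach-Object {
        if ($ReportOnly) { return "Missing Read for Authenticated Users: '$($_.Name)'" }
        Set-GPPermission -Guid $_.Id -Domain $Domain -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        "Added Authenticated Users:GpoRead to '$($_.Name)'"
    }
}

Get-GpoReadAudit | Format-Table -AutoSize   # run Repair-GpoRead to fix the failures
```

    Run Repair-GpoRead -ReportOnly first to see which GPOs would change; the audit output also makes a missing "Apply Group Policy" deny for the blocked group visible as an empty Denies column.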

All replies

  • Hi,

    Thanks for your post.

    Generally, computer policies are only applied to computer objects, while user policies are only applied to user objects. In your situation, the exception is loopback processing, which allows computer policy to be applied to users based on the computer's location in AD instead. See: http://support.microsoft.com/kb/231287.

    Besides, if you deny permission to the computer, only the computer policy will not apply; when the user logs on to the computer, the user policy is still applied by default.

    Check the similar thread:

    https://social.technet.microsoft.com/Forums/windows/en-US/82257eee-d4c9-4ae9-9127-da67ef01a8d8/can-i-block-group-policy-for-some-computers?forum=winserverGP

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, June 20, 2016 8:18 AM
    Moderator
  • Hi Alvwan, thanks for reply.

    Unfortunately, you mixed up loopback. Computer policies never apply to user objects. There is no condition that does that, unless something went very wrong, as in my case. Loopback processing is used to apply user settings to computer objects. They apply to the computer before the user logs on. It is useful when you want to process common user GPOs faster.

    I denied permissions to user groups, and that denies physical access (via \\domain.com\sysvol\...) to these users. However, the policy still applies.

    Tuesday, June 21, 2016 12:27 AM
  • > very wrong like in my case. Loopback processing is used to apply user
    > settings to computer objects.
     
    No.
     
    > They apply to computer before user logs
    > on. It is useful when you want to process common user GPOs faster.
     
    No.
     
     
     
    Tuesday, June 21, 2016 10:10 AM
  • Thanks for correcting me.

    However, it still doesn't solve the problem. I don't use loopback processing at all.

    Thursday, June 23, 2016 11:36 PM
  • Now I got the picture :)
    > The weird thing here is that Computer Policies are displayed here in
    > User Settings. Flashplayer, admin_shares GPOs are only Computer settings
    > policies. They should not be here.
     
    Then double check these "erroneous" GPOs:
    Where are they linked to?
    Is the user part enabled or disabled?
    Do they contain settings in the user part?
    What exactly is in the security filter for these GPOs?
     
    Friday, June 24, 2016 10:08 AM
  • Have you set 'Apply group policy' to deny in the Delegation tab?
    Friday, June 24, 2016 8:46 PM
  •  > The weird thing here is that Computer Policies are displayed here in

    That's not the main problem. That's just one of the symptoms. The main problem is that the blocked policy does still apply.

    > Where are they linked to?

    User policies are linked to:

    1. OU which contains all users. 
    2. sub-OUs of the main user OU.
    3. are at the top of the domain, close to Default Domain Policy.

    Computer Policies are linked to:

    1. OU which contains only computers.
    2. sub-OUs of this main computer OU.
    3. are at the top of the domain, close to Default Domain Policy.

    There are no computers in the users' OU, and no users in the computers' OU.

    > Is the user part enabled or disabled?

    The user part of each policy is enabled, even if it's empty.

    > Do they contain settings in the user part?

    I don't have any policy that contains both user settings and computer settings. I am using these settings separately.

    > What exactly is in the security filter for these GPOs?
    > Have you set 'Apply group policy' to deny in the Delegation tab?

    There is a policy that still applies even if I block it in the security/delegation tab. I changed it there from read:allow to read:deny. You can see it in the screenshot in the main post. I don't set 'Apply group policy'. Every setting in the security tab is unchecked except read:deny. There is a security group "email_allow". The users in this group should not have this policy applied.

    Monday, June 27, 2016 12:23 AM
  • > read:deny. There is a security group "email_allow". The users that are
    > in this group should not have this policy applied.
     
    Run "gpresult /h report.html" - this will tell you where the applied
    GPOs are linked. If you see strange OUs in your GPO list, check for
    Loopback.
    --
    Greetings/Grüße, Martin -
    Read a good book about GPOs for once? -
    Good or bad GPOs? My blog - http://evilgpo.blogspot.com
    And if IT bothers me? Coke bottle design refreshment -
     
    Monday, June 27, 2016 10:54 AM
    In my first post I have the results of gpresult.

    I've already checked every GPO for loopback processing. There is no loopback at all.

    Monday, June 27, 2016 11:07 AM
  • > In my first post I have results of gpresult.
     
    Yes, but the text version which does not show where the GPOs are linked.
    The HTML report does show this.
     
    Monday, June 27, 2016 12:01 PM
  • I am sorry for late reply. We had national holidays.

    We have a "computers' OU" -> there are only computers
    and a "users' OU"         -> there are only users

    Some computer GPOs are in the "computers' OU",
    some user GPOs are in the "users' OU",
    and the rest of the computer and user GPOs are at the top of the domain, near the "default group policy".

    So the computer GPOs that are at the top of the domain are displayed in "user applied policies". In gpresult /h, the "link location" of the falsely applied policies is the top of the domain.

    I moved all the policies that were at the top of the domain to sub-OUs: user GPOs to the user OU, and computer GPOs to the computer OU.

    Now the applied policies are displayed correctly according to their type. However, the problem still exists -> blocked policies still apply.

    Monday, July 18, 2016 12:54 AM
  • Hi,

    I am sorry that this issue still hasn't been resolved.

    If there is no progress, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:

    http://support.microsoft.com/contactus/?ln=en-au

    Have a nice day!

    Best Regards,

    Alvin Wang


    Friday, July 29, 2016 9:22 AM
    Moderator