GPO with security filtering is not applied on one computer

    Question

  • While setting up a new computer for a user, running gpupdate /force will apply GPOs applied to Authenticated Users; any other GPO applied to a security group won't apply or even be listed among applied or denied when running the gpresult command. So only a limited number of GPOs work on this specific laptop.

    When Authenticated Users was added to the GPO scope, it started to be applied. When logging in to a different computer with the same user's credentials, all GPOs work as expected. It looks like it is system (specific computer) related.

    The user is in the OU to which the GPO is applied and is a member of a security group which is in the same OU.

    Wednesday, July 06, 2016 6:43 PM

Answers

  • Hi,

    it's the latest Windows Updates batch and the change in behaviour introduced by that. You have to add Domain Computers to the security filtering in order to get it to work again.


    Evgenij Smirnov

    msg services ag, Berlin -> http://www.msg-services.de
    my personal blog (mostly German) -> http://it-pro-berlin.de
    Windows Server User Group, Berlin -> http://www.winsvr-berlin.de
    Mark Minasi Technical Forum, reloaded -> http://newforum.minasi.com

    In theory, there is no difference between theory and practice. In practice, there is.

    Wednesday, July 06, 2016 9:27 PM
  • Hi,

    This behavior is actually described in https://support.microsoft.com/en-us/kb/3163622. One way to fix this is to add "Authenticated Users" with Read permission into the Delegation tab. Another way is to add "Domain Computers" to Security Filtering list.

    Symptoms
    All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

    Cause
    This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

    Resolution

    To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

    • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    • If you are using security filtering, add the Domain Computers group with read permission.

    Similar thread for your reference:

    Patch Tuesday - KB3159398

    https://social.technet.microsoft.com/Forums/en-US/e2ebead9-b30d-4789-a151-5c7783dbbe34/patch-tuesday-kb3159398?forum=winserverGP

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, July 07, 2016 2:28 AM
    Moderator
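
The check described in the KB text above, as an added example that is not part of the original thread or of the KB article: a PowerShell audit that lists GPOs on which neither Authenticated Users nor Domain Computers holds at least Read, with an optional fix using the KB's second option. It assumes the GroupPolicy module (GPMC/RSAT) and English group names; `Test-GpoReadable` and `$Remediate` are names introduced for this example.

```powershell
# Added example: run from a domain-joined admin workstation with GPMC/RSAT installed.
Import-Module GroupPolicy

# Permission levels that include Read access to the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoReadable {
    # Hypothetical helper: true if $Group has at least Read on the GPO.
    param([guid]$GpoId, [string]$Group)
    # Get-GPPermission errors when the trustee has no entry on the GPO,
    # so suppress the error and treat "no entry" as "not readable".
    $perm = Get-GPPermission -Guid $GpoId -TargetName $Group -TargetType Group `
                             -ErrorAction SilentlyContinue
    return ($null -ne $perm -and $readLevels -contains $perm.Permission.ToString())
}

# Collect every GPO that computer accounts cannot read through either group.
$report = foreach ($gpo in Get-GPO -All) {
    $authUsers       = Test-GpoReadable -GpoId $gpo.Id -Group 'Authenticated Users'
    $domainComputers = Test-GpoReadable -GpoId $gpo.Id -Group 'Domain Computers'
    if (-not ($authUsers -or $domainComputers)) {
        [pscustomobject]@{ DisplayName = $gpo.DisplayName; Id = $gpo.Id }
    }
}
$report | Format-Table -AutoSize

# Optional remediation: grant Domain Computers Read only.
# GpoRead grants Read without "Apply group policy", so the group does not
# become part of the set of principals the GPO is filtered to apply to.
$Remediate = $false   # set to $true after reviewing $report
if ($Remediate) {
    foreach ($row in $report) {
        Set-GPPermission -Guid $row.Id -TargetName 'Domain Computers' `
                         -TargetType Group -PermissionLevel GpoRead
    }
}
```

After remediation, run gpupdate /force and gpresult on the affected computer to confirm the security-filtered GPOs are listed again.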

All replies

  • Hi. Rejoin this laptop to domain again.

    -----------------------------------------------------------------

    Sincerely!

    Khalid Garayev

    * Please don't forget to mark as answer or Vote if it helps!

    Wednesday, July 06, 2016 9:21 PM
  • Tried that one with no success, thank you
    Thursday, July 07, 2016 2:22 PM
  • Worked as a charm! Thank you Alvin and Evgenij for your help!
    Thursday, July 07, 2016 2:27 PM
  • Hi,

    I am glad to hear that the information is helpful to you. If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Alvin Wang



    Friday, July 08, 2016 1:49 AM
    Moderator