none
Security Filtering causes the policy not to apply

    Question

  • Hi,

    Server: Windows Server 2012 R2 Standard Client Machines: Windows 7 (32-bit) & (64-bit)

    The issue I am having is as follows:

    Group Policy works if the security filtering has "Authenticated Users" in it, as soon as I remove authenticated users and put a user name in it, the policy doesn't get applied. The only way to get it to work is by renaming the registry.pol file to registry.bak and then running a gpupdate /force.

    Any help on this matter would be greatly appreciated

    Thank you




    • Edited by SaudMa Friday, August 26, 2016 6:08 PM
    Friday, August 26, 2016 6:00 PM

Answers

  • Running into this Hotfix issue maybe where you need to add Domain Computers if Authenticated users is removed.

    https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

    Computer Policies or User Policies or Both?

    Friday, August 26, 2016 6:16 PM

All replies

  • Running into this Hotfix issue maybe where you need to add Domain Computers if Authenticated users is removed.

    https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

    Computer Policies or User Policies or Both?

    Friday, August 26, 2016 6:16 PM
  • It is a user policy. I will check the hotfix and let you know. 
    Friday, August 26, 2016 6:22 PM
  • Hi,
    I am checking how the issue going, if you still have any questions, please feel free to contact us.
    Appreciate for your feedback.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, August 29, 2016 6:16 AM
    Moderator
  • Is there no actual fix for this? Do I have to add authenticated users and domain computers for every policy that I am using security filtering on?
    Wednesday, August 31, 2016 2:38 PM
  • No, adding Authenticated Users will apply the GPO to all users and computers which defeats the purpose of security filtering.

    You need to grant Domain Computers read access ONLY IF you remove Authenticated Users.

    I have not seen an 'actual fix' as of yet.

    Wednesday, August 31, 2016 2:59 PM
  • Yes, my mistake, didn't mean to say authenticated users, just domain computers. 

    Thank you for you help on this.

    Wednesday, August 31, 2016 3:05 PM