Group Policy problem (Not Applied (Unknown Reason))

    Question

  • A few days ago we had a problem with DFSR and errors (5014, 4612, 5002) due to an unclean shutdown. This has been solved now, SYSVOL is now synced. But now I have problems with User Preferences which are not applied.

    We have a lot of GPOs, mostly computer policies, and they were working OK. User policies are also working OK, but preferences are not:

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
    
        Shortcutxxx
            Filtering:  Not Applied (Unknown Reason)
    
    The user is a part of the following security groups

    - User preferences are linked to the user OU and contain only User preferences (Shortcuts).

    - Security Filtering is set up by Groups

    After spending two days investigating I have noticed:

    - When Security Filtering is set up by User or Group it does NOT work

    - When Security Filtering is set up by Authenticated Users (built-in) it does WORK.

    Something is wrong with sec. filtering. No matter what policy is checked for user or group, it DOES not work (Filtering:  Not Applied (Unknown Reason))

    Groups or Users have the right to read and apply the GPO!

    Please Help.

    This was all working until yesterday; after the DFSR errors we fixed, this does not work anymore. And if I set the GPO to Group or User, on the computer when I do:

    gpupdate /force

    and then

    gpresult /r

    I do not see this (Not Applied (Unknown Reason)); I do not see filtering at all (for this GPO). I must set Auth. users so the policy applies and then set it for user or group, then I can see this. It is strange.


    Basically, whatever policy is filtered by user or group is NOT applied, or shows (Not Applied (Unknown Reason)).

    Edit: To be clear:

    - Create a GPO, set sec. filtering to user or group and remove auth. users. Log in to the computer with that user and use:

    gpresult /r

    No policy.

    - Create a GPO, set sec. filtering to auth. users. Log in to the computer with that user and use the same as above, and it works. After that, on the DC change filtering to user or group and remove auth. users, go to the PC and run:

    gpupdate /force 
    gpresult /r

    and got code:

    Group Policy problem (Not Applied (Unknown Reason)

    • Edited by Lozinjo Monday, June 20, 2016 8:26 AM
    Monday, June 20, 2016 6:19 AM

Answers

  • SOLVED!


    Since Microsoft added MS16-072: Security update for Group Policy: update to Servers:

    "MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer's security context. This issue is applicable for the following KB articles"

    For every GPO with user or group filtering you must add to the "Delegation" tab the "Authenticated users" group with permissions "READ". Sec. filtering can stay as it was.

    For Computer filtering you must add to the "Delegation" tab the "Domain Computers" group with permissions "READ". Sec. filtering can stay as it was.

    Regards,

    Luka



    • Marked as answer by Lozinjo Monday, June 20, 2016 9:59 AM
    • Edited by Lozinjo Monday, June 20, 2016 10:08 AM add on
    Monday, June 20, 2016 9:58 AM
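
The check described in the answer above, as an added example that is not part of the original post: a PowerShell function that lists GPOs where neither "Authenticated Users" nor "Domain Computers" has at least Read, and optionally adds the Read entry. The function name `Find-GpoMissingComputerRead` and its `-Fix` switch are hypothetical; the cmdlets come from the GroupPolicy module, and English group names are assumed.

```powershell
Import-Module GroupPolicy   # ships with GPMC / RSAT

function Find-GpoMissingComputerRead {
    [CmdletBinding()]
    param(
        [switch] $Fix   # hypothetical switch: add Read for Authenticated Users where missing
    )
    # Permission levels that include read access. GpoCustom is left out on
    # purpose: a custom ACE has to be reviewed by hand.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    # English group names (assumption); adjust on localized domains.
    $trustees = 'Authenticated Users', 'Domain Computers'

    foreach ($gpo in Get-GPO -All) {
        $readable = $false
        foreach ($name in $trustees) {
            # Returns nothing (error suppressed) when the trustee has no entry on the GPO.
            $perm = Get-GPPermission -Guid $gpo.Id -TargetName $name `
                        -TargetType Group -ErrorAction SilentlyContinue
            if ($perm -and ([string]$perm.Permission -in $readLevels)) {
                $readable = $true
                break
            }
        }
        if ($readable) { continue }

        if ($Fix) {
            # GpoRead only: appears on the Delegation tab and leaves
            # Security Filtering (the Apply permission) untouched.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
        }
        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            Fixed       = [bool]$Fix
        }
    }
}

# Report only:
Find-GpoMissingComputerRead | Format-Table -AutoSize
# Report and add the Read entry:
# Find-GpoMissingComputerRead -Fix
```

Run the report-only form first and review the list; GPOs that rely on a custom permission entry are reported as missing Read and need a manual look on the Delegation tab.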

All replies

  • Hi,
    I appreciate you sharing this in this forum. It will be greatly helpful to others who have this problem.
    Thanks for your effort again.
    Regards,
    Wendy


    Wednesday, June 22, 2016 1:55 AM
    Moderator
  • I made a new GPO yesterday (that used user security filtering for testing... and I'll use group security filtering once I'm done testing). I couldn't get it to work and I thought it was because I was tired. I worked on it for 3 hours and finally decided to move on to something else and come back to it the next day (today). Thank goodness I found your reply here, because this was exactly the issue. I RARELY leave replies like this, but you really helped me out and kept me from thinking I was going crazy! Thanks!
    Friday, July 01, 2016 2:55 PM
  • THANK YOU SO MUCH FOR POSTING THIS! You have majorly saved my bacon. This seems like a fairly major change to group policy processing for it to be just snuck in with a security update.
    Tuesday, July 05, 2016 7:20 PM
  • Thank you so much! This saved me too!
    Wednesday, July 13, 2016 11:36 PM
  • Thanks :)

    Couldn't work out why a heap of my GPOs with Security Filtering to an AD group all of a sudden stopped working!

    Friday, July 15, 2016 12:20 AM
  • THANK YOU!!!  This worked beautifully.  
    Thursday, July 28, 2016 9:28 PM
  • This worked for us too!!
    Wednesday, August 31, 2016 5:07 PM
  • I was getting this issue and discovered the GPO was "All settings disabled" on the domain controller, so it's good to check the basics too.
    Thursday, January 12, 2017 1:42 AM
  • You are a life saver!

    Miguel Fra
    Falcon IT Services
    https://www.falconitservices.com

     

    Friday, May 05, 2017 3:27 AM
  • Thank you very very very much.

    It is the best help I could ever get from this site.

    Sunday, July 30, 2017 10:33 AM
  • Hi

    We had a similar issue and it worked. The GPO successfully applied to Windows 7 clients; however, the issue persists for Windows 10 clients. Could you please guide us further? Many thanks.

    Monday, January 15, 2018 8:39 AM