User targeted GPO settings do not apply on Windows 10 (1607) computers if computer is filtered

Question

  • Hi

    I just had a bad experience applying GPO settings to Users using Windows 10 (1607) computers.

    The GPO has ONLY settings in the USER Policies section. The Computer section is empty.

    The filtering section contains the 2 USERS to who it should apply.

    The GPO does not apply to those 2 USERS! Typing "GPRESULT -r" does not even list it anywhere.

    - If I add the computer(s) to the filtering section, it applies.

    - It applies also OK if the user uses Windows 7 or Windows Server 2012-R2 computers without the need to add those computers to the filtering section.

    This behaviour is new to me. Any thoughts?

    Thanks.



    Thomas.



    Tuesday, January 31, 2017 1:36 PM


All replies

  • Hi,

    Please check if the below information helps:

    https://support.microsoft.com/en-us/help/3163622/ms16-072-security-update-for-group-policy-june-14,-2016

    Symptoms

    All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

    Cause

    This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

    Resolution

    To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

    • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    • If you are using security filtering, add the Domain Computers group with read permission.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by DonPick Wednesday, February 1, 2017 7:51 AM
    • Marked as answer by Thomas M.T. _ Wednesday, February 1, 2017 7:05 PM
    Wednesday, February 1, 2017 7:44 AM
    Moderator
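The KB article quoted above gives the cause (the computer account, as Authenticated Users or Domain Computers, can no longer read the GPO after MS16-072) and the manual fix in GPMC. The following PowerShell audit is an added example, not part of the thread or of Microsoft's article: it walks every GPO in the domain with the GroupPolicy RSAT module and flags the ones whose delegation lacks any Read-or-better entry for Authenticated Users (well-known SID S-1-5-11) or Domain Computers (domain RID 515), which is exactly the condition that makes user-only policies vanish from gpresult on patched clients. The `-Remediate` switch is an assumption of this script and applies the article's first remedy via `Set-GPPermission`; run without it first to see the report.

```powershell
<#
  Added audit script (not from the thread). Assumes:
    - RSAT GroupPolicy module installed, session run as a user who can read GPO ACLs
    - a domain-joined host; Get-GPO / Get-GPPermission / Set-GPPermission are the
      standard cmdlets of the GroupPolicy module
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical switch: when set, add "Authenticated Users: Read" to flagged GPOs
    [switch]$Remediate
)

Import-Module GroupPolicy -ErrorAction Stop

# Any of these permission levels includes the Read right the client needs.
$readOrBetter = @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')

function Test-ComputerCanReadGpo {
    param([Parameter(Mandatory)]$Permissions)
    foreach ($p in $Permissions) {
        $sid = $p.Trustee.Sid.Value
        # S-1-5-11 = Authenticated Users; *-515 = Domain Computers of any domain
        $isComputerTrustee = ($sid -eq 'S-1-5-11') -or ($sid -like 'S-1-5-21-*-515')
        if ($isComputerTrustee -and ($p.Permission.ToString() -in $readOrBetter)) {
            return $true
        }
    }
    return $false
}

$report = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All
    $canRead = Test-ComputerCanReadGpo -Permissions $perms

    # A GPO is only at risk if its User half is enabled and has ever been edited.
    $userSideInUse = $gpo.User.Enabled -and ($gpo.User.DSVersion -gt 0)

    [pscustomobject]@{
        DisplayName     = $gpo.DisplayName
        Id              = $gpo.Id
        UserSideInUse   = $userSideInUse
        ComputerCanRead = $canRead
        AtRisk          = $userSideInUse -and -not $canRead
    }
}

$atRisk = $report | Where-Object AtRisk
$report | Sort-Object AtRisk -Descending | Format-Table DisplayName, UserSideInUse, ComputerCanRead, AtRisk -AutoSize

if ($Remediate) {
    foreach ($g in $atRisk) {
        if ($PSCmdlet.ShouldProcess($g.DisplayName, 'Grant Authenticated Users Read')) {
            # Read only: the user-side Apply entries from the security filter stay as they are,
            # so the policy is still targeted at the two users, not at everyone.
            Set-GPPermission -Guid $g.Id -TargetName 'Authenticated Users' -TargetType Group `
                -PermissionLevel GpoRead | Out-Null
        }
    }
}
```

Granting Read (not Apply) keeps the original security filtering intact, which is why the article lists it as a separate step from the filter entries themselves. After remediation, `gpupdate /force` on the Windows 10 client followed by `gpresult /r` should list the policy under the user section again; `-Remediate -WhatIf` previews the changes without touching any ACL.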
  • Hi DonPick,

    Thanks for your post. This is close but I do not think this is the reason because the GPO applies very well to those users if they log in to any Windows 7 or Windows 2012-R2 computer. The issue is only on any Windows 10 (1607) computers.

    I tested this in two different domains in two different forests at two different companies.

    Thanks.


    Thomas.



    Wednesday, February 1, 2017 8:12 AM
  • Hi Muhammad Shaher Yar,

    I'm using the Group Policy Management on a DC.

Using an MMC with the Group Policy Management snap-in you can create and manage any kind of domain group policies for users and/or computers and filter them by user/computer/group/WMI...


    Thomas.

    Wednesday, February 1, 2017 2:30 PM
  • Hi Thomas,

Did you actually follow DonPick's advice and add 'authenticated users' with READ permissions under the Delegation tab of your policy?

    Wednesday, February 1, 2017 4:13 PM
  • Hi BramVdp,

As I wrote in the original post, if one adds the W10 computer(s) to the filtering list, it applies. So giving "authenticated users" or "domain computers" read permissions will indeed make the GPO apply.

    But this isn't the question. I know this.

The question is why this is suddenly necessary for W10 1607 and not for other Windows versions (7, 2012-R2 ...)?

    People having legacy GPO's that target USERS only will suddenly not apply anymore if the user sits in front of a W10 PC.

I clearly point to this as being a bug but have no way to submit it to MS.

    Maybe someone is reading.


    Thomas.


    Wednesday, February 1, 2017 5:01 PM
  • But it is not a bug, it's a security feature which is thoroughly described here and on other blogs.
    Maybe your Windows 7 clients and 2012R2 servers do not have that group policy security patch installed?

    • Marked as answer by Thomas M.T. _ Wednesday, February 1, 2017 7:05 PM
    Wednesday, February 1, 2017 6:21 PM
Indeed! I was unaware of this, and several other IT Pros and MCTs I asked about it hadn't heard about it either...

    All clear now!

Thank you BramVdp and DonPick for your help!

    Best regards,


    Thomas.

    Wednesday, February 1, 2017 7:05 PM