Using security filtering to apply a GPO to a security group

    Question

  • Hello,

    I need to apply a GPO to a specific security group, which is inside an OU.

    I've created a GPO inside this OU, but it seems that I cannot apply it directly to a group. For that I should use security filtering.

    I found an article explaining how to do it but I can't apply my GPO.


    In this article (please follow link), they say this:

    "Granting Read and AGP is not sufficient to ensure that the GPO is processed for a user or computer. The GPO also has to be linked to a site, domain or organizational unit containing the user or computer, directly or through inheritance. "

    By inheritance, I understand that my "users" are inside a security group, which receives the GPO parameters by inheritance from my OU container, is that correct?

    In my first image (Active Directory), you can see my group "users_with_GPO_screensaver", that contains the users I want to apply the GPO to. This group, as you can see, is in the OU called "xxx_groupes".

    In the other image "GPMC", I've linked the GPO "users_with_GPO_screensaver" into the OU "xxx_groupes".

    Can anyone help me understand why my GPO won't work?

    I really thank you in advance!! 

    best regards,


    https://technet.microsoft.com/en-us/library/cc781988%28v=WS.10%29.aspx?f=255&MSPPError=-2147217396

    Friday, October 9, 2015 9:52 AM

Answers

  • Did you add the AD group into security filtering? When you link GPO to OU, by default, "authenticated users" will be added into security filtering. If you want to apply GPO to specific AD group, you must add your AD group into security filtering. However, if you retain "authenticated users" group, this will apply to all users and computers that are in particular OU and no need to add your AD group.

    Besides, if you had already added your AD group, please run "gpresult /h c:\gpresult.html" on your client machine and see if policy is not applied or denied. Also, please check error event log in client machine for more info.

    -Umesh.S.K

    Friday, October 9, 2015 10:17 AM
  • > I've created a GPO inside this OU, but it seems that I cannot apply
    > directly to a group. For that I should use security filtering.
     
    GPOs do not apply to groups, only to Computers or Users. So the user has
    to be in this OU.
     
    Security filtering only provides an _additional_ layer of targeting GPO
    settings (the OU of the group doesn't matter).
     

    Greetings/Grüße, Martin

    Want to read a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, October 9, 2015 6:18 PM
  • In the other image "GPMC", I've linked the GPO "users_with_GPO_screensaver" into the OU "xxx_groupes".

    ...

    Group Policy Management manages these permissions as a single unit, and displays the security filtering for the GPO on the GPO "Scope" tab.
     
    So in GPMC, first go to "Scope" tab of your "Users_GPO_screensaver" GPO, delete "Authenticated Users" group from "Security Filtering" section by clicking "Remove" button. Click "Add" button to add your "users_with_GPO_screensaver" group into the list.

     

    Then link the "Users_GPO_screensaver" at domain level or any other OU that contains your target users, the settings in it should only apply to the users in your "users_with_GPO_screensaver" group now.
     
    Hope this helps. And please feel free to post back if you need further assistance on this.
     

    Regards,

    Ethan Hua



    Wednesday, October 14, 2015 7:24 AM
    Moderator
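
The steps from the answers above, scripted, with a check for the cause the second reply points at (the GPO must be in scope of the OU that holds the user accounts, not the OU that holds the group). This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and the OU distinguished name is a placeholder.

```powershell
Import-Module ActiveDirectory, GroupPolicy

$GpoName   = 'Users_GPO_screensaver'       # GPO name used in the reply above
$GroupName = 'users_with_GPO_screensaver'  # security group from the question
$UsersOU   = 'OU=PLACEHOLDER_users,DC=example,DC=com'  # placeholder: OU holding the user accounts

# Security filtering: grant the group Read + "Apply group policy".
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# Remove "Apply" from Authenticated Users but keep Read. Since the MS16-072
# update, user policy is retrieved in the computer's security context, so a GPO
# that computer accounts cannot read is skipped even for users in the group.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# Link the GPO where the user objects live (errors if the link already exists).
New-GPLink -Name $GpoName -Target $UsersOU -LinkEnabled Yes

# Audit: for every user in the group, is the GPO linked (directly or by
# inheritance) to the OU or domain that contains the user object?
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    # Strip leading RDNs until the nearest OU= or DC= component, because
    # Get-GPInheritance accepts only an OU or domain DN (not CN=Users).
    $scope = $m.distinguishedName -replace '^.*?,(?=(OU|DC)=)', ''
    $links = (Get-GPInheritance -Target $scope).InheritedGpoLinks
    [pscustomobject]@{
        User       = $m.SamAccountName
        Scope      = $scope
        GpoInScope = [bool]($links | Where-Object {
                         $_.DisplayName -eq $GpoName -and $_.Enabled })
    }
}

# Users with GpoInScope = False will never receive the settings, whatever the
# security filtering says.
$report | Sort-Object GpoInScope | Format-Table -AutoSize

# Resulting delegation on the GPO, for review.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After the next policy refresh, "gpresult /h c:\gpresult.html" on a client (as suggested in the first answer) shows whether the GPO was applied or denied by security filtering.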
