How to properly apply my GPO?

    Question

  • Hi,

    I have a GPO that includes a Computer Configuration (it creates a scheduled task on domain computers).

    I have a security group with a few members.

    This GPO should only apply to members of this security group.

    I linked the GPO to our Computer OU then applied security filtering for that security group but it doesn't work.

    How to get this policy working?

    Thanks,

    Sam

    Tuesday, August 09, 2016 5:23 AM

Answers

  • > This should work.  Be sure the user is a member of the security group you
    > have specified in the GPO Security Filtering.
     
    No, it doesn't.
     
    Computers do not apply user configuration, and users do not apply
    computer configuration.
     
    Computers apply computer configuration if rights are sufficient.
    Users apply user configuration if rights are sufficient.
     
    2 possible solutions - both require moving the configuration items from
    computer to user:
     
    a) Loopback (not recommended unless you know what you are doing...)
    b) GPP with Item Level Targeting
     
    Sample for registry values:
    Works the same way for scheduled tasks.
     
    • Marked as answer by Sk80s Thursday, August 11, 2016 2:03 AM
    Wednesday, August 10, 2016 11:19 AM

All replies

  • When you said you have a security group with a few members, are those members computer or user accounts?

    Keep in mind that if you configure a GPO with computer settings, you must configure security filtering to include your computer accounts.

    hth


    This posting is provided AS IS without warranty of any kind

    Tuesday, August 09, 2016 5:38 AM
  • Hi,

    Thanks for your post.

    This issue may occur if you are using security filtering and are missing Read permissions for the domain computers group.

    To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow the below steps:

    If you are using security filtering, add the Domain Computers group with read permission.

    Please go through the following article to get more information about this scenario:

    Deploying Group Policy Security Update MS16-072 \ KB3163622

    https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 09, 2016 8:02 AM
    Moderator
  • > When you said you have a security group with a few members, are those members computer or user accounts?
    >
    > Keep in mind that if you configure a GPO with computer settings, you must configure security filtering to include your computer accounts.

    Hi,

    No I haven't added computers into that Security group.

    Tuesday, August 09, 2016 11:52 PM
  • > This issue may occur if you are using security filtering and are missing Read permissions for the domain computers group.


    Hi, I've added Read permission to Domain Computers through Delegation tab but GPO still gets denied.

    I think I should link the GPO to top level Domain Controller to include both Security Group and Computer accounts. Is that right?

    Wednesday, August 10, 2016 12:11 AM
  • The computers must be defined under Security Filtering. By default it's Authenticated Users, but you can add a user, a computer or a group. If you add a group, the computer account must be a member of that group.

    The "Delegation" tab is not for that purpose. It gives access to modify the GPO itself. You would modify Delegation when you want to give other IT people access to manage GPOs.

    Be sure to add either the computer account under Security Filtering, or a group the computer account is a member of, or just leave the default setting of Authenticated Users.


    This posting is provided AS IS without warranty of any kind

    Wednesday, August 10, 2016 12:23 AM
  • > The computers must be defined under Security Filtering. By default it's Authenticated Users, but you can add a user, a computer or a group. If you add a group, the computer account must be a member of that group.
    >
    > The "Delegation" tab is not for that purpose. It gives access to modify the GPO itself. You would modify Delegation when you want to give other IT people access to manage GPOs.
    >
    > Be sure to add either the computer account under Security Filtering, or a group the computer account is a member of, or just leave the default setting of Authenticated Users.


    Thanks for the info.

    The only issue I have is that this policy needs to be applied only to the users that are members of the security group.

    How do I go about that?

    Wednesday, August 10, 2016 5:40 AM
  • Ok, in that case, just put the group the user is a member of in the security filtering.  The GPO could be linked at the root of the domain if you want (or on the OU where the user is in AD), but be sure to put only the security group you want this GPO applied to in Security Filtering, otherwise the application will be assigned to every user in the domain.

    This should work.  Be sure the user is a member of the security group you have specified in the GPO Security Filtering.


    This posting is provided AS IS without warranty of any kind

    Wednesday, August 10, 2016 6:21 AM
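    The two diagnostics the thread turns on are (1) whether the accounts holding "Apply Group Policy" on the GPO are actually computer objects when the GPO carries Computer Configuration settings, as the marked answer explains, and (2) whether the computer identity has at least Read on the GPO, as the MS16-072 reply explains. The script below is an added example, not code from the thread or from Microsoft: it reports both conditions for one GPO, and also lists any GPP scheduled tasks stored under the GPO in SYSVOL together with their run-as account and item-level-targeting filters (the "GPP with Item Level Targeting" option from the marked answer). It assumes RSAT (the GroupPolicy and ActiveDirectory modules) on a domain-joined admin workstation; the GPO name in the usage lines is the one from the thread, the SidType values are those reported by Get-GPPermission, and the SYSVOL layout is the standard Policies\{GUID} structure.

```powershell
# Added example (not from the thread). Requires RSAT: GroupPolicy + ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoFilteringScope {
    param([Parameter(Mandatory)][string] $GpoName)

    $gpo = Get-GPO -Name $GpoName
    # DSVersion > 0 means that half of the GPO actually carries settings.
    $hasComputerSettings = $gpo.Computer.Enabled -and $gpo.Computer.DSVersion -gt 0
    $hasUserSettings     = $gpo.User.Enabled     -and $gpo.User.DSVersion     -gt 0

    $perms = Get-GPPermission -Name $GpoName -All | Where-Object { -not $_.Denied }

    # The effective security filter is every trustee holding "Apply Group Policy".
    # A computer applies the Computer half only if its own account (directly, through
    # a group it belongs to, or through Authenticated Users) is in this set.
    $computersCanApply = $false; $usersCanApply = $false
    foreach ($p in ($perms | Where-Object Permission -eq 'GpoApply')) {
        switch ($p.Trustee.SidType) {            # SidType values as Get-GPPermission reports them
            'Computer'       { $computersCanApply = $true }
            'User'           { $usersCanApply = $true }
            'WellKnownGroup' { $computersCanApply = $true; $usersCanApply = $true }  # e.g. Authenticated Users
            'Group' {
                $members = Get-ADGroupMember -Identity $p.Trustee.Sid.Value -Recursive
                if ($members | Where-Object ObjectClass -eq 'computer') { $computersCanApply = $true }
                if ($members | Where-Object ObjectClass -eq 'user')     { $usersCanApply = $true }
            }
        }
    }

    # MS16-072 / KB3163622: user policy is now retrieved in the computer's security
    # context, so the computer needs at least Read even when it is not in the filter.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $computersCanRead = [bool]($perms | Where-Object {
        ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or $_.Trustee.Name -eq 'Domain Computers') -and
        $_.Permission -in $readLevels })

    $problems = @()
    if ($hasComputerSettings -and -not $computersCanApply) {
        $problems += 'Computer settings present, but no computer account can Apply this GPO (filter holds only users).'
    }
    if ($hasUserSettings -and -not $usersCanApply) {
        $problems += 'User settings present, but no user account can Apply this GPO.'
    }
    if ($hasUserSettings -and -not $computersCanRead) {
        $problems += 'No Read for Authenticated Users / Domain Computers; user settings fail after MS16-072. ' +
                     "Fix: Set-GPPermission -Name '$GpoName' -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead"
    }

    [pscustomobject]@{
        Gpo              = $GpoName
        ComputerSettings = $hasComputerSettings
        UserSettings     = $hasUserSettings
        ApplyTrustees    = ($perms | Where-Object Permission -eq 'GpoApply' | ForEach-Object { $_.Trustee.Name }) -join ', '
        Problems         = $problems
    }
}

function Get-GppScheduledTaskTargets {
    # GPP scheduled tasks live in SYSVOL as XML; the <Filters> element is item-level targeting.
    param([Parameter(Mandatory)][string] $GpoName)

    $gpo  = Get-GPO -Name $GpoName
    $base = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
    foreach ($side in 'Machine', 'User') {
        $xmlPath = Join-Path $base "$side\Preferences\ScheduledTasks\ScheduledTasks.xml"
        if (-not (Test-Path -LiteralPath $xmlPath)) { continue }
        [xml]$xml = Get-Content -LiteralPath $xmlPath
        foreach ($task in $xml.DocumentElement.ChildNodes) {
            [pscustomobject]@{
                Side    = $side
                Name    = $task.name
                RunAs   = $task.Properties.runAs
                Filters = if ($task.Filters) {
                              ($task.Filters.ChildNodes | ForEach-Object { "$($_.LocalName)=$($_.name)" }) -join '; '
                          } else { '(none: applies to every object that applies the GPO)' }
            }
        }
    }
}

Test-GpoFilteringScope       -GpoName 'RevitLibraryWeeklyUpdateTask' | Format-List
Get-GppScheduledTaskTargets  -GpoName 'RevitLibraryWeeklyUpdateTask' | Format-Table -AutoSize
```

    Run it as a domain admin; an empty Problems list with computer objects among ApplyTrustees is the state the thread eventually reached by putting computer accounts into the filtered group.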
  • Seems a bit complicated to me.

    I created a new security group called "RevitUserComputers" then added some computers to this security group. I applied the GPO to our Workstations OU and used security filtering to apply the GPO to the "RevitUserComputers" security group. The policy is applied but now I get this error from gpresult /h:

    >>Control Panel Settings
    Scheduled Tasks
    Scheduled Task (Windows Vista) (Name: Weekly Revit Library Update 2016)

    The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts. "Weekly Revit Library Update 2016"

    Winning GPO:  RevitLibraryWeeklyUpdateTask 

    Result: Failure (Error Code: 0x80041318)<<

    This task used to apply to all domain computers and it was working; now it needs to be applied either to specific users or their computers (which I added to the security group).

    First I thought the problem was NT AUTHORITY\Authenticated Users (which was set as the default logon user) in Task Scheduler, so I changed it to NT AUTHORITY\SYSTEM, but the same error occurs.

    Here's what this Scheduled Task is doing:

    >>
    General
      Action: Replace
      Task Name: Weekly Revit Library Update 2016
      Author: DOMAIN\Admin
      Description:
      Run only when user is logged on: InteractiveToken
      UserId: NT AUTHORITY\SYSTEM
      Run with highest privileges: HighestAvailable
      Hidden: No
      Configure for: 1.3
      Enabled: Yes

    Triggers
      1. Weekly
         Activate: 07-Jun-16 1:00:00 PM
         Synchronize across time zones: No
         Enabled: Yes
         Recur every 1 weeks on Wednesday

    Actions
      1. Start a program
         Program/script: C:\RevitBatch\RevitBatch.bat
         Arguments: runas /user:administrator -p %1
         Start in: C:\RevitBatch

    Settings
      Start the task only if the computer is idle for: 10 minutes
      Wait for idle for: 1 hour
      Stop if the computer ceases to be idle: No
      Restart if the idle state resumes: No
      Start the task only if the computer is on AC power: No
      Stop if the computer switches to battery power: No
      Wake the computer to run this task: Yes
      Start only if the following network connection is available: Yes
      Allow task to be run on demand: Yes
      Run task as soon as possible after a scheduled start is missed: Yes
      If the running task does not end when requested, force it to stop: Yes
      If the task is already running, then the following rule applies: IgnoreNew
    <<

    UPDATE:

    After rebooting the computer, the task showed up.

    • Edited by Sk80s Thursday, August 11, 2016 2:03 AM
    Thursday, August 11, 2016 12:53 AM
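    Once the task shows up on a client, the check a practitioner would want on the workstation side is in the added example below (not code from the thread): it confirms the GPP-created task exists, reports the principal and last result, and then inspects the ACL of the program the task launches and of its parent folder. That last step matters for this particular task because it runs as NT AUTHORITY\SYSTEM with highest privileges from C:\RevitBatch: if a standard user can write the batch file or the folder, any local user can run code as SYSTEM on the next trigger. The task name is the one from the thread; the list of "low-privilege" identities is an assumption you may need to extend for your environment.

```powershell
# Added example (not from the thread). Run on a target workstation after
# "gpupdate /force" (or the reboot mentioned above), elevated.
function Test-ScheduledTaskDeployment {
    param([Parameter(Mandatory)][string] $TaskName)

    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if (-not $task) {
        return [pscustomobject]@{ TaskName = $TaskName; Found = $false }
    }
    $info = Get-ScheduledTaskInfo -TaskName $TaskName

    # Assumed set of principals that mean "any interactive / standard user".
    $lowPrivIdentities = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $findings = @()

    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # only "Start a program" actions have Execute
        $exe = $action.Execute.Trim('"')
        if (-not [System.IO.Path]::IsPathRooted($exe) -and $action.WorkingDirectory) {
            $exe = Join-Path $action.WorkingDirectory $exe
        }
        # Check the program and its parent folder: write on the folder lets a user
        # delete and recreate the file even when the file's own ACL is strict.
        foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
            if (-not $target -or -not (Test-Path -LiteralPath $target)) { continue }
            $acl = Get-Acl -LiteralPath $target
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($ace.IdentityReference.Value -notin $lowPrivIdentities) { continue }
                if (([int]$ace.FileSystemRights -band [int]$writeBits) -ne 0) {
                    $findings += "$target : $($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
                }
            }
        }
    }

    [pscustomobject]@{
        TaskName          = $TaskName
        Found             = $true
        State             = $task.State
        RunAs             = $task.Principal.UserId
        RunLevel          = $task.Principal.RunLevel
        LogonType         = $task.Principal.LogonType
        LastResult        = '0x{0:X8}' -f $info.LastTaskResult
        Actions           = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' | '
        WritableByLowPriv = $findings
    }
}

Test-ScheduledTaskDeployment -TaskName 'Weekly Revit Library Update 2016' | Format-List
```

    An empty WritableByLowPriv list is what you want for any task that runs as SYSTEM; if the folder shows up there, tighten its ACL (or move the script under a location only administrators can write) before relying on the task.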