none
Will security filter work against nested groups?

    Question

  • I have a 2008R2 domain with Win7 clients.

    If I have computer objects that are members of a global security group and that group is nested in another global security group that is targeted for a Group Policy, will the computers get the policy?  My GPO is targeted correctly but does not seem to be working against the nested group, but that usually works for everything else so I thought I would ask.

    Thanks,


    Dave


    Sunday, May 17, 2015 5:08 AM

Answers

  • Hello,

    is that computer in the OU structure where the GPO is applies to?


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Twitter:  

    • Marked as answer by DaveBryan37 Monday, May 18, 2015 5:49 PM
    Sunday, May 17, 2015 2:47 PM

All replies

  • Hello,

    is that computer in the OU structure where the GPO is applies to?


    Best regards

    Meinolf Weber

    MVP, MCP, MCTS

    Microsoft MVP - Directory Services

    My Blog: http://blogs.msmvps.com/MWeber

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Twitter:  

    • Marked as answer by DaveBryan37 Monday, May 18, 2015 5:49 PM
    Sunday, May 17, 2015 2:47 PM
  • > If I have computer objects that are members of a global security group
    > and that group is nested in another global security group that is
    > targeted for a Group Policy, will the computers get the policy?
     
    As long as the group membership is in the Kerberos TGT PAC structure, I
    would be willing to bet that it will do so, yes :)
     
    Did you reboot after changing group membership?
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, May 18, 2015 10:59 AM
  • Yes - I had everything targeted and ranged correctly. If I removed a computer from the nested group and added to the security group being targeted directly, it installed. I had a very small sample size of 2, and then noticed that the failures might have been a coincidence from something else. It looks like there is another policy, that is and not targeting the clients, that has a WMI filter on it. For whatever reason, even though that policy is not enabled, the 2 clients I was looking at were getting the EventID 1065 - "The processing of Group Policy failed. Windows could not evaluate the WMI filter"  , I am removing the WMI filter on that policy and waiting for client reboots.  I think you guys have answered my question and will start another thread about how can disabled policies be causing Event 1065s on clients that actually do have the WMI service


    Dave


    Monday, May 18, 2015 5:49 PM
  • > "The processing of Group Policy failed. Windows could not evaluate the
    > WMI filter"
     
    What query do you have in that filter?
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, May 19, 2015 8:18 AM