none
GPO will not apply to individual users or security groups.

    Question

  • I'm having a strange issue with Group Policy. I have several GPO's that will not apply to specific users or security groups if I set the Security Filtering to only apply to them.  For example, if I set a GPO's security filtering to only include a security group called "print users" it will not apply to them.

    The only way I can get the GPO's to apply is if I specify "Authenticated Users" under the security filtering section for the GPO.  This was not an issue last week, it just started today.  Any thoughts?


    Nate

    Monday, June 20, 2016 4:57 PM

Answers

All replies

  • Hi Nate,
    What GPO is configured to apply to "print users" group? If the group policy is set up on computer configuration, you may need to add the group of computer accounts under the security filtering section for the GPO, not the user group.
    Authenticated Users includes all domain user accounts and computer accounts that have been authenticated by a domain controller on the network. So what this means is that by default the settings in a GPO apply to all user and computer accounts residing in the container linked to the GPO.
    Regards,
    Wendy

    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by cguan Tuesday, June 21, 2016 6:49 AM
    Tuesday, June 21, 2016 3:17 AM
    Moderator
  • Hi
     
    Am 20.06.2016 um 18:57 schrieb TacticalN8:
    > I'm having a strange issue with Group Policy. I have several GPO's that
    > will not apply to specific users or security groups if I set the
    > Security Filtering to only apply to them.
     
    Patchday 14.06.2016. Microsoft changed the way of how a GPobject is
    read. Now: The COMPUTER! needs read permissions.
     
    Run this oneliner to add permissions on all GPOs:
    Set-GPPermissions -All -PermissionLevel GpoRead -TargetName (Get-ADGroup
    "$((Get-ADDomain).DomainSID)-515").Name -TargetType Group -ErrorAction
    Continue
     
    See :
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - deutsch
     
    • Marked as answer by TacticalN8 Wednesday, June 22, 2016 5:53 PM
    Tuesday, June 21, 2016 6:14 AM
  • If GPO needs to be applied to computer or devices capable of processing GP, then use "Computer Configuration".

    If GPO needs to be applied to users then configure "User Configuration", then apply to users object such as "Security Groups" with user accounts of course, or "Authenticated Users"


    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.


    • Edited by cguan Tuesday, June 21, 2016 7:53 AM edit
    Tuesday, June 21, 2016 6:52 AM
  • See :
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     

    The above link describes the culprit.  Thanks Mark!

     


    Nate

    Wednesday, June 22, 2016 5:53 PM