GPO denied without computer account permissions

    Question

  • Good day,

    I've created a test GPO named "testgpo" with user settings only and linked this policy to an OU with user accounts. In security filtering I chose my user account.

    gpupdate /force
    gpresult /r

        The following GPOs were not applied because they were filtered out
        -------------------------------------------------------------------
            Testgpo
                Filtering:  Not Applied (Unknown Reason)

    The gpresult report shows that this policy was denied; the reason is inaccessible.

    After some googling I added read permission for my computer account and the policy started to apply,
    but I don't understand why it works like that.
    No loopback policies apply to my computer account. I even placed the computer account in a separate OU with blocked inheritance on it.

    What is the reason for such behavior?

    • Edited by 8eugene Tuesday, August 2, 2016 3:51 AM
    Tuesday, August 2, 2016 3:48 AM

Answers

  • Hi,

    Thanks for your post.

    This behavior is actually described in https://support.microsoft.com/en-us/kb/3163622. One way to fix this is to add "Authenticated Users" with Read permission into the Delegation tab. Another way is to add "Domain Computers" to Security Filtering list.

    Symptoms
    All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

    Cause
    This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

    Resolution

    To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

    • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    • If you are using security filtering, add the Domain Computers group with read permission.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by 8eugene Tuesday, August 2, 2016 9:30 AM
    Tuesday, August 2, 2016 6:12 AM
    Moderator

All replies

  • Thank you for your answer.

    Should I edit all domain policies that are security filtered on user accounts or security groups?

    Or maybe this applies to the new group policy objects only?

    • Edited by 8eugene Tuesday, August 2, 2016 10:33 AM
    Tuesday, August 2, 2016 9:42 AM
  • Hi,

    Thanks for your reply.

    In my opinion, you just need to apply this setting to the previous domain policies once they encounter the same issue. Otherwise you do not have to do anything.

    Best Regards,

    Alvin Wang



    Wednesday, August 3, 2016 2:01 AM
    Moderator
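
An added example, not part of the original thread or of the linked KB article: a PowerShell audit for the Resolution steps and the follow-up question about existing policies, listing every GPO on which neither Authenticated Users nor Domain Computers holds a permission that includes Read. It assumes the GroupPolicy module (RSAT/GPMC) and an account that can read GPO permissions; matching Domain Computers by RID 515 and the function name Test-ComputerCanReadGpo are choices made for this example.

```powershell
# Added example (not from the thread): find GPOs that computer accounts
# probably cannot read, i.e. the condition described under "Cause".
Import-Module GroupPolicy

# GPMC permission levels that include Read on the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-ComputerCanReadGpo {
    param([Parameter(Mandatory)] $Permissions)
    foreach ($ace in $Permissions) {
        if ($ace.Denied) { continue }                          # deny entries grant nothing
        if ($readLevels -notcontains $ace.Permission.ToString()) { continue }
        $sid = $ace.Trustee.Sid.Value
        if ($sid -eq 'S-1-5-11') { return $true }              # Authenticated Users
        if ($sid -match '^S-1-5-21-.+-515$') { return $true }  # Domain Computers (RID 515)
    }
    return $false
}

$report = foreach ($gpo in Get-GPO -All) {
    $perms = Get-GPPermission -Guid $gpo.Id -All
    if (-not (Test-ComputerCanReadGpo -Permissions $perms)) {
        # Trustees that can currently read this GPO, for review.
        $readers = $perms |
            Where-Object { -not $_.Denied -and $readLevels -contains $_.Permission.ToString() } |
            ForEach-Object { $_.Trustee.Name }
        [pscustomobject]@{
            DisplayName  = $gpo.DisplayName
            Id           = $gpo.Id
            ReadTrustees = $readers -join ', '
        }
    }
}

$report | Sort-Object DisplayName | Format-Table -AutoSize

# Remediation for a reviewed GPO, per the second Resolution bullet
# (left commented out so the audit itself changes nothing):
# Set-GPPermission -Guid $gpo.Id -TargetName 'Domain Computers' `
#     -TargetType Group -PermissionLevel GpoRead
```

A GPO that computers can read only through some other group is still listed, so treat the output as candidates to review rather than confirmed failures. GpoRead grants Read without Apply, so the user or group security filter continues to decide who receives the settings.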