Group Policy Security Filtering not working on Groups & Computers.

    Question

  • 1. I have created one policy having some service marked as automatic with adding some service accounts.

    2. Service account added to Administrators group via GPO

    3. All the above policies are computer configuration and user configuration is disabled.

    Tried to add both computer individually and through group, but GPO not working.


    Single DC installed, Windows Server 2008 R2 SP1, and other servers are 2008 x86 SP2.

    DC function level is 2003.
    Saturday, May 28, 2016 11:11 AM

Answers

  • Hi Vikramaery,

    Thanks for your post.

    2. Service account added to Administrators group via GPO

    >>>How did you configure this? By restricted group?

    If you add the service account to Administrators by Restricted Group, first you need to create a GPO link to a COMPUTER OU.

    2. Removed the Authenticated users and added group which having machines.

    >>>If you remove Authenticated Users from security filtering and add a computer group, the members of the group should be included in the COMPUTER OU.

    To configure Restricted Group

    1. Right-click Restricted Groups and click Add group
    2. Click Browse, then type Administrators
    3. Click OK, double-click Administrators and click Add under Members of this group
    4. Add the service account

    Best Regards,

    Jay



    • Marked as answer by Vikram Aery Monday, June 13, 2016 7:14 AM
    Wednesday, June 8, 2016 10:33 AM
    Moderator
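
The conditions named in this thread (a link on the computer's OU or above it, unbroken inheritance, computer settings enabled, and the computer being covered by the security filter) can be checked from the directory side. The script below is an added example, not part of any reply; `Test-GpoComputerTargeting` and the sample names are hypothetical, and it assumes the RSAT GroupPolicy and ActiveDirectory modules are installed.

```powershell
Import-Module GroupPolicy, ActiveDirectory   # RSAT modules; all calls below are read-only

function Test-GpoComputerTargeting {
    param([Parameter(Mandatory = $true)][string]$GpoName,
          [Parameter(Mandatory = $true)][string]$ComputerName)

    $gpo      = Get-GPO -Name $GpoName
    $computer = Get-ADComputer -Identity $ComputerName -Properties PrimaryGroup
    # Container that holds the computer object: its DN minus the leading "CN=<name>,"
    $parent   = $computer.DistinguishedName -replace '^CN=[^,]+,', ''

    # 1. Link scope. InheritedGpoLinks lists the links that reach the target,
    #    including links on parent OUs and the domain, after Block Inheritance and
    #    Enforced are resolved. CN=Computers is a container, not an OU, so GPOs
    #    cannot be linked to it; only domain-level links reach computers there.
    $target = if ($parent -like 'CN=*') { (Get-ADDomain).DistinguishedName } else { $parent }
    $link   = @((Get-GPInheritance -Target $target).InheritedGpoLinks |
                Where-Object { $_.GpoId -eq $gpo.Id })

    # 2. Security filtering: SIDs holding "Apply group policy" (GpoApply) on the GPO.
    $applySids = @(Get-GPPermissions -Guid $gpo.Id -All |
                   Where-Object { $_.Permission -eq 'GpoApply' } |
                   ForEach-Object { $_.Trustee.Sid.Value })

    # 3. SIDs the computer presents: itself, Authenticated Users (S-1-5-11), its
    #    primary group, and all direct or nested groups (LDAP in-chain matching rule).
    #    Groups that the primary group itself belongs to are not expanded here.
    $dn     = $computer.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)")
    $mySids = @($computer.SID.Value, 'S-1-5-11', (Get-ADGroup -Identity $computer.PrimaryGroup).SID.Value) +
              @($groups | ForEach-Object { $_.SID.Value })
    $filterMatch = @($applySids | Where-Object { $mySids -contains $_ })

    $computerOn = @('ComputerSettingsDisabled', 'AllSettingsDisabled') -notcontains "$($gpo.GpoStatus)"
    $linkOn     = [bool]($link | Where-Object { $_.Enabled })
    New-Object PSObject -Property @{
        Computer          = $computer.Name
        ParentContainer   = $parent
        GpoStatus         = $gpo.GpoStatus
        LinkReachesObject = ($link.Count -gt 0)
        LinkEnabled       = $linkOn
        ApplyTrusteesHit  = $filterMatch          # filter entries this computer matches
        TargetingOk       = ($computerOn -and $linkOn -and ($filterMatch.Count -gt 0))
    }
}

# Constructed names for illustration; replace with your own GPO and computer.
# Test-GpoComputerTargeting -GpoName 'Service Accounts Policy' -ComputerName 'SRV01'
```

A computer added to a filtering group only presents that membership after it restarts; running `gpresult /r /scope computer` elevated on the target then lists the applied and filtered-out GPOs.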

All replies

  • You need to pull an RSoP (Resulting Set of Policies) and see if your policy gets applied at all.

    Usually you would be able to see why it doesn't get applied from the RSoP as well.

    https://mizitechinfo.wordpress.com/2013/08/18/simple-guide-generate-rsop-reports-with-gpresult-exe-in-window-server-2012-r2/


    Evgenij Smirnov

    msg services ag, Berlin -> http://www.msg-services.de
    my personal blog (mostly German) -> http://it-pro-berlin.de
    Windows Server User Group, Berlin -> http://www.winsvr-berlin.de
    Mark Minasi Technical Forum, reloaded -> http://newforum.minasi.com

    In theory, there is no difference between theory and practice. In practice, there is.

    Saturday, May 28, 2016 8:29 PM
  • Hi, thanks for your reply.

    But I am applying GP via security filtering.

    Below are the points.

    1. Created one GP.

    2. Removed the Authenticated users and added group which having machines.

    3. Added one group having GP(service status mark as automatic & added service account to administrative group).

    4. GPResult don't show anything.

    Thanks

    Sunday, May 29, 2016 9:57 AM
  • Hi,

    "GPResult don't show anything" is not good enough. You should be seeing

    • whether the policy has been applied
    • if it hasn't, the reason for it
    • the target user's and/or computer's security group memberships at the time GPResult has run

    Is the new GP actually linked to an OU containing the target computer? Is the inheritance broken somewhere along the tree?

    I suggest you post your GPResult here.


    Evgenij Smirnov


    Sunday, May 29, 2016 10:13 AM
  • So does mean the what is written in GPMC console that for Group.Users, Computer will work on some of the things. I will also check the same while removing the computer object and using the same policy with User object does it affect or not.
    Sunday, May 29, 2016 10:28 AM
  • If it was a question, please rephrase it so I can understand it. If it wasn't, please specify if you need further assistance.

    Evgenij Smirnov


    Sunday, May 29, 2016 5:17 PM
  • Thanks for your reply.

    Please share your English language blog/website/forum.

    But seems still my issue is open and will work if instead of using computer machine will try to use USER object it may help to apply the policy

    Unfortunately, my question is still open: does it work or not? Please share any TechNet URL so I can have it documented for the future.

    Monday, May 30, 2016 6:39 AM
  • Hi Again,

    So while doing the testing, do we need to attach the policy where I have added the security group need to attach to the ou where computer object persist. Or if I use loopback policy(will update the same).

    Wednesday, June 8, 2016 3:21 AM
  • You need to attach the policy to the OU (or above it in the tree) where the target computer object resides.

    Evgenij Smirnov


    Wednesday, June 8, 2016 4:21 AM