Security Filtering with group policy on "groups"

-
Hi, for some time I have had a selection of top-level policies just under the Default Domain Policy which were enforced to trickle down into the OUs below. They were policies that set desktop lock times for different groups, examples being the IT Admin group, Staff group and so on.
I had applied security filtering and entered the group for each policy to apply, so:
IT Admin Lock - 5 minutes - Security filter = Domain Admins
Staff Lock - 20 minutes - Security filter = Staff
For some reason I could only get desktop locking to work when the policies were at the top level above the general Staff OUs.
Anyway, it worked beautifully for a year.
However, now it does not work anymore and I cannot make sense of it. When I do a gpresult /r for a staff user I see the policy was not applied (Unknown reason). When I investigated further it says the policy was either empty, or inaccessible, or something else which I can't remember while typing this.
If I go to security filtering and change Staff to Authenticated Users and then try again, the policy is applied and works perfectly. However, this won't work in my scenario because I want different lock times for different groups. If I try just entering a user name in security filtering it won't work either.
I read somewhere that security filtering doesn't work for security groups, which I think is odd, and what makes it stranger is that it has worked like this for the last year.
I cannot apply the lock policies at OU level, for example at the Staff OU level, because then the policy never actually works even though it says it applies, which seems to me to mean that I have to do it at the top level under the Default Domain Policy.
Does anybody know why it would suddenly stop working? I'm stumped. I can only make it work if I set the security filter to Authenticated Users, which is not the solution in my situation.
Thanks for any input.
All replies
-
> however now it does not work anymore and I cannot make sense of it. When
> I do a gpresult /r for a staff user I see the policy was not applied

Do a "gpresult /h report.html". Then examine which GPO sets the timeouts, and examine the denied GPOs section of the report.

> If I go to security filtering and change staff to Authenticated users
> and then try again, the policy is applied and works perfectly however
> I cannot apply the lock policies at OU level, for example at the StaffOU
> level because then the policy never actually works

Hmmm... Loopback "Merge" enabled by accident?

Greetings/Grüße, Martin
How about reading a good book on GPOs?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:
-
Well, loopback is not enabled on those policies; however, loopback is enabled on computer policies in lower OUs.
However, like I said, if I set security filtering to Authenticated Users then the policies work. But if I set it to a security group like Staff, then the lock policy is not applied.
-
> Well loopback is not enabled on those policies however loopback is
> enabled on computer policies in lower OU's.

Loopback is not a setting "per GPO", but for the computer. If it is enabled anywhere, it will change GPO processing order for user GPOs.

Greetings/Grüße, Martin
How about reading a good book on GPOs?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:
- Proposed as answer by Amy Wang_Microsoft contingent staff, Moderator Wednesday, September 02, 2015 3:28 AM
- Marked as answer by Amy Wang_Microsoft contingent staff, Moderator Tuesday, September 08, 2015 8:43 AM
-
Hi, I appreciate what you are saying and understand that computer policies are for computers. However, what I am not managing to get my head around is that if I set security filtering to Authenticated Users for the top-level lock policy (enforced), then the lock policies work perfectly, and that is without changing any loopback settings in any OUs.
many thanks
-
> head around is that if I set security filtering to authenticated users
> for the top level lock policy (enforced) then the lock policies work
> perfectly and that is without changing any loopback settings in any OU's.

If you have loopback "merge" enabled, computers need read access to GPOs to apply them. Auth users includes domain computers and domain users, so it works. If you change to a group containing only users, computers cannot access anymore and it fails. You need to add "domain computers" to make it work again. At least if it's really loopback related :)

Greetings/Grüße, Martin
How about reading a good book on GPOs?
Good or bad GPOs? - my blog…
And if IT bothers me - coke bottle design refreshment (-:
- Proposed as answer by Amy Wang_Microsoft contingent staff, Moderator Monday, August 24, 2015 2:13 PM
- Marked as answer by dubsdj - MCITP - CCA-V Friday, August 28, 2015 11:42 AM
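The two things Martin asks for above, finding out whether loopback is in effect on the computer and whether the computer account can still read the lock GPOs once Authenticated Users has been removed from Security Filtering, can be checked and fixed from PowerShell. The script below is an added example, not code from the thread or from any of the participants. It assumes the GroupPolicy module (RSAT or a domain controller), that the GPOs are named "IT Admin Lock" and "Staff Lock" as in the question, and that the group to add is the built-in "Domain Computers". It grants Read only, not Apply, so the Apply ACE on the Staff or Domain Admins group still decides who actually receives the lock timeout.

```powershell
# Added example (not from the thread): audit GPOs for the loopback-merge read
# problem Martin describes, and optionally grant Domain Computers read access.
# Assumptions: GroupPolicy module available; GPO names taken from the question.
Import-Module GroupPolicy

# 1. Is loopback in effect on this computer? The loopback policy writes the
#    UserPolicyMode value: 1 = Merge, 2 = Replace, absent = not configured.
function Get-LoopbackMode {
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $value = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
    switch ($value) {
        1       { 'Merge' }
        2       { 'Replace' }
        default { 'NotConfigured' }
    }
}

# 2. For each GPO, list who can read it and who it applies to. Removing
#    Authenticated Users from Security Filtering removes its Read ACE as well,
#    so a GPO filtered to a users-only group is invisible to the computer account.
function Test-GpoComputerRead {
    param([string[]]$GpoName)
    foreach ($name in $GpoName) {
        $perms   = Get-GPPermission -Name $name -All
        $readers = $perms | Where-Object {
            $_.Permission -in 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
        } | ForEach-Object { $_.Trustee.Name }
        [pscustomobject]@{
            GPO                 = $name
            AuthenticatedUsers  = $readers -contains 'Authenticated Users'
            DomainComputersRead = $readers -contains 'Domain Computers'
            ApplyTo             = ($perms | Where-Object Permission -eq 'GpoApply' |
                                   ForEach-Object { $_.Trustee.Name }) -join ', '
        }
    }
}

# 3. Grant Domain Computers Read (not Apply): the computer can then fetch the
#    user settings during loopback merge, while the Apply ACE still limits
#    which users receive them.
function Grant-GpoComputerRead {
    param([string[]]$GpoName, [switch]$WhatIf)
    foreach ($name in $GpoName) {
        Set-GPPermission -Name $name -TargetName 'Domain Computers' -TargetType Group `
            -PermissionLevel GpoRead -WhatIf:$WhatIf | Out-Null
    }
}

"Loopback on this computer: $(Get-LoopbackMode)"
$lockGpos = 'IT Admin Lock', 'Staff Lock'
Test-GpoComputerRead -GpoName $lockGpos | Format-Table -AutoSize
# Review the table, then drop -WhatIf to actually change the ACLs.
Grant-GpoComputerRead -GpoName $lockGpos -WhatIf
```

A GPO that shows AuthenticatedUsers = False and DomainComputersRead = False is the case Martin describes: the user is in the Apply group, but on a computer with loopback merge the GPO is fetched in the computer's context and comes back as inaccessible, which is what the "Unknown reason" and "inaccessible" entries in gpresult were reporting. One caveat a practitioner reading this thread today should know: since MS16-072 (June 2016) user Group Policy is retrieved in the computer's security context on every client, loopback or not, so every user GPO filtered to a custom group now needs a Read ACE for Authenticated Users or Domain Computers, exactly the fix applied here.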