Security Filtering with group policy on "groups"


  • Hi, for some time I have had a selection of top-level policies just under the default domain policy which were enforced to trickle down into the OUs below. They were policies that set desktop lock times for different groups, examples being the IT Admin group, Staff group and so on.

    I had applied security filtering and entered the group for each policy to apply so:

    IT Admin Lock - 5 Minutes - Security filter = domain admins

    Staff lock - 20 minutes - Security filter = staff

    For some reason I could only get desktop locking to work when the policies were at the top level above the general Staff OUs.

    Anyway it worked for a year beautifully.

    However, now it does not work anymore and I cannot make sense of it. When I do a gpresult /r for a staff user I see the policy was not applied (Unknown reason). When I investigated further it says the policy was either empty, or inaccessible or something else which I can't remember while typing this.

    If I go to security filtering and change staff to Authenticated users and then try again, the policy is applied and works perfectly; however, this won't work in my scenario because I want different lock times for different groups. If I tried just entering a user name in security filtering it won't work either.

    I read somewhere security filtering doesn't work for security groups which I think is odd, and what makes it stranger is that it has worked like this for the last year.

    I cannot apply the lock policies at OU level, for example at the StaffOU level, because then the policy never actually works even though it says it applies, which seems to me that I have to do it top level under default domain policy.

    Does anybody know why suddenly it would stop working? I'm stumped. I can only make it work if I set security filter to authenticated users, which is not the solution in my situation.

    Thanks for any input.

    Friday, August 7, 2015 6:26 PM


All replies