Group Policy is not applying on Security Group

    Question

  • Hello Friends,

    I am facing a very strange issue in our environment; the environment details and GPO details are as below.

    1. Windows 2008 R2 Domain Controllers.

    2. A test GPO with Computer Settings has been created and security-filtered on a Security Group (Global Security).

    3. Added the particular computer to the Security Group (Global Security).

    4. Linked the GPO to the Test OU and moved the computer account to that Test OU.

    Observations

    1. The policy is not applying to the computer.

    2. If I remove the group from Security Filtering and add Authenticated Users, the policy applies.

    3. When I remove the group from Security Filtering and add only the particular test computer, the policy applies.

    Troubleshooting done

    As per MS https://support.microsoft.com/en-us/kb/3159398 I provided the required Read permission to the "Authenticated Users" group and the "Domain Computers" group, but the policy still does not apply when Security Filtering is enabled on the group.

    In GPRESULT it shows "Access Denied (Security Filtering)" even after the Read permission for the "Authenticated Users" group and the "Domain Computers" group has been provided.

    Please suggest.


    MCP, MCTS

    Monday, July 25, 2016 12:32 PM

Answers

  • Thanks All,

    What I observed is as below.

    1. We have all Windows 2008 servers; however, there was a requirement to set one registry setting only on Windows 10 clients. Item Level Targeting is the best option in this case if you want to push Group Policy Preference settings via GPO to a particular OS.

    2. Since the Windows 10 OS option is not available in Item Level Targeting when you edit the GPO from a Windows 2008 Domain Controller, the option is to install the Admin Pack (RSAT) on Windows 2012 R2 or Windows 10 and edit the GPO there, so I installed it on Windows 10, created the policy and added the settings for Windows 10.

    3. Instead of waiting for replication, I generally check the logon server (the DC, using the `set l` command) on the test machine and edit the GPO by accessing that DC, so I don't need to wait for replication and the changes are reflected quickly.

    4. My laptop is running Windows 10; I have installed RSAT on it and am also using it for testing the GPO. The Windows 10 settings were not applying on my machine even though my laptop was a member of the group on which I am doing the security filtering. (As stated in the question, I want to use security filtering to apply the setting to a few machines.)

    5. Finally I deleted the GPO which I had created using my laptop and created a new GPO on the Windows 2008 DC; this time I added the settings so that the policy applies to all client machines except Windows 7 and Windows XP, in which case the policy will only apply to Windows 10.

    6. This time it worked, not sure how.

     


    MCP, MCTS

    Tuesday, July 26, 2016 10:35 AM

All replies

  • > 3. Added Particular Computer into Security Group (Global Security).
    >
    > 4. Linked GPO to Test OU and Moved Computer account to that Test OU.
     5. Rebooted the computer to make it pick up the group membership and DN change?
     
     
    Monday, July 25, 2016 1:44 PM
  • Hi,
    It is probably a matter of time, as the client is not aware that the object has changed its OU location. I think you could look in the event log for DS-related warnings or errors, and please try to restart the client and see if it applies correctly.
    It also depends upon replication between the DCs and whether replication has taken place since the computer was moved. You could also try to force replication between the DCs, then reboot the client and check again.
    Please see details from:
    GPO does not apply to a specific user or computer
    https://technet.microsoft.com/en-us/library/cc758759%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
    Regards,
    Wendy


    Tuesday, July 26, 2016 8:04 AM
    Moderator
  • I believe I know the answer to your problem. There was an MS security update on 22/7/2016 which changed the behaviour of GPOs with user settings!

    Up until now, GPOs with user settings were applied under the user's security context, so policies got applied as long as the user was listed in the security filtering. With the behaviour after the MS update, they get applied under the computer context. So if you have the user in the security filtering, it's not enough: you also need Read permission for the computer from which the user accesses the GPO. You don't have to list it in security filtering, but you have to add at least Read permission on the Delegation tab for the computer or for a group this computer is a member of. See the link below, which explains everything and also offers a script to repair the affected GPOs. MS suggests adding Read permission for Authenticated Users to all GPOs (that's what the script they provide is for).

    This has been bugging me for weeks. I could not work out why some GPOs suddenly stopped working. It's all because of this. I would appreciate it if such a massive change had more publicity, because I was running a totally insecure environment for a really long time, as none of the restrictive GPOs were getting applied. I hope this helps your case.

    https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/


    Friday, October 7, 2016 11:33 AM
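    The following is an added example, not code from the thread or from the AskDS post linked above. It audits every GPO in the domain for the Read permission that MS16-072 (KB3163622) requires the computer account to have, and can grant Authenticated Users GpoRead (not GpoApply) where it is missing, which keeps the existing Security Filtering group as the scope. It assumes the GroupPolicy RSAT module is installed (Windows 10 or Server 2012 R2 RSAT, as the answer suggests) and that the caller can edit GPOs; the function names are mine.

```powershell
# Added example (not from the thread): audit and repair the computer-context
# read permission that MS16-072 / KB3163622 requires on every GPO.
# Assumes the GroupPolicy RSAT module and rights to modify GPO delegation.
Import-Module GroupPolicy

# Permission levels that include Read on the GPO container and SYSVOL folder.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoComputerReadAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [Microsoft.GroupPolicy.Gpo] $Gpo)

    # -All lists every ACE on the GPO (Delegation tab), not only the
    # trustees shown under Security Filtering.
    $perms = Get-GPPermission -Guid $Gpo.Id -All

    # After MS16-072 the computer reads the whole GPO, user half included,
    # in its own security context. Authenticated Users (S-1-5-11) covers
    # every computer; Domain Computers (RID 515) covers domain members.
    $hasRead = $perms | Where-Object {
        ("$($_.Permission)" -in $readLevels) -and
        ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or
         $_.Trustee.Sid.Value -like 'S-1-5-21-*-515')
    }

    [pscustomobject]@{
        Name            = $Gpo.DisplayName
        Id              = $Gpo.Id
        HasComputerRead = [bool]$hasRead
        Trustees        = ($perms | ForEach-Object {
                              "$($_.Trustee.Name):$($_.Permission)" }) -join ', '
    }
}

function Repair-GpoComputerReadAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] [Microsoft.GroupPolicy.Gpo] $Gpo)
    process {
        $state = Test-GpoComputerReadAccess -Gpo $Gpo
        if ($state.HasComputerRead) { return $state }

        # GpoRead only: the GPO stays scoped by the Security Filtering group
        # (which holds GpoApply), but computers can now read it.
        if ($PSCmdlet.ShouldProcess($Gpo.DisplayName, 'Grant Authenticated Users GpoRead')) {
            Set-GPPermission -Guid $Gpo.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
            $state = Test-GpoComputerReadAccess -Gpo $Gpo
        }
        $state
    }
}

# 1. Audit: list GPOs that no computer can read, with their current ACL.
Get-GPO -All | ForEach-Object { Test-GpoComputerReadAccess -Gpo $_ } |
    Where-Object { -not $_.HasComputerRead } |
    Format-Table Name, Trustees -AutoSize

# 2. Preview the repair, then run it without -WhatIf once the list looks right.
Get-GPO -All | Repair-GpoComputerReadAccess -WhatIf
# Get-GPO -All | Repair-GpoComputerReadAccess

# 3. On the affected client, refresh and confirm the GPO has left the
#    "Denied GPOs ... Access Denied (Security Filtering)" list:
#    gpupdate /force; gpresult /r /scope:computer
```

Granting GpoRead rather than GpoApply matters: the original poster's observation 2 (adding Authenticated Users to Security Filtering makes the policy apply) works because Security Filtering grants both Read and Apply, which also removes the scoping the group was meant to provide. Edit against the client's logon server, or force replication, before checking gpresult, as the replies above note.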
  • Vitous.....you da man.
    Tuesday, June 13, 2017 8:42 PM