GPO not apply to security group

    Question

  • Hi,

    I have a Windows 2008 R2 domain. I want to replace the members of the local Administrators group on part of the domain computers with the Domain Admin groups by GPO.

    I first created a security group named GroupA and added the group of computer accounts to the group. Then I created an OU named OUA in the domain and moved GroupA under OUA. Next I created a GPO and configured Computer configuration\Policies\Windows Settings\Security Settings\Restricted Groups and added the Administrators group, then added the Domain Admin group in it.

    I linked this GPO to the OUA and removed Authenticated Users from Security Filtering; instead, I added GroupA to it.

    I rebooted the client's computer, but the GPO doesn't work. I ran "gpresult /Scope Computer /v" and I didn't see the GPO applied. 

    I moved the computer to the OUA and the GPO works.

    So the GPO works. It's just the Security Filtering that does not work. What did I miss?

    Need help! 

    Thanks in advance!


    Grace

    Wednesday, 4 July 2018 0:01

Answers

  • Authenticated Users must have read access to the GPO for the computer to process the policy correctly. Add Read Authenticated Users back to the GPO under advanced but untick the "Apply" permission. That way the GPO will be able to be read by the computer object and process the request as required. 

    Alan Burchill (MVP)
    http://www.grouppolicy.biz

    @alanburchill

    • Proposed as answer by Alan Burchill Wednesday, 4 July 2018 0:38
    • Marked as answer by graceyin39 Friday, 6 July 2018 21:49
    Wednesday, 4 July 2018 0:38
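
The permission layout described in the answer above, scripted with the GroupPolicy PowerShell module as an added example that is not part of the original thread. The GPO name `Restricted Admins` is a placeholder (the thread never names the GPO), `GroupA` is the asker's computer group, the display name `Authenticated Users` assumes an English-language domain, and on Windows Server 2008 R2 the cmdlets are named `Get-GPPermissions` / `Set-GPPermissions`.

```powershell
# Added example: filter a GPO to one computer group while keeping it readable.
Import-Module GroupPolicy

$GpoName      = 'Restricted Admins'    # placeholder: the thread does not name the GPO
$FilterGroup  = 'GroupA'               # computer group from the question
$AuthUsersSid = 'S-1-5-11'             # well-known SID of Authenticated Users
$AuthUsers    = 'Authenticated Users'  # display name on English systems (assumption)

# Current delegation on the GPO; match Authenticated Users by SID, not by name.
$perms    = Get-GPPermission -Name $GpoName -All
$auEntry  = $perms | Where-Object { $_.Trustee.Sid.Value -eq $AuthUsersSid }
$grpEntry = $perms | Where-Object { $_.Trustee.Name -eq $FilterGroup }

if (-not $auEntry) {
    # State from the question: Authenticated Users removed entirely,
    # so the computer cannot read the GPO. Grant Read without Apply.
    Set-GPPermission -Name $GpoName -TargetName $AuthUsers `
        -TargetType Group -PermissionLevel GpoRead | Out-Null
}
elseif ($auEntry.Permission -eq 'GpoApply') {
    # Default state (Read + Apply for everyone): the filter would have no effect.
    # -Replace is required to lower an existing permission level.
    Set-GPPermission -Name $GpoName -TargetName $AuthUsers `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
}

if (-not $grpEntry -or $grpEntry.Permission -eq 'GpoRead') {
    # The filter group needs Read + Apply, which GpoApply grants.
    Set-GPPermission -Name $GpoName -TargetName $FilterGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Show the result: expect GpoRead for Authenticated Users, GpoApply for GroupA.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Sort-Object Trustee |
    Format-Table -AutoSize
```

After the change, restart a computer that is a member of `GroupA` and confirm with `gpresult /Scope Computer /v`, as in the question.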

All replies

  • Hello,

    Thanks for your post.

    According to my knowledge, since the policy [Restricted Groups] is under Computer Configuration, it should be applied to the OU that contains computer objects. Otherwise it would not take effect.

    As a suggestion, I think we should re-add Authenticated Users to Security Filtering.

    [Computer Configuration]: With Computer Configuration in Group Policy, you can set policies that are applied to computers, regardless of who logs on to the computers.

    For more information about security filtering using GPMC, please refer to the following link:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc781988(v=ws.10)

    Hope the above information can help you. If anything is unclear, please feel free to let me know.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, 5 July 2018 1:45
  • Hi Alan,

    It works after adding Authenticated Users back with read permission.

    Thank you for your help!


    Grace

    Friday, 6 July 2018 21:52
  • Hi Kallen,

    Thank you for your reply. You are right, a Computer Configuration GPO can only apply to an OU. I made the mistake of removing Authenticated Users.

    Thanks,


    Grace

    Friday, 6 July 2018 21:58
  • Hi,

     

    I am glad to hear that your issue was successfully resolved.

    If there is anything else we can do for you, please feel free to post in the forum.

     

    Best Regards,

    Kallen



    Friday, 13 July 2018 8:50