Unexpected issue with GPO

    Question

  • Hi,

    I have created one GPO with some security settings suggested by our security team. The GPO contains only Computer Settings. I had to apply it to the OU with 80 computer accounts (Hyper-V servers). I put those 80 computers in a group and then added that group to the security filtering of that GPO. Then I linked that GPO to that specific OU, containing those servers.

    Everything went well for almost 15 days.

    Then I thought that since the settings need to be implemented on all the computers in that OU, I deleted the group from security filtering and added "Authenticated Users" to the security filtering.

    Once the replication was done, I lost connection to ALL computers in the entire domain. All Hyper-V hosts were down and I was not able to connect to ANY computers, including the DC, as it was also a VM. I accessed the physical host, took the console of the DC and unlinked that GPO from that OU, which fixed the issue.

    Now my question is, what exactly went wrong? I have just changed the security filtering to "Authenticated Users" from computer accounts. Why was it working when computer accounts were added in the security filtering, and why did it go down after I added the "Authenticated Users" account? Anyhow, we had to apply that GPO to all the computers inside that OU. Also, there were not any user-related settings in that GPO. Can someone please help me understand this?

    Thanks!

    Nilabh Verma

    Friday, May 24, 2019 10:19 AM

All replies

  • Have you tried disabling the user settings? Can you post the GPResult from an affected machine?

    For Authenticated Users by default, the GPO will apply to all users or computers in the container which the GPO is linked to.

    Security Filtering: GPO will apply to only the added object (User or Computer).

    So better take a test machine and compare the GPResult of when applied through Security filtering and Authenticated user.

    • Edited by Partha1012 Friday, May 24, 2019 12:59 PM
    Friday, May 24, 2019 12:53 PM
  • Hello,
    Thank you for posting in our TechNet forum.

    According to my understanding, now there is no GPO issue during our work, is that right?

    According to our description "Anyhow we had to apply that GPO to all the computers inside that OU", I think we can achieve this with the following methods:

    Method 1
    1. Create a new OU, put all the computer objects (NOT one computer group object) we want (maybe these computers are partial machines in the domain) into this OU.
    2. Create a GPO, edit it and link it to the above OU in step 1.
    3. Run gpupdate /force command or restart the computer to make the GPO take effect.


    Method 2
    1. Create a GPO, edit it and link it to domain level (we apply this GPO to all the computers in the domain).
    2. Run gpupdate /force command or restart the computer to make the GPO take effect.

    In our case, I am not sure why we use the "Security filtering" option.



    We can try to compare the group policy settings (including user policies and computer policies) when there is no such issue (add computer group in Security filtering) and when we have such issue (remove computer group and add Authenticated Users in Security filtering).


    For user configuration:

    1. Log on to one client with a domain user account.
    2. Create a new folder in C drive named Folder.
    3. Open CMD, type gpresult /h C:\Folder\report.html and press Enter.
    4. Open the report file to check the policies under User Configuration.

    For computer configuration:

    1. Log on to one client as Administrator.
    2. Open CMD, run as administrator.
    3. Type gpresult /h C:\report.html and press Enter.
    4. Open the report file to check the policies under Computer Configuration.



    If it does not work, please confirm the following information:

    1. What security settings do we configure?

    2. According to "The GPO contains only Computer Settings":
       - Is the GPO we mentioned a new GPO or an existing GPO?
       - Is the GPO we mentioned the default domain policy or the default domain controller policy?
       - Is the GPO we mentioned without any group policy setting (without any user setting or without any computer setting)?
       - Is the GPO we mentioned with other group policy settings (only computer settings)?

    3. According to "I had to apply it to the OU with 80 computer accounts (Hyper-V servers)", does it include Domain controllers within 80 computer accounts?




    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 27, 2019 6:19 AM
    Moderator
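
Added example, not part of any reply in this thread: a PowerShell scope audit to run before changing a GPO's security filtering, listing every container the GPO is linked to and every trustee on its ACL. It assumes the GroupPolicy module (GPMC / RSAT) is available; the helper name `Get-GpoScopeSummary` and the GPO name are hypothetical.

```powershell
# Added example. Requires the GroupPolicy module (installed with GPMC / RSAT).
Import-Module GroupPolicy

# Hypothetical helper: returns one row per link and per ACL entry of a GPO.
function Get-GpoScopeSummary {
    param([Parameter(Mandatory)] [string] $GpoName)

    # Links: every site, domain or OU the GPO is attached to (from the XML report).
    [xml] $report = Get-GPOReport -Name $GpoName -ReportType Xml
    foreach ($link in @($report.GPO.LinksTo)) {
        if ($null -eq $link) { continue }          # GPO has no links
        [pscustomobject]@{
            Kind   = 'Link'
            Target = $link.SOMPath
            Sid    = $null
            Detail = "Enabled=$($link.Enabled); Enforced=$($link.NoOverride)"
        }
    }

    # ACL: trustees holding GpoApply are the ones shown under Security Filtering.
    foreach ($ace in (Get-GPPermission -Name $GpoName -All)) {
        [pscustomobject]@{
            Kind   = 'Permission'
            Target = $ace.Trustee.Name
            Sid    = $ace.Trustee.Sid.Value
            Detail = "$($ace.Permission); Type=$($ace.Trustee.SidType); Denied=$($ace.Denied)"
        }
    }
}

$summary = @(Get-GpoScopeSummary -GpoName 'Hyper-V Security Baseline')  # placeholder name
$summary | Format-Table Kind, Target, Detail -AutoSize

# S-1-5-11 is the well-known SID of Authenticated Users (name-independent match).
$applyAll = $summary | Where-Object {
    $_.Kind -eq 'Permission' -and $_.Sid -eq 'S-1-5-11' -and $_.Detail -like 'GpoApply*'
}
$links = @($summary | Where-Object { $_.Kind -eq 'Link' })
if ($applyAll) {
    # With Apply granted to Authenticated Users, the link locations alone decide
    # which computers process the GPO (barring WMI filters or deny entries).
    Write-Warning ("Authenticated Users has Apply; computers under these " +
        "containers process the GPO: " + ($links.Target -join ', '))
}
```
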
  • Hi Partha,

    First of all I would like to let you know that the issue got resolved after removing Authenticated users from the security filter. Currently I have added all 80 computers in the security filter and there is no issue.

    - The settings are related to security, such as encryption, NTLM, authentication etc.

    - The GPO is the new one, we created a few days ago.

    - This GPO doesn't have any domain or domain controller policies. These are customized settings we set up in this GPO.

    - All settings are computer settings, not even a single user setting.

    - The GPO is implemented only in ONE OU, containing Hyper-V servers (normal computer accounts). No Domain Controllers are there.

    - GPResult is working fine and shows that this GPO is properly implementing to all computers.

    I want to know why it's creating an issue when I add "Authenticated Users" in the security filter and why it's working fine if I add all computer accounts individually in the security filter. There are no user settings in the GPO, nor do we have any user account in that OU. Theoretically there should not be any impact whether we add individual computers or authenticated users.


    Regards, Nilabh Verma


    Monday, May 27, 2019 9:49 AM
  • Hi Daisy,

    First of all I would like to let you know that the issue got resolved after removing Authenticated users from the security filter. Currently I have added all 80 computers in the security filter and there is no issue. Now coming to your questions:

    - The settings are related to security, such as encryption, NTLM, authentication etc.

    - The GPO is the new one, we created a few days ago.

    - This GPO doesn't have any domain or domain controller policies. These are customized settings we set up in this GPO.

    - All settings are computer settings, not even a single user setting.

    - The GPO is implemented only in ONE OU, containing Hyper-V servers (normal computer accounts). No Domain Controllers are there.

    - GPResult is working fine and shows that this GPO is properly implementing to all computers.

    I want to know why it's creating an issue when I add "Authenticated Users" in the security filter and why it's working fine if I add all computer accounts individually in the security filter. There are no user settings in the GPO, nor do we have any user account in that OU. Theoretically there should not be any impact whether we add individual computers or authenticated users.


    Regards, Nilabh Verma

    Monday, May 27, 2019 9:58 AM
  • Hi,
    I think we can try the Method 1 and Method 2 without configuring "Security filtering" option.

    For more information about Security Filtering, we can refer to the following article: Group Policy Security Filtering
    http://www.rebeladmin.com/2018/04/group-policy-security-filtering/


    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.


    Best Regards,
    Daisy Zhou



    Tuesday, May 28, 2019 9:58 AM
    Moderator
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou


    Thursday, May 30, 2019 2:32 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
     
    Again thanks for your time and have a nice day!




    Best Regards,
    Daisy Zhou


    Monday, June 3, 2019 7:29 AM
    Moderator