I am trying to apply a GPO to a security group rather than the entire OU. I also have to mention it is a group with User Objects and not Computer Objects.
I apply the GPO object to the user OU I wish to apply it to. In the Scope and Delegation tab, I remove Authenticated Users and add the security group I wish for it to apply to. Also read on some forums to add Domain Computers group with Read permissions and I have done so as well.
If I leave Authenticated Users with Read and Apply permissions, the GPO works successfully. However, I don’t wanna do this because I only want a certain group of people to receive such a setting.
Does anyone know how to make this work?
Thanks
8 Spice ups
You should have it correct if the security group containing the users has read and apply permissions to the GPO; and the computer objects have read permissions to the GPO, and you are trying to apply user policies and not computer policies. You can’t have computer policies applied based upon which user logs in. You can only selectively apply user policies this way.
3 Spice ups
You’ll need the read delegation for authenticated users. This is due to a change in the way User GPOs are processed.
User GPOs are now read by the computer object before applying to the user object. This is due to a security concern patched in MS16-072.
Add authenticated users with a read delegation and apply to your group.
Also is this a new group? Did you relog the users? Group changes are applied on logon.
Make sure the user is part of the group
whoami /groups
Then run gpresult /r under the users context in cmd and see what it outputs for your new GPO.
3 Spice ups
Depending on what you’re doing you might be able to use Targeted Deployment. If you’re mapping a drive, say accounting, you can setup the GPO to do this on the User Side or even Computer side and then use the other tab to select targeted.
If it’s something that doesn’t have this option then you’re going about it right like the others have said.
How you’re currently doing it like the others have mentioned: Assign Security Group Filters to the GPO | Microsoft Learn
How you can do it inside the GPO if it’s an option aka targeting: How To Map Network Drives With Group Policy (Complete Guide) - Active Directory Pro
2 Spice ups
I agree with the above post and was going to recommend item level targeting.
1 Spice up
Hi All,
@moorebeers Thanks, and yes, item level targeting works great for drive mapping; that’s how I have it set up.
@jhart and @kevinhsieh
I’ve tried what you guys have told me, and still no go. Here is a quick screenshot of the settings I’ve applied in the Delegation tab.
I’ve made sure the user is part of the group (USB Blocking) and he is now; verified through the whoami /groups command.
I also tried adding Domain Computers with read permissions and still no go.
Do you guys think I am missing something? The user is part of the OU where the GPO is being applied as well.
USB blocking is a computer policy, not a user policy. You can’t apply computer policies to users, only computers. You will not be able to have USB blocking follow users, as it will need to be applied to the computer and will be in force for all users of the computer.
There is a way to get user policies to apply to computers (GPO loopback processing), but no way to get computer policies to apply to users.
3 Spice ups
@kevinmhsieh I think you nailed it. I was trying to rack my brain about this and I’m not sure there’s another way. I’ll dig around but I think you’re right.
1 Spice up
I did mention it in the first comment…
kevinmhsieh:
USB blocking is a computer policy, not a user policy. You can’t apply computer policies to users, only computers. You will not be able to have USB blocking follow users, as it will need to be applied to the computer and will be in force for all users of the computer.
There is a way to get user policies to apply to computers (GPO loopback processing), but no way to get computer policies to apply to users.
@kevinhsieh
Please don’t think I am trying to contradict you but I went the User route since I found this setting (picture below).
However, I did change it to apply to computers and not users. So now I went to Computer Configuration, Enabled the setting, and added the computer object to the security group instead of the user, still no go. If I check the Apply To setting for Authenticated Users it works just fine.
So it looks like I get the same result whether it’s targeting a Security Group with Computer Objects or User Objects.
What do you think might be going wrong?
Please show a screenshot of the security filtering.
@kevinhsieh
It looks like it might be working!
I’m gonna do a bit more testing today to make sure it is consistent, but what seems to have done it was adding Domain Computers with Read access, in addition to adding Authenticated Users with Read access.
Does that sound like something that would make sense? After my testing, it looks like that’s what did it. I’ll keep you posted!
u-Man:
kevinmhsieh
It looks like it might be working!
I’m gonna do a bit more testing today to make sure it is consistent, but what seems to have done it was adding Domain Computers with Read access, in addition to adding Authenticated Users with Read access.
Does that sound like something that would make sense? After my testing, it looks like that’s what did it. I’ll keep you posted!
Domain computers were supposed to have read access. You said that they did in the original post.
If authenticated users have access, then it will apply to all users located below wherever you link the GPO, just like regular GPO.
My understanding from your goal is you want to apply to only a subset of users, defined by a group. Authenticated users need to be removed from read and apply. It is okay to have authenticated users to have read, but they must not have apply. Note that Domain Computers is a member of Authenticated Users, so either of those would need read access. The security group needs read and apply.
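The permission layout described in this post and in the earlier MS16-072 reply (Authenticated Users or Domain Computers with Read only, the target group with Read and Apply, nobody else with Apply) can be checked and corrected from PowerShell. The script below is an added example written for this thread, not something posted by any participant; it assumes the RSAT GroupPolicy module is installed, and the GPO name 'USB Blocking' and group name 'USB Blocking' are placeholders matching the group mentioned in the thread.

```powershell
# Added example (not from the thread): audit a GPO's security filtering so that
# only one security group receives Apply, while Authenticated Users (which
# includes Domain Computers) keeps Read for the post-MS16-072 processing model.
# Assumes the RSAT GroupPolicy module; GPO and group names below are placeholders.
Import-Module GroupPolicy

function Test-GpoSecurityFiltering {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $TargetGroup   # group that should receive the policy
    )

    $findings = @()
    $perms = Get-GPPermission -Name $GpoName -All

    # Match Authenticated Users by its well-known SID rather than display name.
    $authUsers = $perms | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }
    $target    = $perms | Where-Object { $_.Trustee.Name -eq $TargetGroup }

    # Authenticated Users must keep Read (computers read user GPOs since MS16-072)
    # but must not have Apply, or the GPO applies to everyone under the link.
    if (-not $authUsers) {
        $findings += 'Authenticated Users has no permission; computers cannot read this GPO. Grant GpoRead.'
    } elseif ($authUsers.Permission -eq 'GpoApply') {
        $findings += 'Authenticated Users has GpoApply; the GPO applies to every user/computer under the link. Reduce to GpoRead.'
    }

    # The target group needs GpoApply (which includes Read). Edit-level
    # permissions do not imply Apply, so anything other than GpoApply is flagged.
    if (-not $target) {
        $findings += "Group '$TargetGroup' is not on the ACL; grant GpoApply."
    } elseif ($target.Permission -ne 'GpoApply') {
        $findings += "Group '$TargetGroup' has '$($target.Permission)' but needs GpoApply."
    }

    # Any other trustee holding Apply widens the scope beyond the intended group.
    $perms | Where-Object { $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne $TargetGroup } |
        ForEach-Object { $findings += "Unexpected GpoApply for '$($_.Trustee.Name)'." }

    [pscustomobject]@{
        Gpo      = $GpoName
        Ok       = ($findings.Count -eq 0)
        Findings = $findings
    }
}

function Repair-GpoSecurityFiltering {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $TargetGroup
    )
    # -Replace lowers Authenticated Users to Read only (covers Domain Computers);
    # the target group is raised to Apply.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $GpoName -TargetName $TargetGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# Usage (placeholder names): report first, repair only if something is off.
$result = Test-GpoSecurityFiltering -GpoName 'USB Blocking' -TargetGroup 'USB Blocking'
$result | Format-List
if (-not $result.Ok) {
    Repair-GpoSecurityFiltering -GpoName 'USB Blocking' -TargetGroup 'USB Blocking'
}
```

After the ACL is correct, the remaining checks from the thread still apply: the account or computer must actually be in the group (membership is evaluated at logon or boot, so re-logon or reboot after adding it), and gpresult /r run in the right context shows whether the GPO was applied or filtered out by security. This script only governs who the GPO applies to; it does not change whether the setting itself is a user or computer policy.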
@kevinhsieh
Sorry, very true, I did. I forgot to mention that I removed it and assumed it was noticed when I sent the screenshot.
But yes, it is working with all that you mentioned. I’ve tested and it’s all working.
Thank you so much for the help!