Is it possible to assign a GPO to only computers within an OU without having any group listed in security filtering? I have a policy that contains both user and computer configurations with loopback enabled and I need it to apply to an OU group containing computers only. I’ve specified a security group containing the computers but it’s not applying on the computer as it says in GPRESULT, access denied (Security Filtering) even though it’s in the group to get the policy
5 Spice ups
I guess the question is can I have the policies under an OU and have nothing listed in Security Filtering as the default group is Authorised Users. Can I remove this and just apply to the OU it’s linked to?
matt234
(momurda)
October 12, 2017, 2:36pm
3
No.
It won’t apply if there is nothing in the filter there.
Authenticated Users is generally a good idea to use unless you don’t want it.
It is a general term for authenticated user logons as well as computer logons, so it works with Computer GPOs.
justin1250
(Justin1250)
October 12, 2017, 2:38pm
4
Security filtering works based on Groups/object accounts, not OUs. Links determine OU application.
lukegibbons:
Is it possible to assign a GPO to only computers within an OU without having any group listed in security filtering? I have a policy that contains both user and computer configurations with loopback enabled and I need it to apply to an OU group containing computers only. I’ve specified a security group containing the computers but it’s not applying on the computer as it says in GPRESULT, access denied (Security Filtering) even though it’s in the group to get the policy
If you have loopback turned on anything you have in the user configuration will apply to all users who log in to that set of machines. You are getting an error because of the security filtering plus the loopback. For the security filtering to work with loopback both the user and the computer must have the apply delegation. If you have this policy linked to an OU of only machine objects it will only apply the user configurations to these machines when a user logs into these machines specifically. It will not apply the user configurations anywhere else so long as the policy is not linked to an OU of users.
So the policy can stay as it is but what do I need in security Filtering then, Authenticated Users? Because this is a test policy and not live I wanted it to apply to only the computers in the AD group which is why I added the group into the Filtering
davidr4
(davidr4)
October 12, 2017, 2:58pm
6
You need to make a test OU for testing GPOs
1 Spice up
Making test OUs is not really something we do which is why I had to make a test policy and apply it to only my test PCs, how do I successfully accomplish this without making a test OU
Would this do it… if I have the policy under the OU of all machines and then in the AD group have the test machines, then link this AD group into the security filtering alongside Domain Users for the policy. That should only apply the policy to all users on those test machines, not the live ones…?
In the live deployment I’d just have the policy in the OU and have security filtering set to Authenticated Users so every user gets it on all those machines in the OU but it’s not suitable for testing that’s the only reason I have to do it this way
brycekatz
(Bryce Katz)
October 12, 2017, 3:55pm
9
You … test new GPOs in your production environment? How do you still have a job?
3 Spice ups
We’re a hospital so we don’t go around changing OU structure as a rule that’s why I have to find alternative ways around an otherwise simple solution, I know creating a test OU would just solve everything but we can’t do it like that
justin1250
(Justin1250)
October 12, 2017, 4:08pm
11
Well, I would really push whoever is in charge to let you use a test OU as this is the safest course of action. Cause you never know, I mean you are taking advice from random people on the internet about a production environment and well it is a hospital.
lukegibbons:
Would this do it… if I have the policy under the OU of all machines and then in the AD group have the test machines, then link this AD group into the security filtering alongside Domain Users for the policy. That should only apply the policy to all users on those test machines, not the live ones…?
In the live deployment I’d just have the policy in the OU and have security filtering set to Authenticated Users so every user gets it on all those machines in the OU but it’s not suitable for testing that’s the only reason I have to do it this way
However to answer your question yes. If you want a GPO with loopback to apply you will need a group with both the computer objects you want as well as the user objects you want. Without them both loopback policies will be denied.
2 Spice ups
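The security-filtering setup discussed in this thread, as an added example that is not part of any poster's reply: it grants Apply to a group of test computers and to Domain Users, removes the default Authenticated Users entry, then checks that both sides hold Apply. The GPO name and the computer group name are hypothetical placeholders; the cmdlets are from the GroupPolicy module that ships with GPMC/RSAT.

```powershell
# Added example: names below are hypothetical placeholders, not from the thread.
Import-Module GroupPolicy

$GpoName       = 'TEST - Loopback Policy'   # hypothetical GPO, linked to the machines OU
$ComputerGroup = 'GPO-Test-Computers'       # hypothetical group holding the test computer accounts
$UserGroup     = 'Domain Users'             # user side, as proposed in the thread

# With loopback, the computer and the logging-on user must both be allowed to
# apply the GPO. GpoApply grants Read plus "Apply group policy".
foreach ($group in $ComputerGroup, $UserGroup) {
    Set-GPPermission -Name $GpoName -TargetName $group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
}

# Remove the default Authenticated Users entry so the other machines in the
# OU are filtered out. -Replace is required when lowering a permission.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# Verify: list every trustee that can apply the GPO and flag gaps.
$applyTrustees = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

foreach ($needed in $ComputerGroup, $UserGroup) {
    if ($applyTrustees -notcontains $needed) {
        Write-Warning "'$needed' lacks Apply on '$GpoName'; the loopback settings will be filtered out."
    }
}
if ($applyTrustees -contains 'Authenticated Users') {
    Write-Warning "Authenticated Users can still apply '$GpoName'; every machine in the OU will get it."
}
$applyTrustees

# On a test machine, after a restart so the computer account picks up its new
# group membership:
#   gpupdate /force
#   gpresult /r /scope computer
```

The GPO should move from "Denied (Security Filtering)" to the applied list in the GPRESULT output on the test machines only.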
You do have a point and I suppose I am taking answers off random people but I also have common sense and knowledge in Group Policy so I know what your suggestions will do to the environment, I’m only asking to get other suggestions to see if there’s better ways of doing things. But on another note thanks for answering the question at least I know that’ll be the most viable solution for testing
davidr4
(davidr4)
October 12, 2017, 5:49pm
13
No offense (like that really means something), but that is the silliest thing I have ever heard. I have worked with plenty of Dr’s offices and hospitals. Those are the places where you most definitely need a test environment before pushing something out.
1 Spice up