Hi,
I’m trying to deploy a GPO to an OU with a security group in it. Since it’s a computer configuration policy, I added some workstations to the security group, linked the GPO to the OU and set the group in Security Filtering.
Even if I force a policy update it’s not applying. Can anyone help me please?
Andrea
5 Spice ups
Are you forcing this from the server side or the user side?
Do a gpupdate /force from user side and restart the computer.
Does it show applied from the user side if you type gpresult /r in command prompt?
davidr4
(davidr4)
October 25, 2017, 12:08pm
3
GPOs don’t get applied to security groups. It has to be applied to the OU containing the computers. You can use the security group to do filtering though.
4 Spice ups
semicolon
(semicolon)
October 25, 2017, 12:36pm
4
The force parameter will not have an effect on which policies are applied.
“/force” is not a valid troubleshooting mechanism.
1 Spice up
@bh5970 it was from client side.
@david4r does it mean I have to move the computers in the OU, link it with the policy and then filter target machines with a security group?
1 Spice up
davidr4
(davidr4)
October 25, 2017, 1:19pm
6
Andrea6922:
@bh5970 it was from client side.
@david4r does it mean I have to move the computers in the OU, link it with the policy and then filter target machines with a security group?
Yes, or link to the OU that the computers are already in. If you can move those computers to a sub-OU, it may make your life easier. Then you don’t have to worry about filtering. Make sure you leave Domain Computers on the Delegation tab with read access though.
To apply a GPO to certain workstations, those workstations need to be in the same OU to which you are assigning the GPO. Security filtering is meant to allow only specified users/groups/computers access to that GPO.
Ex:
OU:Marketing (workstations inside)
GPO: Mapped Drives (2 mapped drives. Security Filtering: default to “Authenticated Users” )
GPO: Admin Mapped Drive (1 mapped drive. Security Filtering: specify the “Manager Group” )
A normal user logging into any of the marketing workstations will grab the Mapped Drives GPO, but NOT get the Admin Mapped Drive, while a marketing manager (that is in the Manager Group) logging into a marketing workstation will get both Mapped Drives and Admin Mapped Drive GPOs.
Start with placing the computers in an OU and applying the GPO to that OU, keeping the Default Security Filtering to “Authenticated Users”. You can test on the client workstations by using the “gpupdate /force” which will go and fetch the latest GPOs instead of waiting around for the workstation to eventually grab that GPO. That command is used to speed things up during testing, not to enable GPOs.
As BH5970 said, using the “gpupdate /force” then followed by a “gpresult /r” will tell you if your GPO has been applied to that client workstation which is a valid troubleshooting method when testing if the GPO has been applied or not. Personally I like using the “Group Policy Results” on the GPO server for testing this.
johndod
(Caur)
October 25, 2017, 4:50pm
8
The security group used for filtering does not have to be in the same OU as the computer.
The GPO must link to the OU with the computers you are working with.
You have to remove Authenticated Users on the Scope tab in the Security Filtering section. Just your security group should be viewable in the Security Filtering section.
Then, go to the Delegation tab and add Authenticated Users back with READ permissions.
I am assuming you are using a Global Security group.
I had to set this type of GPO up for our imaging so that the correct image gets put on the machine since we have a mix of Win7 and Win10 right now.
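The link, filter and delegation steps from the post above, scripted with the GroupPolicy module. This is an added example, not code from the thread; the GPO, OU and group names are placeholders.

```powershell
#Requires -Modules GroupPolicy
# Placeholder names (assumptions): substitute your own GPO, OU and group.
$GpoName     = 'Workstation Baseline'
$TargetOU    = 'OU=Workstations,OU=Example Corp,DC=example,DC=com'
$FilterGroup = 'GPO-Workstation-Baseline'

# Link the GPO to the OU that holds the computer objects (skip if already linked).
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if ($links.DisplayName -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Security Filtering: the filter group gets Read + Apply.
Set-GPPermission -Name $GpoName -TargetName $FilterGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Authenticated Users: lower from Apply to Read only. This one call covers both
# "remove from Security Filtering" and "add back on Delegation with Read".
# -Replace is required: without it an existing higher permission is left unchanged.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Show the resulting ACL so the change can be reviewed.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

The final listing should show the filter group with GpoApply and Authenticated Users with GpoRead.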
OK, now I understand…
I was trying to apply a policy to target machines WITHOUT moving them from the default OU (computers), it would be hard to maintain. So I need to link the policy to the domain and add the target security group in Security Filtering.
davidr4
(davidr4)
October 26, 2017, 9:59am
10
Don’t do that either. You should not be leaving your computers or users in the default containers. Make OUs and structure your AD properly. The default Users and Computers are not OUs. They are containers and cannot have GPOs directly applied to them. Make an OU with your company name, then make sub OUs for users and computers and organize it from there.
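The conditions raised across this thread (computer in an OU rather than a default container, GPO linked to that OU, computer in the filter group, Apply for the group and Read kept for Authenticated Users or Domain Computers) can be checked for one machine in a single pass. This is an added example, not code from the thread; all names are placeholders.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Placeholder names (assumptions): substitute your own objects.
$GpoName      = 'Workstation Baseline'
$FilterGroup  = 'GPO-Workstation-Baseline'
$ComputerName = 'WS-EXAMPLE-01'

$computer = Get-ADComputer -Identity $ComputerName
$parent   = ($computer.DistinguishedName -split ',', 2)[1]

# 1. Location: CN=Computers is a container, not an OU, so no GPO can be linked to it.
$inContainer = $parent -like 'CN=*'

# 2. Link: the GPO must reach the computer's parent, directly or by inheritance,
#    and the link must be enabled.
$linked = $false
if (-not $inContainer) {
    $effective = (Get-GPInheritance -Target $parent).InheritedGpoLinks
    $linked = [bool]($effective |
        Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled })
}

# 3. Membership: the computer must be a direct or nested member of the filter group.
$isMember = [bool](Get-ADGroupMember -Identity $FilterGroup -Recursive |
    Where-Object { $_.distinguishedName -eq $computer.DistinguishedName })

# 4. ACL: Apply for the filter group, and read access kept for
#    Authenticated Users or Domain Computers as advised in the thread.
$acl = Get-GPPermission -Name $GpoName -All | Where-Object { -not $_.Denied }
$groupCanApply = [bool]($acl | Where-Object {
    $_.Trustee.Name -eq $FilterGroup -and $_.Permission -eq 'GpoApply' })
$readKept = [bool]($acl | Where-Object {
    $_.Trustee.Name -in 'Authenticated Users', 'Domain Computers' })

[pscustomobject]@{
    Computer          = $computer.Name
    ParentIsContainer = $inContainer     # want: False
    GpoLinkedToParent = $linked          # want: True
    InFilterGroup     = $isMember        # want: True
    GroupHasApply     = $groupCanApply   # want: True
    ReadAccessKept    = $readKept        # want: True
}
```

If every check passes and the policy is still missing, restart the computer: a computer account picks up new group membership only when it next starts, which `gpupdate /force` alone does not trigger.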
OK, I’m going to do a few tests right now.
Thanks!