<\/use><\/svg><\/div><\/a><\/div><\/p>","upvoteCount":0,"datePublished":"2019-07-02T17:26:49.000Z","url":"https://community.spiceworks.com/t/gpo-access-denied-security-filtering/719173/5","author":{"@type":"Person","name":"justin1250","url":"https://community.spiceworks.com/u/justin1250"}},"suggestedAnswer":[{"@type":"Answer","text":"Hey all,<\/p>\n
I know this is a common issue, but none of the other answers I found have worked.<\/p>\n
I have two GPOs that I need filtered to specific groups, but they always get denied due to security filtering error. I already added the Authenticated Users (Read) back in for Delegation and I even added Domain Computers (Read) to the Delegation as well and still get security filtering denied.<\/p>\n
The only time the GPOs apply is if the security filtering has either Authenticated Users or Domain Computers listed in it, but of course then it applies to everyone and everything in the OU. I’m at a loss as to what I can do to resolve this.<\/p>\n
Thanks,<\/p>\n
Windows 2012 R2 Domain Level, Window 10 Pro 1803-1809 workstations.<\/p>","upvoteCount":5,"datePublished":"2019-07-02T15:36:08.000Z","url":"https://community.spiceworks.com/t/gpo-access-denied-security-filtering/719173/1","author":{"@type":"Person","name":"davidtechuserr9424","url":"https://community.spiceworks.com/u/davidtechuserr9424"}},{"@type":"Answer","text":"
When you run GPResult /r for that user do they show up in the Group you are using to filter the GPO?<\/p>\n
If you just made these groups you will have to re-log the user to get new group membership.<\/p>\n
A read delegation for Authenticated Users should be fine on the delegation tab. Are you using any deny delegations?<\/p>","upvoteCount":0,"datePublished":"2019-07-02T15:39:09.000Z","url":"https://community.spiceworks.com/t/gpo-access-denied-security-filtering/719173/2","author":{"@type":"Person","name":"justin1250","url":"https://community.spiceworks.com/u/justin1250"}},{"@type":"Answer","text":"
Are your groups machine groups or user groups? Machine GPO or User GPO? If machine security group then you have to add computers to that security group. If it is a user security group then you would add users to the security group. Authenticated users includes computers so remove domain computers from your delegation tab. The only thing you want in the Security filtering is the group, or groups. Keep in mind that the object you are applying the GPO to is a group so you can link the GPO to the parent OU and it will inherit down. You must apply user GPO to users and computer GPO to computers. Make sure you aren’t targeting users with machine GPO and vice versa.<\/p>","upvoteCount":1,"datePublished":"2019-07-02T15:49:48.000Z","url":"https://community.spiceworks.com/t/gpo-access-denied-security-filtering/719173/3","author":{"@type":"Person","name":"johndod","url":"https://community.spiceworks.com/u/johndod"}},{"@type":"Answer","text":"
Thank you, I think the issue is that it’s a computer GPO that I am trying to filter through user groups. The GPO is applied to the computer OU, but I am trying to filter it to a user group. Do you know how I could apply the Removable Storage Access GPOs to just certain users on all computers?<\/p>\n
Thanks,<\/p>","upvoteCount":0,"datePublished":"2019-07-02T17:00:51.000Z","url":"https://community.spiceworks.com/t/gpo-access-denied-security-filtering/719173/4","author":{"@type":"Person","name":"davidtechuserr9424","url":"https://community.spiceworks.com/u/davidtechuserr9424"}},{"@type":"Answer","text":"
Thanks, I didn’t even think to look under the User Config for that…<\/p>","upvoteCount":0,"datePublished":"2019-07-02T17:57:39.000Z","url":"https://community.spiceworks.com/t/gpo-access-denied-security-filtering/719173/6","author":{"@type":"Person","name":"davidtechuserr9424","url":"https://community.spiceworks.com/u/davidtechuserr9424"}}]}}
Hey all,
I know this is a common issue, but none of the other answers I found have worked.
I have two GPOs that I need filtered to specific groups, but they always get denied due to security filtering error. I already added the Authenticated Users (Read) back in for Delegation and I even added Domain Computers (Read) to the Delegation as well and still get security filtering denied.
The only time the GPOs apply is if the security filtering has either Authenticated Users or Domain Computers listed in it, but of course then it applies to everyone and everything in the OU. I’m at a loss as to what I can do to resolve this.
Thanks,
Windows 2012 R2 Domain Level, Window 10 Pro 1803-1809 workstations.
5 Spice ups
When you run GPResult /r for that user do they show up in the Group you are using to filter the GPO?
If you just made these groups you will have to re-log the user to get new group membership.
A read delegation for Authenticated Users should be fine on the delegation tab. Are you using any deny delegations?
johndod
July 2, 2019, 3:49pm
3
Are your groups machine groups or user groups? Machine GPO or User GPO? If machine security group then you have to add computers to that security group. If it is a user security group then you would add users to the security group. Authenticated users includes computers so remove domain computers from your delegation tab. The only thing you want in the Security filtering is the group, or groups. Keep in mind that the object you are applying the GPO to is a group so you can link the GPO to the parent OU and it will inherit down. You must apply user GPO to users and computer GPO to computers. Make sure you aren’t targeting users with machine GPO and vice versa.
1 Spice up
Thank you, I think the issue is that it’s a computer GPO that I am trying to filter through user groups. The GPO is applied to the computer OU, but I am trying to filter it to a user group. Do you know how I could apply the Removable Storage Access GPOs to just certain users on all computers?
Thanks,
TriSept:
Thank you, I think the issue is that it’s a computer GPO that I am trying to filter through user groups. The GPO is applied to the computer OU, but I am trying to filter it to a user group. Do you know how I could apply the Removable Storage Access GPOs to just certain users on all computers?
Thanks,
You typically can’t filter computer policies on a per-user basis. Computer settings are global as in there is only 1, either on or off it applies to the machine and all users who use it.
Why not just make a User GPO and apply the Deny USB to the group of users you want?
Thanks, I didn’t even think to look under the User Config for that…
