I have an OU with a mix of computers. I want to apply two different GPOs in that OU; each GPO will apply its own WSUS info.
GPO1: Monday 9am Install Patches & Reboot
GPO2: Monday 10pm Install Patches & Reboot
I created an AD group for each one (Group1 has all computers I want for GPO1, Group2 has all computers I want for GPO2).
The OU has both computer members in it.
My policies are in the OU and have only the AD group in the Security Filtering. That policy won’t apply using gpupdate /force.
However, if I add ‘Authenticated Users’ to the Delegation and gpupdate /force, policies show up. The problem is that BOTH policies show up for each computer’s gpresult; I cannot control which GPO applies.
Thanks for any help
Scott
yovev
(KonstantinYovev)
2
Hello, if you don’t explicitly deny permissions for each of the computer’s groups for the other GPO, they are applied in sequence.
And Authenticated users includes all computer objects in the domain so you have to remove it.
Then for GPO1, set the filtering so that SG2 (security group) is denied Read on it, and vice versa for GPO2 and SG1.
This should do the job after next replication and gpupdate, based on your AD configuration.
Thanks for this advice, Konstantin. After doing this, and waiting about 20min for replication and gpupdate /force, I’m still not seeing the GPO applied to the machines. I know Authenticated Users isn’t the way to go but I am curious as to why the GPO applies when I put that into the Security Filtering.
In Delegation, I have Domains Admins (Edit, Delete, modify), Domain Computers (Read), Ent Admins (Edit, delete, modify), System (Edit, delete, modify), and the AD Group for this GPO (Read (from Security Filtering))
I will also say that the OU container that contains these sub-OUs Blocks Inheritance. I don’t know if that matters here for this.
Domain
  OU - Country
    OU - Office
      OU - Servers (Blocks Inheritance)
        OU - Servers1 (needs GPO1 and GPO2)
        OU - Servers2 (needs GPO1 and GPO2 but I could probably get away with inheritance if I can get the level above it to work)
You’re in the wrong tab; leave Security Filtering alone. For each GPO, add the computer group for which you want to block access into Delegation. You have to add them with Read permission, but once added, click the Advanced button in the bottom right and change Read to Deny all.
Effectively you have this:
Gpo1 - group 2 deny all
Gpo2 - group 1 deny all
If you are applying it to computers, this is a GPO with Computer Configuration settings; this type of GPO will not apply automatically after a period of time or after gpupdate /force. You need to restart the computer (or at least log off/log on, but I prefer the restart) in order to see it applied.
davidr4
(davidr4)
7
It would be easier to make sub OUs for the time you want updates applied.
Servers
  - 9 AM Updates
  - 10 AM Updates
It makes life easier when quickly looking to see what policies applied.
davidr4
(davidr4)
8
It works because of this update that happened last year.
yovev
(KonstantinYovev)
9
Benjamin is right, leave the default settings in the Security filtering and make the deny settings in the Delegation.
Sorry for that!
Everything else still applies.
The computers are applying the GPOs, as I already described, because of the Domain Computers security group.
If you use these GPOs only in this OU and you have no other computer objects in it (including in its child OUs), remove everything from the Delegation and add the two security groups with the respective deny settings, as already described above.
Thanks David. So I gather that the only way to get a GPO using an AD Group in Security Filtering to apply is to restart because gpupdate won’t do it?
Thanks again
Scott
Thanks Benjamin, this worked when I had two GPOs in the same OU.
But to Plamen’s point, to get a GPO applied for an OU (one GPO in one OU but using an AD Group in Security Filtering for selected computers in this OU), a restart is necessary and not gpupdate?
justin1250
(Justin1250)
12
Computer group changes are applied on boot, just like user group changes are applied on login.
GPupdate will not update group memberships.
View it in this way: the GPO has two parts, Computer Configuration and User Configuration.
When you are working with any settings in the Computer Configuration part, a restart is needed for the GPO to be applied.
When you are working with any settings in the User Configuration part, in most cases gpupdate /force works. For example, when you deploy a new printer with a GPO, if you run gpupdate /force on the user’s PC, the new printer appears after a few seconds. There are some cases when you need to log the user off and on again in order for the GPO to be applied, for example when you apply a logon script.
icanfixit
(Chris Walten)
14
You need to give “Authenticated Users” read permission on delegation tab of the GPO.
I’m nervous about Authenticated Users (irony!) because I had a bad experience when I added them into the Security Filtering.
What you’re saying here is that if I have the AD Group in the Security Filtering (and the machines are in various OUs), and put Authenticated Users as Read permission in the Delegation, it should work.
Just want to be clear before I do this.
Thanks again for your help
Scott
icanfixit
(Chris Walten)
16
If you filter a GPO with a security group, you need to add Authenticated Users on the Delegation tab. Also, if the computers are in different OUs, you need to link the GPO to each of those OUs.
It’s interesting that in a few of my other domains, I can do what I’m trying to do in this one without modifying the Delegation. The settings are the same in each domain’s version of the Delegation of this policy.
A difference between the working policy and the not-so-working policy is that the working policy is applied at the Domain level whereas the one I’m trying to get working is applied within an OU that has blocked inheritance.
Is that my sticking point?
justin1250
(Justin1250)
18
What objects are in the OU that you are trying to apply this to?
And a note on the Delegation tab: MS16-072, which is the update that changed how security filtering works, only affects user policy. As user settings are now read by the computer account and not the user account, this is why you have to give Authenticated Users a Read delegation.
It should not however affect security filtering by groups of computers.
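An added audit script (not from the thread or any poster) that checks, for each GPO linked to an OU, the points raised above: whether inheritance is blocked, whether a broad Read entry (Authenticated Users or Domain Computers) exists as MS16-072 requires, which trustees hold Deny entries, and whether the intended security group has Apply. It assumes the GroupPolicy RSAT module; the OU path and group names are placeholders.

```powershell
# Added example, not code from the thread. Assumes the GroupPolicy module (RSAT).
Import-Module GroupPolicy

$ouDN   = "OU=Servers1,OU=Servers,OU=Office,OU=Country,DC=example,DC=com"  # placeholder DN
$groups = @{ "GPO1" = "Group1"; "GPO2" = "Group2" }                        # placeholder GPO -> group

$inh = Get-GPInheritance -Target $ouDN
if ($inh.GpoInheritanceBlocked) {
    Write-Warning "Inheritance is blocked at $ouDN; only directly linked or enforced GPOs reach it."
}

foreach ($link in $inh.GpoLinks) {
    $name  = $link.DisplayName
    $perms = Get-GPPermission -Name $name -All
    Write-Host "`n== $name (link enabled: $($link.Enabled), enforced: $($link.Enforced))"

    # After MS16-072 the computer account reads user settings, so group filtering
    # still needs a non-denied Read for Authenticated Users or Domain Computers.
    $broadRead = $perms | Where-Object {
        $_.Trustee.Name -match 'Authenticated Users|Domain Computers' -and
        -not $_.Denied -and $_.Permission -in @("GpoRead", "GpoApply")
    }
    if (-not $broadRead) {
        Write-Warning "$name has no Read entry for Authenticated Users or Domain Computers."
    }

    # List every ACE; the Deny rows are what keep GPO1 off Group2 and GPO2 off Group1.
    foreach ($p in $perms) {
        $flag = if ($p.Denied) { "DENY" } else { "ALLOW" }
        "{0,-6} {1,-30} {2}" -f $flag, $p.Trustee.Name, $p.Permission
    }

    # The group named in Security Filtering must hold GpoApply (Read + Apply).
    if ($groups.ContainsKey($name)) {
        $apply = $perms | Where-Object {
            $_.Trustee.Name -eq $groups[$name] -and $_.Permission -eq "GpoApply" -and -not $_.Denied
        }
        if (-not $apply) { Write-Warning "${name}: $($groups[$name]) lacks GpoApply." }
    }
}
```

Run it from a machine with RSAT against the OU in question; a missing warning-free run still requires a reboot of the target computers for computer-side group membership changes to take effect.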
This is what I have for this GPO. I’ve substituted a machine name for the group. I assume this is what you’re talking about. I’ll let propagation do its thing. Is a reboot necessary (as others have suggested)? I’m kinda in a bind since this GPO is for patch rollout and I’d like the policy in place before it has to go get the patches.
Thanks again
Scott
Hi Justin, items in the group are computers only.