Group Policy and Security Groups

aaronsummers · 2015-07-21T19:35:15.000Z

I’m having issues getting a Security Group to apply a GPO. Adding the Security Group to the delegation tab of the GPO works fine. I run a gpupdate /force on a user in the Security Group then run a gpresult -r and it says the GPO is denied due to security. When adding the users individually to the GPO delegation tab the policy works fine. I cannot find why the GPO is denying the Security Group but not individual users. Any help would be much apprenticed.

semicolon · 2015-07-21T19:49:35.000Z

You’ll need to provide some screenshots, I believe.

You cannot apply GPOs to Security Groups (or any groups, really). GPOs only get applied to accounts (users and computers) and they are linked to the Domain, OU, or the Site.

I’m wondering why you’re using the delegation tab for this?

How is the Security Filtering configured on this GPO?

Rob-Dunn · 2015-07-21T21:23:51.000Z

Does the GPO reside at or above where the user sits with regards to OU/user object placement?

If you’ve configured security filtering with groups, the user must fall into the management scope (i.e. somewhere beneath the OU where the GPO is linked) in order for it to work.

Like Semicolon said, GPOs apply to users and computers, but they can be filtered by groups.

bahnjee · 2015-07-22T13:23:04.000Z

As Semicolon and Rob have pointed out (but with screenshot goodness) you want to be using Security Filtering instead of delegation.

SecFIltering.jpg493×611 150 KB

Rob-Dunn · 2015-07-22T13:41:02.000Z

To clarify - security filtering is a magic window to the delegation tab. Basically the filtering shows who can or cannot apply the GPO, while the delegation tab will show additional permissions; ‘deny group policy’ and ‘apply group policy’ are part of those permissions, which is essentially what the scope tab will show.