New GPO not applying to my computer

SomewhereinSC · 2023-02-16T11:22:22.000Z

If the OU only contains your computer there’s not a reason to mess with the Authenticated users, it will only apply to your computer.

OasisFan · 2023-02-16T12:49:48.000Z

The OU contains all computers (it is an existing OU used for other things as well).

It’s just the Security Filtering section that only contains my computer.

dedbunny · 2023-02-16T12:58:20.000Z

Have you tired running gpupdate/force? try that after you apply it to the OU

SomewhereinSC · 2023-02-16T13:00:55.000Z

I perform my testing like so, my normal user computers are in an OU call Office Computers, I create another OU under Office Computers called Test and move my test PC into that OU. I then apply my GPO’s that I’m trying to test to that Test OU. This separation not only allows me to get the normal and working GPO’s from my Office Computers OU, but also let’s me test my work in progress GPO’s.

jessepadilla · 2023-02-16T13:06:23.000Z

click on that delegation tab, find your computer and click apply policy.

blackwingrev · 2023-02-16T13:29:33.000Z

Try gpupdate /force. It takes a while for GPOs to kick in. If that doesn’t work, I suspect it’s where the GPO has been linked. Be careful linking it to the top domain though. I’d recommend having it stay in “Group Policy Objects” for now

OasisFan · 2023-02-16T13:30:47.000Z

configur3d:

click on that delegation tab, find your computer and click apply policy.

I did check there an my computer does have the Apply Policy setting ticked.

OasisFan · 2023-02-16T13:31:33.000Z

DedBunny:

Have you tired running gpupdate/force? try that after you apply it to the OU

Yes have tried that a couple of times. It’s been a few hours now. Also tried restarting the computer a couple of times as well.

delta-sierra-426 · 2023-02-16T13:34:42.000Z

You are seeing expected results when running nltest /sc_query: from your client PC?

nltest /sc_query:<your domain.TLD>

Domain controllers look healthy after reviewing dcdiag /c /v ?

dcdiag /c /v

OasisFan · 2023-02-16T13:51:22.000Z

delta-sierra_426:

You are seeing expected results when running nltest /sc_query: from your client PC?
nltest /sc_query:<your domain.TLD>
Domain controllers look healthy after reviewing dcdiag /c /v ?
dcdiag /c /v

Yes they all give expected results.

anorexicllama · 2023-02-16T14:13:37.000Z

If you run a gpresult - Do you see the new policy being applied?

OasisFan · 2023-02-16T14:45:10.000Z

AnorexicLlama:

If you run a gpresult - Do you see the new policy being applied?

Nope. I’ve tried the usual GPRESULT /R /SCOPE COMPUTER as well.

It doesn’t show under Applied Group Policy objects (our other GPOs do) nor does it show under The following GPOs were not applied because they were filtered out.

It’s as if I’ve not created the GPO.

This will almost definitely be something silly or a step I’ve missed.

gambler490 · 2023-02-16T15:03:17.000Z

I think there’s one step you missed.

Go to Delegation, and add “Authenticated Users” and give it Read permission.

You have to do that whenever you remove it from Security Filtering.

molan · 2023-02-16T15:15:55.000Z

When you remove the authenticated users to specify only specific groups\devices\users there are some extra steps that must be taken before the GPO will apply.

You will need to grant domain computers with READ access on the delegation tab before it will work.

See this Thread for further details

GPO - Filtering: Not Applied (Unknown Reason) Windows

I’ve been working on a particular GPO that doesn’t want to apply itself for a particular user. Running Group Policy Management on Windows Server 2008 R2 Client is running Windows 7 Pro 64 bit (However this issue happened on multiple computers in the domain) This is an example of my results after running gpresult /R [Capture.PNG] After searching many posts on Spiceworks all answer pointed to incorrectly assigning your security groups or not understanding the difference between a user object …

Since Microsoft added MS16-072: Security update for Group Policy: update to Servers :

“MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context. This issue is applicable for the following KB articles”

For every GPO with user or group security filtering you must add to the “Delegation” tab “Authenticated users” group with permissions “READ”. Security filtering can stay the same.
For every GPO with Computer security filtering you must add to the “Delegation” tab “Domain Computers” group with permissions “READ”. Security filtering can stay the same.

This assumes this is a computer targeted Policy. If it also targets user settings don’t forget to target your account and also add Domain Users with Read rights in the delegation

bob2213 · 2023-02-16T15:27:25.000Z

What is the settings of the gpo? You filtered the policy to your computer so only Computer Configuration settings will apply, none of the User Configuration settings will. Also check the GPO Status on the details tab - if it is set to ‘Computer configuration settings disabled’ then the gpo will not apply at all.

jamespeterson5 · 2023-02-16T16:50:14.000Z

Not only does the computer need read permissions for the GPO it also needs “apply group policy” permissions or the policy will not apply.

kevinweller · 2023-02-16T20:14:11.000Z

Lots of good information here. Not sure if it has been mentioned but if I remember correctly you won’t see GPO info for computers using RSOP or gpresult w/o admin privileges.

OasisFan · 2023-02-17T07:39:08.000Z

Gambler490:

I think there’s one step you missed.

Go to Delegation, and add “Authenticated Users” and give it Read permission.

You have to do that whenever you remove it from Security Filtering.

Still no results after doing that. GPRESULT /R /SCOPE COMPUTER only shows the existing computer GPO’s.

I’ll go through the additional responses above and report back.

OasisFan · 2023-02-17T08:46:57.000Z

molan:

When you remove the authenticated users to specify only specific groups\devices\users there are some extra steps that must be taken before the GPO will apply.

You will need to grant domain computers with READ access on the delegation tab before it will work.

See this Thread for further details

GPO - Filtering: Not Applied (Unknown Reason)

Since Microsoft added MS16-072: Security update for Group Policy: update to Servers :

“MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context. This issue is applicable for the following KB articles”

For every GPO with user or group security filtering you must add to the “Delegation” tab “Authenticated users” group with permissions “READ”. Security filtering can stay the same.
For every GPO with Computer security filtering you must add to the “Delegation” tab “Domain Computers” group with permissions “READ”. Security filtering can stay the same.

This assumes this is a computer targeted Policy. If it also targets user settings don’t forget to target your account and also add Domain Users with Read rights in the delegation

Still no change unfortunately after trying this.

OasisFan · 2023-02-17T09:34:14.000Z

@mattolan ’s suggestion above seems to have done the trick. Think I had to leave it a while to take effect even after running gpupdate and signing out and back in.

Both GPRESULT /R / SCOPE COMPUTER and RSOP.MSC (run as admin) now both show the GPO settings being applied.

Thanks very much to all.

For future reference for anyone (including myself) that comes across this, here are a few points:

Create and apply the GPO to an OU that contains the computer(s) you want to apply the GPO to.
Add the computer(s) that you want to apply the GPO to under Security Filtering.
On the Delegation tab, add Authenticated Users with Read permissions (and not the Apply Group Policy permission)
On the Delegation tab, add the Domain Computers group with Read permissions (and not the Apply Group Policy permission)
On the Delegation tab, add the computer(s) you want to apply the GPO to and ensure they have the Read and Group Policy permissions enabled
Make the changes to the GPO as required
On the computers, from an elevated command prompt run GPUPDATE /FORCE, followed by GPRESULT /R /SCOPE COMPUTER to verify the GPO is now being applied.
You can also use RSOP.MSC (run as admin) to view the actual settings being applied by the GPO. This handily also shows you the name of the GPO next to each setting.