ddockter
(DDoc)
June 30, 2020, 11:32am
1
I know there are many posts on this topic, but here is one more. I’m attempting to use Security Filtering on a GPO applied to a computer OU to restrict the GPO to users in a security group. I’ve removed authenticated users from Security Filtering and added the security group. I then added authenticated users in the Delegation pane with Read access.
When I log into a computer in the OU that has the GPO assigned with a user account in the security group, the GPO doesn’t get applied. GPRESULTS (as well as Group Policy Modeling) shows the GPO denied “Access Denied (Security Filtering)”.
I suspect I’m missing something obvious or just misunderstanding how this should work.
5 Spice ups
In Group Policy Management, click Advanced in the bottom left-hand corner, then in the dialog box, highlight the security group you want the GPO to be applied to and there should be a checkbox within permissions for SYSTEM that says Apply group policy.
If you did this then I have no idea.
ddockter
(DDoc)
June 30, 2020, 11:40am
3
The Apply Group Policy permissions is checked for that group.
Well, you’re not missing anything obvious.
Is it possible that you made these changes without running a gpupdate on the test machine? May be worth running a gpupdate on the AD (I’m not convinced this does anything, but have been told otherwise) and a reboot on your test machine.
Another consideration, does the user that you’re logging in as have any permission restrictions that would stop them from applying the GPO? Maybe ability to browse to the SYSVOL folder?
The fact that the GPO is showing at all in the GPResult is a good sign though.
ddockter
(DDoc)
June 30, 2020, 12:04pm
5
I’ve run gpupdate and rebooted multiple times to no avail. I’m using my account which has no permission restrictions.
1 Spice up
Okay, cool.
Just for giggles. Presumably this computer is a member of domain computers right?
What happens if you add Domain Computers to have read access under the delegation tab?
You can’t “remove” authenticated users. You have to leave that builtin group so they can read the GPO. Just remove their ability to apply the GPO.
ddockter
(DDoc)
June 30, 2020, 12:22pm
8
Domain Computers already has read access under the delegation tab
From what I’m reading everything seems set up right.
Item Level targeting didn’t get enabled by accident right?
Would you be comfortable sending some snips of the GPO windows?
ddockter
(DDoc)
June 30, 2020, 1:00pm
10
Item level targeting is not enabled.
ddockter
(DDoc)
June 30, 2020, 1:00pm
11
Computer GPO settings apply to Computer accounts. User GPO settings apply to User Accounts.
If the GPO is targeting Users, it needs to be linked to the appropriate OU that contains the users.
ddockter
(DDoc)
June 30, 2020, 3:49pm
13
@briansteingraber Authenticated users have Read permission in the Delegation tab. This is a Computer GPO assigned to a Computer OU. I thought you could restrict access to it being applied by specifying a security group in Security Filtering. Maybe I just misunderstood how that works but seem to have read posts that this is possible.
Yes, you can limit what GPO’s target what computers (within an OU) are affected using security Groups. I do this extensively with no issues.
That being said, in your OP you mention USERS in the security group which would NOT work (due to OU). If your GPO has computer settings in it and it is targeting a security group, only computers in that security group will be affected, not users. Is your Computer GPO that’s targeting your security group setting COMPUTER or USER settings?
Example: I have multiple GPO’s that control how computers get updates. Those GPO’s are all targeting a single OU but use different Security Groups in the security filtering.
ddockter
(DDoc)
June 30, 2020, 4:21pm
15
Sounds like I can’t do what I want to.
You can use GPO’s and limit them to only apply to specific users (based on Security Group Membership) just like you can with computers.
If you are attempting to apply settings to specific users on specific computers, you’re going to need to look into Item Level Targeting or Loopback Processing.
ddockter
(DDoc)
June 30, 2020, 5:31pm
17
I do have loop back processing enabled. So here’s what I’m trying to do. Maybe you have some suggestions on how I might accomplish that. I have a Computer GPO that I have applied to a Computer OU. I want to somehow limit the users this GPO gets applied to when they log onto a computer in this OU.
Assuming “Computer GPO” means a GPO with Computer based settings in it, it depends on the Computer settings you are wanting to set/control.
Policy Settings will need to utilize Loopback processing.
Preferences can use Item Level Targeting with Security Group.
What settings are you attempting to set?
ddockter
(DDoc)
June 30, 2020, 6:09pm
19
They are policy settings specifically related to OneDrive. I’m attempting to do a controlled rollout of OneDrive to a specific set of users.
Looks like all the OneDrive Group Policy settings are Computer or User Policies (Not preferences) so Item Level Targeting isn’t an option.
That being said, instead of using Loopback Processing, I would just create a Security Group of the computers you want to target along with a Security Group of the affected users you want to target. Create a GPO for the Computer based OneDrive settings targeting the Computer Security Group (and linked to your Computer’s OU) and another GPO for the User based OneDrive settings targeting the User Security Group (and linked to your Users OU).
Assuming you are referencing the following Microsoft Documentation: IT Admins - Use OneDrive policies to control sync settings - SharePoint in Microsoft 365 | Microsoft Learn ?
Looks like you have to copy the Group Policy Admin Templates over to your Central Store as well.
I didn’t check but some of the OneDrive GP settings may be duplicates (so you can apply them to Computers OR Users).
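The two-GPO layout suggested in the last reply, combined with the earlier advice to leave Authenticated Users with Read but not Apply, can be scripted with the GroupPolicy PowerShell module. This is an added example, not code posted by anyone in the thread; the GPO names, group names and OU distinguished names are hypothetical placeholders.

```powershell
# Added example: GPO names, group names and OU paths below are hypothetical placeholders.
Import-Module GroupPolicy

$targets = @(
    # Computer settings: filter on a group of COMPUTER accounts, link to the computer OU.
    @{ Gpo   = 'OneDrive Pilot - Computer Settings'
       Group = 'OneDrive-Pilot-Computers'
       OU    = 'OU=Workstations,DC=example,DC=com' },
    # User settings: filter on a group of USER accounts, link to the user OU.
    @{ Gpo   = 'OneDrive Pilot - User Settings'
       Group = 'OneDrive-Pilot-Users'
       OU    = 'OU=Staff,DC=example,DC=com' }
)

foreach ($t in $targets) {
    if (-not (Get-GPO -Name $t.Gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $t.Gpo | Out-Null
    }

    # Keep Authenticated Users on the GPO, but Read only. -Replace is required
    # to lower an existing level (the default is Read + Apply).
    Set-GPPermission -Name $t.Gpo -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Only members of the pilot group get Read + Apply group policy.
    Set-GPPermission -Name $t.Gpo -TargetName $t.Group `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Link the GPO; New-GPLink throws if the link already exists.
    try {
        New-GPLink -Name $t.Gpo -Target $t.OU -LinkEnabled Yes -ErrorAction Stop | Out-Null
    } catch {
        Write-Verbose "Link for '$($t.Gpo)' not created: $($_.Exception.Message)"
    }

    # Show the resulting ACL so the filter can be checked before testing.
    Get-GPPermission -Name $t.Gpo -All |
        Select-Object @{ n = 'Gpo'; e = { $t.Gpo } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission
}
```

On a pilot machine, `gpresult /r /scope:computer` and `gpresult /r /scope:user` then show each GPO under applied or filtered-out objects for the computer and the user separately.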