Security Filtering Issue

shadow75795007 · 2019-06-19T16:30:11.000Z

I have a GPO where Authenticated users are set to read and not apply

When I add a user to the scope, the gpo applies to that user no issue

When I add a security group with that user in it to the gpo, it doesn’t apply at all.

Checked permissions, there is no deny

DragonsRule · 2019-06-19T17:19:18.000Z

GPOs apply to OUs, not groups or users.

How are you trying to apply this to a security group?

FrenchToast · 2019-06-19T17:21:25.000Z

With everything that you have set. Log in as the user. Launch cmd and type gpresult /r. See if you group policy object is even being applied.

In regards to DragonsRules reply hes correct. Are you using item level targeting to target your security group?

Internet_Schneider · 2019-06-19T19:11:18.000Z

What is that GPO that you are trying to apply it to users?

icanfixit-v2 · 2019-06-21T03:11:55.000Z

Please post the screenshot, something you are doing is not tight, that’s my gut feeling.

shadow75795007 · 2019-06-21T13:06:49.000Z

Whenever I apply security filtering to an individual:

Whenever I apply security filtering to a group that the user is in:

FrenchToast · 2019-06-21T13:21:58.000Z

Trying linking the GPO to your domain like test.local for example.

Then just add the group to the security filtering

Then run a gpupdate /force followed by a gpresult /r and see if its still being denied.

DragonsRule · 2019-06-21T13:24:52.000Z

You may want to have a look at this, about security filtering with GPOs. Make sure you have the correct setting in the Delegation tab.

Beware - Known Issues with update kb3159398 Windows

Has anyone had issues with this? It’s a GPO security update: But there are reports of it breaking GPOs. EDIT: MS has said this is BY DESIGN and thus will not be fixed. This link explains why this is happening and how to fix your GPOs so you can apply this update without issue. Don’t want to read the whole MS article? See this post, later in this thread: https://community.spiceworks.com/topic/post/5917169 EDIT 2: I strongly urge everyone to NOT decline this update. Don’t approve it, …

shadow75795007 · 2019-06-21T13:30:28.000Z

It is linked to the domain.

shadow75795007 · 2019-06-21T13:31:39.000Z

Authenticated users has read access, but not apply.

It applies with no issues when applying security filtering to an individual, but get denied when applied to a group that the individual is in.

Domain Computers also has read access

DragonsRule · 2019-06-21T13:34:29.000Z

Shadow7579:

Authenticated users has read access, but not apply.

Domain Computers also has read access

Hmmm… okay, that should work then. Something else is filtering it out, not this particular setting.

shadow75795007 · 2019-06-21T13:38:02.000Z

The security group I’m attempting to apply it to is brand new, created just for this purpose, I’ve tried other security groups as well with the same results. The only time it applies, is when I use security filtering per user, doesn’t work on groups.

I have a previously created gpo that is applying to security groups with security filtering with no issues, and as far as I can tell, there is no difference between the two.