How does security filtering work in the GPO

Frédéric Giguère 46 Reputation points
2020-09-24T18:43:32.773+00:00

Hello everyone,

I am trying to solve an issue and need your help.

I have created a GPO that I want to link to a specific group called local_admin.

So in the security filtering section, I put that group local_admin.

After that I log in with one user that is in that group.

A gpresult shows me that this user is indeed in the local_admin group but I can see that the GPO is not even there.

gpupdate /force did not change anything.

In the location, I put the OU where my test user is located (and is in the local_admin group).

So why is that GPO not applied at all?

Thank you for your help


Accepted answer
  1. Anonymous
    2020-10-02T01:03:18.43+00:00

    Hi,
    Based on my understanding, you want to delegate the management to the users, right?
    You can use organizational units (OUs) to delegate the administration of objects, such as users or computers, within the OU to a designated individual or group.
    Right-click the OU (containing users you want to be managed), and then click Delegate Control.
    In the Delegation of Control Wizard, click Next.
    Click Add to add a user or group to the Selected users and groups list, and then click Next. We strongly recommend using a group, even if that group only contains one user.
    And give the group the right you want to assign.

    Best Regards,


7 additional answers

  1. Frédéric Giguère 46 Reputation points
    2020-09-25T14:22:46.61+00:00

    That is weird. After doing what's been asked for, it still does not work.

    What is needed:
    Specific AD users can have local admin rights.

    How to do that?
    Creating a GPO that is linked only to a security group called local_administrator

    Steps:

    • Created test user.
    • Test user added to the local_administrator group
    • Test user is in Management OU (see location in image above)
    • I have added domain users and domain computers in the delegation with read and apply Group Policy rights.

    Result of the test:

    • I log in with the test user. -- The GPO is not there
    • gpupdate /force
    • gpresult /r says that the test user is in the local administrator group but the local_administrator GPO never appears. In fact it has never appeared once so far.

    What is wrong in what I've done?
    Thanks

    1 person found this answer helpful.

  2. Fabian 261 Reputation points
    2020-09-24T21:32:29.25+00:00

    If you removed the "authenticated users" group from the GPO security filter, you must add the "authenticated users" or "domain computers" group with at least read but without apply permission on the GPO delegation tab.

    GPO processing runs as the system account. The authenticated users group contains the computer object, so the system account can read the GPO. If you removed "authenticated users", the system account can no longer read the GPO and the user settings can't be applied.


  3. Anonymous
    2020-09-25T03:07:56.937+00:00

    Hi,
    Thanks for posting here!
    In your situation, it is a user policy. When you remove the authenticated users from the security filter, you need to add 2 parts to the delegation tab:

    • User groups containing the users who will apply the policy; make sure that the users are within the OU. Make sure that the user group has at least read and apply policy permission.
    • Computer groups containing the computers which the users will log on to. The computers should have at least read permission.

    Or you can just leave the authenticated users in the security filter and give read and apply policy permission.

    Best Regards,

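The permission layout described in the two answers above (Authenticated Users with Read only, the target group with Read and Apply), as an added example that is not part of the original thread. It uses the GroupPolicy PowerShell module; the GPO name, group name and OU distinguished name are assumptions or constructed placeholders.

```powershell
# Added example. Values marked "assumed" or "constructed" are not from the thread.
Import-Module GroupPolicy   # part of the Group Policy Management tools (RSAT)

$GpoName     = 'local_admin'                      # assumed GPO display name
$TargetGroup = 'local_admin'                      # group that should receive the GPO
$UserOU      = 'OU=Management,DC=example,DC=com'  # constructed DN, replace with yours

# Authenticated Users: Read only, so clients can read the GPO but it is not
# applied to everyone. -Replace is needed to lower an existing Read + Apply
# entry; without it a higher existing permission is left untouched.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# Target group: Read + Apply. Trustees at this level are the ones GPMC lists
# under "Security Filtering".
Set-GPPermission -Name $GpoName -TargetName $TargetGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verify the resulting ACL.
$acl = Get-GPPermission -Name $GpoName -All
$acl | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
    Format-Table -AutoSize

# Anyone other than the target group holding Apply widens the filter.
$unexpected = @($acl | Where-Object {
    $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne $TargetGroup })
if ($unexpected.Count -gt 0) {
    Write-Warning ("Apply also granted to: " +
        (($unexpected | ForEach-Object { $_.Trustee.Name }) -join ', '))
}

# Computers must still be able to read the GPO.
$readers = @($acl | Where-Object {
    $_.Trustee.Name -in 'Authenticated Users', 'Domain Computers' -and -not $_.Denied })
if ($readers.Count -eq 0) {
    Write-Warning 'Neither Authenticated Users nor Domain Computers can read this GPO.'
}

# A user-side policy only applies if the GPO is linked where the user object lives.
$link = (Get-GPInheritance -Target $UserOU).InheritedGpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $link) {
    Write-Warning "GPO '$GpoName' is not linked to $UserOU or any parent container."
} elseif (-not $link.Enabled) {
    Write-Warning "The link for '$GpoName' exists but is disabled."
}
```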

  4. Frédéric Giguère 46 Reputation points
    2020-09-25T13:33:51.707+00:00

    OK thanks guys!

    I have given the rights in delegation as advised, but they now appear directly in the scope/security filtering tab. I am a little worried by that: does it mean that everybody in the OU will have this GPO applied, since they are all authenticated users?

    I would like only users that are in the local_admin group to have this applied.
