This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(272, 35%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDK%3C/text%3E%3C/svg%3E)
I'm in an enterprise AD (univ) environment where I control our main OU and sub-OUs, where I apply GPOs. I have a standard WSUS GPOs to push auto installs and restarts at night, and then a "no auto restart WSUS GPO I want to apply to one PC in a particular sub OU.
I have a standard WSUS GPO that I apply to all sub GPOs that has "4-Auto download and schedule install" -> for "4-Every Wed" at 22:00, and "Every week" enabled. Also the "allow auto update immediate install" is enabled (description states its for certain updates that neither interrupt windows services nor restart windows), and "No auto-restart with logged on users" disabled. I apply this to all sub OUs (different groups of PCs).
For the one PC, in a particular sub OU, that I don't want to "auto install\restart" with updates, I created another GPO with "allow auto updates immediate install" disabled and "3-Auto download and notify for install" with "No auto-restart with logged on users" enabled and the Scope set via Security Filtering to the particular PCs Name and the Username who will be logged in overnight (is using both PC name and user incorrect?).
I have this latter "no auto restart" GPO as #3 link order and the former "standard WSUS GPO" as #4 link order for the other PCs in this sub OU.
As I understand it, GPOs with a smaller precedence number are processed last and take precedence over GPOs with higher numbers, so the no auto restart GPO should take precedence, correct?
The problem is that the PC in question still keeps auto installing and restarting updates, and it is on Wed mornings at approx 6:30. I don't understand why the precedence is of the two GPOs is not applying, and even so why the seemingly applied standard WSUS GPO installs on Wed morning when it is set as "4-Auto download and schedule install" -> for "4-Every Wed" at 22:00.
B is partly correct - but the Authenticated Users must be done in the Delegation tab and only given the READ permission.
Remove Authenticated Users from the filter scope, add instead a GROUP or COMPUTER or USER
If applying a COMPUTER based policy, add AUTHENTICATED USERS or DOMAIN COMPUTERS in the delegation tab with READ permissions only (but if you only add Domain Computers, Admins will still have trouble seeing the GPO, but when doing a GPResult /h gpo.htm - the computer WILL be able to see it's name.)
Domain Computers is a subset of Authenticated Users.
Great. Thanks for the Help!
Use GPResult to figure out what's going on - it will not only tell you what the end result policy is, but also it will tell you which GPO 'wins'
From an Administrative Command Prompt on an affected client, run the following:
gpresult /h gpo.htm
You can also use gpmc.msc to see - click on an OU, click Group Policy Inheritance tab. The closer the GPO is to #1, the more it will take precedence over others behind it.
Tnx for the response. So you have confirmed my understanding that the precedence of the link order is set correctly.
Still though the PC in question is auto updating and restarting. Is it how I applied the Scope of the "no auto-restart" GPO (to the PC name AND the username)? Or does something in the GPO configuration settings I listed look off?
Tnx
Are you suffering from the missing Authenticated Users in the delegation tab of your new GPO? You've removed Authenticated Users from the scope tab (that's fine) but then you have to add the Authenticated users group to your Delegation tab with READ permissions....
It has to do with a Windows Update released in June 2016 - MS16-072 - https://support.microsoft.com/en-us/kb/3163622
Taken from Emin's blog - https://p0w3rsh3ll.wordpress.com/2016/06/16/fix-gpo-permissions-before-applying-ms16-072/
To quickly display GPO names that don't have the Authenticated Users group, you can do:
Powershell
Get-GPO -All | ForEach-Object {
# Test if Authenticated Users group have at least read permission on the GPO
if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
$_
}
} | Select DisplayName
To add back the Authenticated Users group with Read Permissions on the Group Policy Object (GPO), you can do:
Powershell
Get-GPO -All | ForEach-Object {
if ('S-1-5-11' -notin ($_ | Get-GPPermission -All).Trustee.Sid.Value) {
$_ | Set-GPPermission -PermissionLevel GpoRead -TargetName 'Authenticated Users' -TargetType Group -Verbose
}
}
Now, every GPO has a permission set for the 'Authenticated Users' group and to check what permission is set for this group, you can do:
Get-GPO -All | ForEach-Object {
[PsCustomObject]@{
DisplayName = $_.DisplayName
Permission = ($_ | Get-GPPermission -TargetName 'Authenticated Users' -TargetType Group).Permission
}
} | Out-GridView -Title 'Authenticated Users permissions'
Tnx for the info. In fact, I started to compare GPOs and the one in question, I had deleted the authenticated users w/ read rights as I thought adding just the individual user account and their PC name would be enough. I have now added it back to the GPO in the Filter section (not w/ Powershell), I'd assume both methods to add it work. I'll have to test it out to make sure that is it.
Tnx!
Btw, adding the Authenticated Users back would include all domain users. To filter on the GPO in question to only affect the one particular PC, i have also added the PC name. Should that suffice or is the a good reason that I should I also add the username of the person who maybe logged into this PC as well? Or will this possibly cause unintended consequences? Actually, not sure if Filtering on the PC and and on a username make sense at all in any situation but I don't have experience with this.
Tnx.
having READ permission only allows a user to run
gpresult /h gpo.htm
and SEE the name of the GPO that failed to apply. It doesn't apply it during processing, however it allows the visibility for troubleshooting.
I suggest Authenticated Users, but you can also do just Domain Computers (but you may lose the visibility)
I appreciate your input and help!
I keep reading info about the changes after MS16-072 in regard to filtering and adding required Authenticated Users and Domain Computers (that have "Read from Security Filtering permissions") , but I am unfortunately still confused.
Again, I'd like to use filtering to apply the no auto-restart GPO to one PC.
Must I
a. add the PC name to the filter section AND also add Domain Computers
b. add the PC name to the filter section AND also Authenticated Users
c. add the PC name to the filter section AND both Authenticated Users and Domain Computers
Which choice is the best and most concise and why?
Tnx!
Watch the first video by Dan Holme, starting at time 15:52
https://www.ajtek.ca/guides/role-based-access-security/
I recommend watching the entire video along with the other videos on that page by Dan Holme.
I've watched your video and where you speak of filtering GPOs using groups and also WMI filters. This is not what I am interested in. I did not hear anything else in that video that answers my previous question.
I understand there maybe many ways to change this OU, sub-OU configuration, etc., but I am only interested in working with this configuration. I don't want to reinvent the wheel.
Given the changes after MS16-072 in regard to filtering and adding required Authenticated Users and Domain Computers (that have "Read from Security Filtering permissions") ,
Must I
a. add the PC name to the filter section AND also add Domain Computers
b. add the PC name to the filter section AND also Authenticated Users
c. add the PC name to the filter section AND both Authenticated Users and Domain Computers
d. option a, b, c won't work and explanation of why and what might work within this specific scenario
Tnx.