Group Policy not applying for a Security Group but applies explicitly to a computer

Ochen Ao 1 Reputation point
2021-09-16T16:28:46.877+00:00

Hi,

I am having a weird issue on my AD environment. I created a GPO (Computer settings) and in Security Filtering i removed Authenticated Users and added a Global Security Group that has a computer nested as a member. The GPO doesn't apply if it is set that way but if i explicitly add the computer account nested in the group, the gpo applies. On delegation, Authenticated Users have only Read permissions, the Group has Read and Apply permissions. There are no other Deny or permission related issues, pretty much straight-forward. The GPO is linked to the OU where the Computer account is, evident by the fact that it applies when the account is added explicitly on Security Filtering.

gpupdate /R /SCOPE COMPUTER shows the GPO as Denied (Security Filtering) for the non-working scenario.

Appreciate some insights on this if anyone has encountered this before? Thanks

Regards,

Ochen

Windows Group Policy
Windows Group Policy
A feature of Windows that enables policy-based administration using Active Directory.
2,130 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
4,307 questions
0 comments

5 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sarat Chandra 561 Reputation points
    2021-09-16T16:55:34.013+00:00

    Hi @Ochen Ao ,

    Can you please create a Test OU under your Domain OU, Please Link your computer-based GPO to that test OU and move your machine under Test OU and please verify the GPO with (rsop. msc) from your machine and see if the GPO is working,(This is for testing only)

    Go back to your previous and follow below.

    if it works please don't remove the Authentication users from the security filter, you make everyone a read-only please refer below. you can add your security based Group to the security filter

    https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo

    if my suggestion helps, please mark this blog as an acceptable answer. please let me know if you have any questions.

    Thanks & Regards,
    Sarat

    0 comments
  2. cthivierge 3,981 Reputation points
    2021-09-16T17:05:48.343+00:00

    You may already did that but, does the computer has rebooted since it has been added to the Global security group ?

  3. Ochen Ao 1 Reputation point
    2021-09-16T17:10:04.22+00:00

    Hi, that's my current setup now. A test OU with a single computer, works with Authenticated Users (the default, already tried that). The problem is when i configure security filtering. it works when i add the computer account. The thing here in focus is the Security group.
    So, all in all, we have this:

    Authenticated Users - Working
    Security Group - Not Working
    Explicit Computer Account - Working.

    Question: Does the Security Group also need to be under the Scope of Management of the GPO?
    My answer, at the moment, is a No but I will defer that to the experts.

  4. cthivierge 3,981 Reputation points
    2021-09-16T17:49:01.867+00:00

    In the GPO, under delegation tab... validate that the global security group has Allow "Apply Group Policy"... Look the the Advanced Tab

    132789-gpo10.png

    132833-gpo11.png

    0 comments
  5. Limitless Technology 37,746 Reputation points
    2021-09-17T09:46:02.797+00:00

    Hello Ochen,

    Do Follow up on the thread discussed in the below link, that will definitely help you out with the issue further.

    https://learn.microsoft.com/en-us/answers/questions/120736/gpos-not-applied-ad-group-issue.html

    Hope this answers all your queries, if not please do repost back.
    If an Answer is helpful, please click "Accept Answer" and upvote it : )

    Regards,

    0 comments