GPO Security filtering question

  • GPO Security filtering question

    Hello,
    I worked on applying a GPO to computer groups. The GPO was configured for Computers.

    In Security Filtering I removed the default, Authenticated Users, and added 2 computer groups to which I wanted to apply the GPO.

    When I ran GPRESULT on a client machine, Computer Policy showed Denied (Security).
    So I decided to add Authenticated Users, and the problem was solved. Now it shows APPLIED in computer and not applied (empty) in user GPO.

    Why does this happen? Logically, I want to apply the GPO only to computer groups, so why did adding Authenticated Users solve the issue? What did I do wrong (or right)?

    Thanks.
    Michael.
    "When you hit a wrong note it's the next note that makes it good or bad". Miles Davis

  • #2
    Re: GPO Security filtering question

    Make sure the GPO is linked to the SOM where the computer objects reside.
    Last edited by L4ndy; 6th January 2012, 00:59.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: GPO Security filtering question

      I tried the same GPO in a test AD. The same result. See pics please.

      In the not-applied pic it says: GPO were not applied because they were filtered out...
      How come adding the Authenticated Users group removes this weird filtering?
      I'm sure it's me that's missing something.

      Also, why in both cases does gpresult not show the computer as part of the WSUS group that it is a member of?


      • #4
        Re: GPO Security filtering question

        GPResult does not show the group wsus_servers_restart in the list of groups the computer is a member of.
        This means the group is in fact not part of the computer object's tokenGroups. Recheck the members of the security group.

        /Rems
        Last edited by Rems; 7th January 2012, 20:16.

        This posting is provided "AS IS" with no warranties, and confers no rights.

        __________________

        ** Remember to give credit where credit's due **
        and leave Reputation Points for meaningful posts



        • #5
          Re: GPO Security filtering question

          Rems,
          this was my question too in the initial post... And after you emphasized that in gpresult the security group that the computer is a member of is not listed, I have a feeling that this awkward way to make the GPO actually apply, which "requires" adding Authenticated Users to Security Filtering, just shows that there is another problem. Because, as I mentioned and you can see in the pic from the previous post, if Authenticated Users is not there the GPO is just not applied.
          See pic please. YES, the machine is a member of the security group wsus_servers_restart.
          Last edited by mla; 8th January 2012, 04:03. Reason: added


          • #6
            Re: GPO Security filtering question

            When you add Authenticated Users to the security filtering, it works because in effect you just give everyone in that group the Read and Apply GPO permissions.
            As I mentioned, can you double-check that when you add that computer group to the security filtering, the GPO is linked to the OU where the computer objects that are members of the group are?

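The checks discussed in posts #4 and #6 (which trustees hold Apply on the GPO, which groups the computer belongs to, and whether the GPO reaches the computer's OU) can be run together. This PowerShell sketch is an added example, not code from any poster in the thread; it assumes the RSAT GroupPolicy and ActiveDirectory modules, and the GPO and computer names are placeholders.

```powershell
# Added example. 'EXAMPLE-GPO' and 'EXAMPLE-PC' are placeholders, not values from the thread.
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoScopeForComputer {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$ComputerName
    )
    $computer = Get-ADComputer -Identity $ComputerName
    $dn = $computer.DistinguishedName

    # 1. Link scope: is the GPO linked to, or inherited by, the computer's OU?
    #    Assumes the computer sits in an OU and its DN has no characters
    #    that need escaping (comma in the CN, parentheses, asterisk, backslash).
    $ou = $dn -replace '^CN=[^,]+,', ''
    $link = (Get-GPInheritance -Target $ou).InheritedGpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }

    # 2. SIDs the directory says the computer holds: itself, Authenticated Users
    #    (S-1-5-11), and every group containing it directly or through nesting
    #    (LDAP_MATCHING_RULE_IN_CHAIN). The primary group is not returned here.
    $sids = @($computer.SID.Value, 'S-1-5-11')
    $sids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        ForEach-Object { $_.SID.Value }

    # 3. Security filtering: trustees holding Apply on the GPO, matched to those SIDs.
    $trustees = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object {
            [pscustomobject]@{
                Trustee        = $_.Trustee.Name
                CoversComputer = $sids -contains $_.Trustee.Sid.Value
            }
        }

    [pscustomobject]@{
        Computer          = $dn
        LinkedOrInherited = [bool]$link
        ApplyTrustees     = $trustees
        FilterMatches     = [bool]($trustees | Where-Object CoversComputer)
    }
}

# This reads membership from the directory. gpresult reports the groups in the
# computer's current token, so a mismatch between the two is itself a finding.
Test-GpoScopeForComputer -GpoName 'EXAMPLE-GPO' -ComputerName 'EXAMPLE-PC' | Format-List
```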

            • #7
              Re: GPO Security filtering question

              The GPO is not linked but inherited...

              See pic.
              Last edited by mla; 8th January 2012, 13:34. Reason: change