No announcement yet.

Security Filtering on GPO

  • Filter
  • Time
  • Show
Clear All
new posts

  • Security Filtering on GPO

    For years I have applied GPO's effectivly to OU's with user objects/ computer objects.
    I have been recently tasked to apply GPO's to security groups (Group Policy filtering)
    I am not having luck with Security groups picking up GP

    Steps taken
    1. create Security Group (Global)
    2. Add members to security group
    3. Create OU
    4. Create GPO
    5. Assign GPO to OU
    6. Move Security Group into OU
    7. In Delegation Tab>Advanced > de-select "Apply Group Policy" to Authenticated Users (leave read permission
    8. Add security Group in Delegation >Advanced >Apply Group Policy and read permissions.
    9. Verify Security Group is in Scope

    GPupdate /force on both server and client
    No errors on client applying GP
    Log off /Log on / reboot
    The settings specified in GP do not propagate to client
    No errors in event logs

    If I add individual users to the OU-- the policy applies fine

    The question is -- why will the policy apply fine to users but not security groups?
    even though I have folloed steps outlined in
    and other similar sites... I must be missing a critical piece.

    Thanks in advance.

  • #2
    Re: Security Filtering on GPO

    That's not how GPO filtering works. GPO's don't process against security groups, they process against users and computers. Security Filtering allows you to "scope" the GPO so that it applies only to users who are members of the security group in your filter. You need to link the GPO to the OU where the user objects are and then the security filter applies the GPO to only members of that security group.


    • #3
      Re: Security Filtering on GPO

      So to clarify

      Create an OU that contains 10 users but only 2 belong to a security group

      Apply a policy to the OU with delegation set to only the security group, not authenticated users.

      The Policy should only propagate to the 2 users, leaving the other eight alone

      The user objects have to be in the OU where the policy is applied, but the location of the security group does not mater?


      • #4
        Re: Security Filtering on GPO

        Yes, exactly right.


        • #5
          Re: Security Filtering on GPO

          Thanks Joe!


          • #6
            Re: Security Filtering on GPO

            Glad to help.