GPOs denied to Security Group
Posted by ngrybst@reddit | sysadmin | 5 comments
I am creating a GPO to place an icon on the desktop of all users of a Security Group. The GPO is being pushed to the computers; however, it is being denied due to security filtering.
The policy is linked to the same OU as the user objects.
The Security Group is in a different OU.
The Security Group is the only object listed in Security Filtering.
Authenticated Users have read delegation rights.
When I force a gpupdate for my user, which is included in the Security Group, the GPO is listed in the Denied GPOs listing of the results with the reason being Access Denied (Security Filtering).
What am I missing?
Elayne_DyNess@reddit
Glad you found your answer, but I wanted to chime in, to potentially help others.
When you target a GPO via a group, there is a big warning that pops up, and it actually contains the solution.
Target the GPO to the groups you want, and then on the delegation tab, allow Authenticated Users (which includes the computer objects) read only access.
Remember, user settings target user accounts. Computer settings target computer accounts. There is a setting (drawing a blank on it atm) to allow the GPO to be applied to a computer, and apply user settings to anyone who logs into that workstation, even though it doesn't sit above the user accounts.
Best of wishes!
Sajem@reddit
Loopback Processing :)
vannin519@reddit
When you are deploying a GPO that has only user-based settings and filtering on a security group, the computer objects they are logging into also need to be configured to be able to read that policy itself to pick up the user settings.
donatom3@reddit
This is why I usually don't deny read of most GPOs at all and only deny application of the group. Of course, if a GPO has something confidential in it, that is when you need to deny read on it.
ngrybst@reddit (OP)
Perfect. Thank you!
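The check this thread converges on (computer accounts need Read on a security-filtered GPO), as an added example that is not part of the original posts. The function names, the group name `Desktop-Icon-Users` and the sample SIDs are assumptions made up for illustration; `Get-GPO` and `Get-GPPermission` are the GroupPolicy module's cmdlets.

```powershell
# Added example (not from the thread). Flags GPOs whose ACL gives computer
# accounts no Read access, which blocks security-filtered user settings.

function Test-ComputerCanRead {
    # $Permissions: objects shaped like Get-GPPermission -All output
    # (Trustee.Sid, Permission, Denied).
    param([Parameter(Mandatory)] [object[]] $Permissions)

    foreach ($p in $Permissions) {
        if ($p.Denied) { continue }   # a deny entry never grants read
        $sid = [string]$p.Trustee.Sid
        # S-1-5-11 = Authenticated Users; domain RID 515 = Domain Computers.
        # Only these two trustees are checked; individual computer accounts
        # or custom computer groups are not resolved here.
        $coversComputers = ($sid -eq 'S-1-5-11') -or ($sid -match '^S-1-5-21-.+-515$')
        # GpoApply is "Read + Apply group policy" in GPMC, so it includes Read.
        $grantsRead = [string]$p.Permission -in @('GpoRead', 'GpoApply')
        if ($coversComputers -and $grantsRead) { return $true }
    }
    return $false
}

function Get-GpoMissingComputerRead {
    # Live audit; assumes the GroupPolicy module (RSAT/GPMC) and a domain session.
    Import-Module GroupPolicy -ErrorAction Stop
    Get-GPO -All | Where-Object {
        -not (Test-ComputerCanRead -Permissions (Get-GPPermission -Guid $_.Id -All))
    } | Select-Object DisplayName, Id
}

# Constructed sample ACLs (hypothetical group name and domain SID).
# Case 1: only the filtered security group is on the GPO.
$filteredOnly = @(
    [pscustomobject]@{
        Trustee    = @{ Name = 'Desktop-Icon-Users'; Sid = 'S-1-5-21-1111-2222-3333-1601' }
        Permission = 'GpoApply'; Denied = $false
    }
)
# Case 2: same ACL plus Authenticated Users with read-only delegation.
$withAuthUsersRead = $filteredOnly + [pscustomobject]@{
    Trustee    = @{ Name = 'Authenticated Users'; Sid = 'S-1-5-11' }
    Permission = 'GpoRead'; Denied = $false
}

Test-ComputerCanRead -Permissions $filteredOnly
Test-ComputerCanRead -Permissions $withAuthUsersRead
```

On a domain-joined admin workstation, `Get-GpoMissingComputerRead` lists every GPO that would fail the same way for user settings filtered to a group.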