GPO only works on authenticated users

3

1

I am trying to apply a group policy to select users. All of the select users are in a security group. The group policy includes user settings.

I am applying the policy to an OU that includes the user I'm testing with (I've also tried on an OU where the computer is). After it is applied, I run gpresult /r and see that it's not applied and it says:

Filtering: Not applied (Unknown Reason).

Digging deeper, if I run gpresult /scope user /h rsop.html, it says that it's "inaccessible".

Strangely, if I remove my security group from the security filtering and add Authenticated Users, it works fine.

I've re-created the policy and the security group and still the same result.

Does anyone have any suggestions? I know I'm missing something. Are there additional permissions that need to be applied to the security group in AD?

Thanks!

Vinny

Posted 2016-07-29T17:16:41.720

Reputation: 215

Answers

5

There was a change in GPOs recently (security issue that was corrected in Windows Update KB3163622) that I'm pretty sure is what you're running into.

After the new security change, if Authenticated Users is not in the Delegation tab, the GPO won't work (period).

When you remove Authenticated Users from the Security Filter via the GUI, it ALSO removes it from the Delegation tab. This used to not be a problem, now it is. :)

So, after you remove Authenticated Users from the Security Filtering, add them (back) into the Delegation tab (Read-only access should be enough), and then continue editing your Security Filter as you wish.


Picture source, and more info is available from MS here:

Deploying Group Policy Security Update MS16-072\KB3163622 (Posted June, 2016).

Ƭᴇcʜιᴇ007

Posted 2016-07-29T17:16:41.720

Reputation: 103 763

Dude, you are the man. This explains why our GPO for a bunch of stuff stopped working recently. Thank you so much – Vinny – 2016-07-29T17:55:20.957
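The check described in the answer above can be run across a whole domain. This is an added example, not part of the original answer: it assumes the GroupPolicy PowerShell module (installed with GPMC/RSAT) and an account allowed to read and modify GPO permissions, and the `-Fix` switch and the output property names are made up for this sketch.

```powershell
#Requires -Modules GroupPolicy
# Added example: list GPOs where "Authenticated Users" has no usable ACE on the
# Delegation tab, and optionally grant Read (without Apply) as the answer suggests.
param(
    [switch]$Fix   # hypothetical switch: when set, add the Read permission
)

# Well-known SID for Authenticated Users; matching on the SID avoids
# problems with localized group names.
$authUsersSid = 'S-1-5-11'

foreach ($gpo in Get-GPO -All) {
    # All ACEs on this GPO that belong to Authenticated Users.
    $aces = @(Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Trustee.Sid.Value -eq $authUsersSid })

    # "Allowed" means at least one non-deny ACE is present
    # (GpoRead, GpoApply, or a higher level).
    $allowed = @($aces | Where-Object { -not $_.Denied })
    if ($allowed.Count -gt 0) { continue }

    $remediated = $false
    # A deny ACE needs manual review, so only fix GPOs with no ACE at all.
    if ($Fix -and $aces.Count -eq 0) {
        # GpoRead grants Read only. Security filtering still decides who
        # applies the GPO, because Apply is not granted here.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        $remediated = $true
    }

    [pscustomobject]@{
        GpoName    = $gpo.DisplayName
        GpoId      = $gpo.Id
        HasDenyAce = ($aces.Count -gt 0)
        Remediated = $remediated
    }
}
```

Run it without `-Fix` first to get a report of affected GPOs. Any GPO listed with `HasDenyAce` set to True was restricted on purpose at some point and should be reviewed by hand rather than changed by the script.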