Group Policy not applying to security filtered user or group

 

Came across an issue this week where a newly imaged computer would not apply group policies that were filtered to an Active Directory group. GPResult showed no reference of the group policy, but it did show that the user was in the correct AD group.

 

After much research, I found that Microsoft released a Security Update for Group Policy on June 14, 2016 (https://support.microsoft.com/en-us/kb/3163622). This security update changes the way a client workstation reads the group policy. Prior to this update being installed, if a GP was a user policy, the policy would have been read by the current user’s credentials. Once the security update is applied to the client’s workstation, all group policies are read by the computer account.

 

To fix the issue, go to the group policy in which has security filtering and click on the Delegation tab. Click Add and add Authenticated Users with Read permission. Or, you can add Domain Computers with Read permission. Adding the permission under the Delegation tab with either method, only allows the computer accounts to read the policy to apply it based on the security filter. It will not apply to all authenticated users or domain computers.

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>