Policy settings incorrectly applied or denied due to security filtering
Updated: March 2, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
If you are using security filtering, you may need to check permissions on the GPO if you are encountering unexpected behavior.
You can use Group Policy to provide or deny access to programs and data in your network, and to enforce policies regarding computer configuration based on assigned privileges and security group memberships. You accomplish this by using the access control functionality built in to Windows 2000 Server and Windows Server 2003 domains and is known as security filtering.
You can restrict application of all the settings in a GPO on the basis of security group memberships by setting a security filter on that GPO. If the computer account or user account does not meet the security filtering criteria, the entire GPO will be denied at that client. For example, you can assign special settings to all the administrators in a portion of the hierarchy by setting the security filter to apply the GPO to all administrators, and then linking the GPO to the highest node in the portion of the hierarchy where you want the settings to apply. All users in that portion of the hierarchy will receive the GPO, but only members of the administrators group will be affected by it.
A security group, user or computer must have both Read and Apply Group Policy permissions for a policy to be applied. By default, all users and computers have these permissions for all new Group Policy Objects. These permissions are inherited from their membership in the implicit group Authenticated Users. An authenticated user is any user (or computer) that has logged on to the domain and been authenticated.
To see the security groups that were in effect when Group Policy was applied to a specific computer, look in the Group Policy Results report for that computer. Under both Computer Configuration Summary and User Configuration Summary, expand Security Group Membership when Group Policy was applied.To check security filtering on a GPO
In GPMC, open Group Policy Objects node, select the GPO you are troubleshooting, and then in the right pane select the Scope tab. The Security Filtering and WMI Filtering panels show the current filtering configuration.
To see the exact set of permissions for users, groups and computers, select the Delegation tab and then click Advanced. Select the security group, user or computer you want to review. Keep the following in mind:
If the policy object should be applied to the security group, user or computer, the minimum permissions should be set to allow Read and Apply Group Policy.
If the policy object should not be applied to the security group, user or computer, the minimum permissions should be set to allow Read and deny Apply Group Policy.
- If the policy object should be applied to the security group, user or computer, the minimum permissions should be set to allow Read and Apply Group Policy.
If a GPO is incorrectly denied or applied due to security filtering because the user or computer had different security group memberships than expected, use Active Directory Users and Computers to check and, if necessary change, the security group memberships.
When restricting the application of a GPO, be sure to remove Authenticated Users. Otherwise all users will always be affected by the GPO.
Computers are members of the Authenticated Users group. If you remove Authenticated Users from the list on the Scope tab and you want the GPO to apply to a computer, you must specifically ensure that the computer belongs to a group that is included in the Security Filtering section on the Scope tab.