-1

I have the following Active Directory:

My Domain
--- Computers
------ Servers
------ Workstations
--------- My Workstation
--- Security Groups
------ MySecurityGroup (Members: MyUser, ...)
--- Users
------ Standard
--------- MyUser
------ Administrator

I created a GPO and linked it to the Users OU. The GPO only contains user settings.

I then removed Authenticated Users from the GPO Security Filter and added MySecurityGroup.

Unfortunately, Windows 7 Pro does not apply the group policy when MyUser logs into MyWorkstation.

If I add MyWorkstation to the GPO Security Filter, Windows 7 does apply the group policy.

Why do I need to add MyWorkstation to the security filter? The group policy is not linked to an OU that contains MyWorkstation so filtering by MyWorkstation should be meaningless.

Reed Elliott
  • 223
  • 2
  • 15
  • 1
    This is new behaviour, described in [KB3163622](https://support.microsoft.com/en-us/kb/3163622). Your computer can't apply the group policy to the user because it can't read the information in the GPO. The recommended solution is to give the Domain Computers group Read access (via the Delegation tab). – Harry Johnston Jun 25 '16 at 21:40
  • Thank you! I believed that Microsoft had changed something but wasn't able to find the information. The link to KB3163622 provided the information! – Reed Elliott Jun 27 '16 at 03:27

1 Answers1

0

The answer as provided by Harry Johnston in his comment to the original question is that Microsoft changed group policy functionality with the Security Update of Group Policy (MS16-072) which was released on June 14, 2016.

See KB3163622 for details.

Moving forward, you need to include Domain Computers along with your filter item in the group policy security filter.

Reed Elliott
  • 223
  • 2
  • 15