Roger Pray asked:

Two GPOs - one gets applied, the other does not

I have two GPOs in a testing OU with inheritance blocked - one has a link order of 6 and is called "Deny Add Printer", and the other has a link order of 5 and is called "Allow Add Printer".

The Deny GPO has a security filter for Authenticated Users and denies users the ability to add printers to their workstation: User Config/Policies/Admin templates/Control Panel/Printers - Prevent Addition of Printers = Enabled.

The Allow GPO has a security filter that is set to a specific AD group of users that should be allowed to add printers: User Config/Policies/Admin templates/Control Panel/Printers - Prevent Addition of Printers = Disabled.

My understanding is that the item at link order 6 should get processed and deny the addition of printers for all users, then link order 5 gets processed, determines my account is a member of the specific AD group, and enables the addition of printers. However, when I run RSOP, Prevent Addition of Printers is enabled, and when I do a GPRESULT there is no sign that the Allow GPO was ever processed.

If I remove the link on the Deny GPO, the Allow GPO processes just fine.

I am at a loss as to what is causing this. We've tried putting an enforce on the Allow GPO, and we've moved it to a link order of 1 - nothing has worked.
masnrock

Would it be possible to see the 2 GPOs?
ASKER CERTIFIED SOLUTION
Roger Pray
Just an FYI in case you run into this in the future. I was trying to implement a GPO with a change to the default security settings, like you were in your Allow GPO. I was having trouble getting it to work. I found two things that seemed to fix that. One was to make sure that the security group was a global and not a universal group. The second thing was that MS released a security patch in 2016 that "broke" this feature. The answer is to add either Domain Computers or Authenticated Users to the Delegation tab of the GPO and give it Read permissions. Since I was doing a user GPO, I chose to put in Authenticated Users.
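The checks and the fix described in the accepted post, as an added PowerShell example that is not part of the original thread. The 2016 change referred to is MS16-072 (KB3163622), after which user Group Policy is retrieved in the computer account's security context, so a GPO whose security filter names only a user group must still grant Read (not Apply) to Authenticated Users or Domain Computers, or the client silently drops it from processing, which matches the GPRESULT symptom in the question. The script assumes the RSAT GroupPolicy and ActiveDirectory modules, the two GPO names from the thread, and a hypothetical OU distinguished name and group name; the `Test-GpoReadable` helper is defined here for illustration.

```powershell
# Added example (not from the original post). Assumes RSAT GroupPolicy and
# ActiveDirectory modules; the OU DN and group name below are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$TestOu     = 'OU=Printer Test,DC=corp,DC=example'   # assumed OU distinguished name
$AllowGpo   = 'Allow Add Printer'                     # GPO names from the thread
$DenyGpo    = 'Deny Add Printer'
$AllowGroup = 'Printer-Installers'                    # assumed security group name

# 1. Link order, enforcement and block-inheritance on the test OU.
#    Order 1 has the highest precedence: it is applied last and wins conflicts.
$inh = Get-GPInheritance -Target $TestOu
"Inheritance blocked on OU: $($inh.GpoInheritanceBlocked)"
$inh.GpoLinks | Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. Group scope: the post found a global group worked where a universal one did not.
Get-ADGroup -Identity $AllowGroup -Properties GroupScope |
    Select-Object Name, GroupScope

# 3. Delegation check (hypothetical helper): does the computer side have Read on the GPO?
#    Post-MS16-072 the computer account reads user policy, so a GPO filtered to a user
#    group still needs Authenticated Users or Domain Computers with at least GpoRead.
function Test-GpoReadable {
    param([Parameter(Mandatory)][string]$Name)
    $perms = Get-GPPermission -Name $Name -All
    $readers = $perms | Where-Object {
        $_.Trustee.Name -match 'Authenticated Users|Domain Computers' -and
        -not $_.Denied -and
        $_.Permission -in @('GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity')
    }
    [pscustomobject]@{
        Gpo                 = $Name
        ReadableByComputers = [bool]$readers
        Trustees            = ($readers | ForEach-Object { "$($_.Trustee.Name):$($_.Permission)" }) -join ', '
    }
}
Test-GpoReadable -Name $AllowGpo
Test-GpoReadable -Name $DenyGpo    # Authenticated Users already has GpoApply here, so it passes

# 4. Remediation from the post: grant Authenticated Users Read on the Allow GPO.
#    Read only. Granting GpoApply to Authenticated Users would undo the group filtering
#    and make the Disabled setting apply to everyone.
$existing = Get-GPPermission -Name $AllowGpo -TargetName 'Authenticated Users' `
    -TargetType Group -ErrorAction SilentlyContinue
if (-not $existing) {
    Set-GPPermission -Name $AllowGpo -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead | Out-Null
    "Granted Read on '$AllowGpo' to Authenticated Users"
}

# 5. Verify from the workstation as the test user. The RSoP report lists applied GPOs
#    and, separately, GPOs that were filtered out and the reason (e.g. "Access Denied
#    (Security Filtering)").
gpupdate /force
gpresult /scope user /r
```

Run steps 1 to 4 on a machine with RSAT, as an account that can edit the GPO; step 5 on the workstation. If `Test-GpoReadable` reports the Allow GPO as not readable while the Deny GPO is, the Deny GPO applying alone is exactly the behaviour the question describes, and the `Set-GPPermission` call is the fix the accepted post arrived at.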
Roger Pray

ASKER

I resolved the issue after having posted the question; the resolution is in the follow-up post.