Unable to apply Group Policy due to Filtering: Denied (Security)

People,

Can anyone here please assist me in troubleshooting the Group Policy issue where it is showing like the below:
 Apply Outlook Signature (User Policy)
            Filtering:  Denied (Security)

Open in new window


I have done:
1. Added the user to the proper AD security group called "Corporate User" where this group is then added as the Security filtering under the Scope tab.

2. Added the same AD security group called "Corporate User" into the Delegation tab.

But somehow the GPO is not applied successfully and GPresult /R shows: Filtering:  Denied (Security)

Any help would be greatly appreciated.

Thanks,
LVL 13
Senior IT System EngineerSenior Systems EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

oBdACommented:
I guess you did remove the "Authenticated Users" from the Security Filtering, so that now only "Corporate User" is left?
Add "Domain Computers" with at least Read permissions to the GPO as well; this is required since the security update KB3163622 (by design, not a bug!).
Details are here:
Deploying Group Policy Security Update MS16-072 \ KB3163622
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/
Senior IT System EngineerSenior Systems EngineerAuthor Commented:
Possibly,
So I guess it can fix this issue not making it any worst?
oBdACommented:
Yes, giving the computer account(s) Read access will solve this. Been there, done that.
CompTIA Security+

Learn the essential functions of CompTIA Security+, which establishes the core knowledge required of any cybersecurity role and leads professionals into intermediate-level cybersecurity jobs.

Senior IT System EngineerSenior Systems EngineerAuthor Commented:
OK, so for the below Group Policy Object:

For User Policy enabled [Computer Policy disabled] with the Security Filtering, the below must be added as minimal:
AD security group where the user account is residing.
Authenticated Users
Domain Computers
Delegation tab must contain:
AD security group where the user account is residing - Read From Security Filtering
Authenticated Users - Read From Security Filtering
Domain Computers - Read From Security Filtering

what about for the other GPO, Computer Policy enabled [User Policy disabled] with the Security Filtering ?
oBdACommented:
If you want to restrict a User GPO to a group of users, all you need in Security Filtering is the group.
Then either ...
- If the GPO only has User policies, you can just add the group "Domain Computers" in Security Filtering as well.
or
- Add the group "Domain Computers" in the Delegation tab with only Read permissions.

For Computer policies, nothing changed with that hotfix.

Security Filtering is just a simplified view of the Delegation tab.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
PberSolutions ArchitectCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: oBdA (https:#a42279752)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Enterprise

From novice to tech pro — start learning today.