Jason Richmond
asked on
Can't apply GPO to computers in a security group
Computer as a member of a domain security group is not having a GPO applied.
Details:
Global Security group - SMBv1Disable
Members: about 15 computer accounts
GPO - Disable SMBv1
Delegation:
AUthenticated users - read (but not apply group policy)
Domain admins/Enterprise Admins/System - full control
Domain Computers - read (but not apply group policy)
SMBv1Disable (security group from above) read + apply group policy
I've rebooted a computer that is a member of the SMBv1Disable group
when running gpresult I get an error for my "Disable SMB v1" GPO: Access Denied (Security Filtering)
I don't understand what I have wrong in my security filtering that is preventing this GPO from being applied.
The GPO is linked to my top level domain.
Security filtering (as indicated above) is SMBv1Disable (the security group)
Any ideas?
Details:
Global Security group - SMBv1Disable
Members: about 15 computer accounts
GPO - Disable SMBv1
Delegation:
AUthenticated users - read (but not apply group policy)
Domain admins/Enterprise Admins/System - full control
Domain Computers - read (but not apply group policy)
SMBv1Disable (security group from above) read + apply group policy
I've rebooted a computer that is a member of the SMBv1Disable group
when running gpresult I get an error for my "Disable SMB v1" GPO: Access Denied (Security Filtering)
I don't understand what I have wrong in my security filtering that is preventing this GPO from being applied.
The GPO is linked to my top level domain.
Security filtering (as indicated above) is SMBv1Disable (the security group)
Any ideas?
ASKER
Latched to domain level.
Inheritance is enabled for everything.
Removed all security filtering except for System, SMBv1Disable, and Authenticated Users.
No change...
Inheritance is enabled for everything.
Removed all security filtering except for System, SMBv1Disable, and Authenticated Users.
No change...
can you logon to affected computer and check event viewer for system events, it will show errors
what setting you have applied through GPO?
it is user configuration setting or computer configuration setting?
If it is user configuration settings, you must also enable group policy loop back processing mode in replace mode in GPO
setting can be found under computer configuration\administrati ve templates\system\group policy
it is user configuration setting or computer configuration setting?
If it is user configuration settings, you must also enable group policy loop back processing mode in replace mode in GPO
setting can be found under computer configuration\administrati
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Check the OU properties where group is residing \ advanced security tab if inheritance is disabled, if yes, enable it
also check OU from GPMC and if inheritance is blocked, unblock it and then run gpupdate on DC and reboot client and check if GPO applies or not
also from GPMC go to security filtering and only keep required group, remove everything else