Can't apply GPO to computers in a security group

Jason Richmond
Jason Richmond used Ask the Experts™
on
Computer as a member of a domain security group is not having a GPO applied.
Details:

Global Security group - SMBv1Disable
Members: about 15 computer accounts

GPO - Disable SMBv1
Delegation:
AUthenticated users - read (but not apply group policy)
Domain admins/Enterprise Admins/System - full control
Domain Computers - read (but not apply group policy)
SMBv1Disable (security group from above) read + apply group policy

I've rebooted a computer that is a member of the SMBv1Disable group
when running gpresult I get an error for my "Disable SMB v1" GPO:  Access Denied (Security Filtering)

I don't understand what I have wrong in my security filtering that is preventing this GPO from being applied.
The GPO is linked to my top level domain.
Security filtering (as indicated above) is SMBv1Disable (the security group)

Any ideas?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
MaheshArchitect
Distinguished Expert 2018

Commented:
where you latch the GPO? at domain level?

Check the OU properties where group is residing \ advanced security tab if inheritance is disabled, if yes, enable it
also check OU from GPMC and if inheritance is blocked, unblock it and then run gpupdate on DC and reboot client and check if GPO applies or not

also from GPMC go to security filtering and only keep required group, remove everything else

Author

Commented:
Latched to domain level.

Inheritance is enabled for everything.
Removed all security filtering except for System, SMBv1Disable, and Authenticated Users.

No change...
MaheshArchitect
Distinguished Expert 2018

Commented:
can you logon to affected computer and check event viewer for system events, it will show errors
MaheshArchitect
Distinguished Expert 2018

Commented:
what setting you have applied through GPO?

it is user configuration setting or computer configuration setting?

If it is user configuration settings, you must also enable group policy loop back processing mode in replace mode in GPO
setting can be found under computer configuration\administrative templates\system\group policy
A few reboots (it took 5) fixed it

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial