We help IT Professionals succeed at work.

Can't apply GPO to computers in a security group

141 Views
Last Modified: 2019-02-08
Computer as a member of a domain security group is not having a GPO applied.
Details:

Global Security group - SMBv1Disable
Members: about 15 computer accounts

GPO - Disable SMBv1
Delegation:
AUthenticated users - read (but not apply group policy)
Domain admins/Enterprise Admins/System - full control
Domain Computers - read (but not apply group policy)
SMBv1Disable (security group from above) read + apply group policy

I've rebooted a computer that is a member of the SMBv1Disable group
when running gpresult I get an error for my "Disable SMB v1" GPO:  Access Denied (Security Filtering)

I don't understand what I have wrong in my security filtering that is preventing this GPO from being applied.
The GPO is linked to my top level domain.
Security filtering (as indicated above) is SMBv1Disable (the security group)

Any ideas?
Comment
Watch Question

MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
where you latch the GPO? at domain level?

Check the OU properties where group is residing \ advanced security tab if inheritance is disabled, if yes, enable it
also check OU from GPMC and if inheritance is blocked, unblock it and then run gpupdate on DC and reboot client and check if GPO applies or not

also from GPMC go to security filtering and only keep required group, remove everything else
Jason RichmondPresident

Author

Commented:
Latched to domain level.

Inheritance is enabled for everything.
Removed all security filtering except for System, SMBv1Disable, and Authenticated Users.

No change...
MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
can you logon to affected computer and check event viewer for system events, it will show errors
MaheshArchitect
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
what setting you have applied through GPO?

it is user configuration setting or computer configuration setting?

If it is user configuration settings, you must also enable group policy loop back processing mode in replace mode in GPO
setting can be found under computer configuration\administrative templates\system\group policy
President
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.