Avatar of Jason Richmond
Jason Richmond
Flag for United States of America asked on

Can't apply GPO to computers in a security group

Computer as a member of a domain security group is not having a GPO applied.

Global Security group - SMBv1Disable
Members: about 15 computer accounts

GPO - Disable SMBv1
AUthenticated users - read (but not apply group policy)
Domain admins/Enterprise Admins/System - full control
Domain Computers - read (but not apply group policy)
SMBv1Disable (security group from above) read + apply group policy

I've rebooted a computer that is a member of the SMBv1Disable group
when running gpresult I get an error for my "Disable SMB v1" GPO:  Access Denied (Security Filtering)

I don't understand what I have wrong in my security filtering that is preventing this GPO from being applied.
The GPO is linked to my top level domain.
Security filtering (as indicated above) is SMBv1Disable (the security group)

Any ideas?
* gposActive DirectorySecurity

Avatar of undefined
Last Comment
Jason Richmond

8/22/2022 - Mon

where you latch the GPO? at domain level?

Check the OU properties where group is residing \ advanced security tab if inheritance is disabled, if yes, enable it
also check OU from GPMC and if inheritance is blocked, unblock it and then run gpupdate on DC and reboot client and check if GPO applies or not

also from GPMC go to security filtering and only keep required group, remove everything else
Jason Richmond

Latched to domain level.

Inheritance is enabled for everything.
Removed all security filtering except for System, SMBv1Disable, and Authenticated Users.

No change...

can you logon to affected computer and check event viewer for system events, it will show errors
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy

what setting you have applied through GPO?

it is user configuration setting or computer configuration setting?

If it is user configuration settings, you must also enable group policy loop back processing mode in replace mode in GPO
setting can be found under computer configuration\administrative templates\system\group policy
Jason Richmond

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question