GPO Security Filtering and Security Settings Interpretation

I'm building some User GPOs and am seeing some things that I don't yet understand:

In the Scope tab:
I see the one Link that applies - so no surprise there.
I see Security Filtering and I see only one Group there - it's the Group I intend the GPO to apply to but others (like Groups with DENY) aren't listed here.  
The Security Filtering section clearly states: The settings in this GPO can only apply to the following groups, users, and computers
So far, this makes sense to me.


In the Settings tab:
The General \ Security Filtering section also says "The settings in this GPO can only apply to the following groups, users, and computers:"
and the contents say "None"
The General \ Delegation section says "These groups and users have the specified permission for this GPO".
It only lists one, rather obscure User with Custom "Allowed permissions". Correct enough, but not what I'd expect, as it's incomplete.

In the Delegation tab \ Advanced (which is Titled: GPO Security Settings)
The Group or user names seem complete.

How is one to interpret all these?
Are we to just ignore some of them?
Are we to pay close attention to some of them?
Why would they be different?

System Admin
Commented:
Here is a good article that explains most of the permissions around GPOs and will probably answer most of your questions.

https://social.technet.microsoft.com/wiki/contents/articles/51876.group-policy-filtering-and-permission.aspx


However, basically:
Scope is what your policy would apply to (basically the selection of the OU it applies to).
The security filtering is just a quick way of adding or removing permissions that will translate over to the delegation.
WMI filtering can be used to apply the policy to computers or users based on conditions that the WMI query can return.

The Settings tab is used to view settings that were configured when you edited the policy.
As for the security filtering you see here: if you specify specific users instead of Authenticated Users, you would see them listed there.
The delegation section would reflect items that you specify in the Delegation tab.

The Delegation tab will reflect the permissions that are on the GPO, based on your AD configuration as well as any items you add on the Scope tab in the Security Filtering section.

Don't forget: if you remove Authenticated Users and want to apply the policy to a specific group or list of users, you will need to add Domain Computers to the Delegation tab and allow them to read but not apply the policy (due to a security update a few years back, this is needed).
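As an added example (not part of the thread above), the following PowerShell audits one GPO the way the Delegation tab shows it and flags the pitfall the answer describes: a GPO whose Authenticated Users entry was removed and that has no other trustee letting domain computers read it. The security update the answer refers to is MS16-072 (June 2016), after which user policy is read in the computer's security context, so a computer principal needs at least Read. It uses the `Get-GPPermission` cmdlet from the RSAT GroupPolicy module and assumes a domain-joined session with rights to read the GPO; the GPO name `Contoso-UserLockdown` is hypothetical.

```powershell
# Added example: audit a GPO's delegation and check that domain computers can still read it.
# Requires the GroupPolicy module (RSAT) and a domain-joined session.
Import-Module GroupPolicy

function Test-GpoComputerReadAccess {
    param([Parameter(Mandatory)][string]$GpoName)

    # -All returns every ACE on the GPO, i.e. what the Delegation tab lists,
    # not just the Apply trustees that the Security Filtering section shows.
    $perms = Get-GPPermission -Name $GpoName -All

    # Permission levels that imply Read on the GPO object.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $readers = $perms | Where-Object { $_.Permission -in $readLevels }

    # Authenticated Users is the well-known SID S-1-5-11 and includes every domain computer;
    # Domain Computers is the domain group with RID 515.
    $computersCanRead = $readers | Where-Object {
        $_.Trustee.Sid.Value -eq 'S-1-5-11' -or $_.Trustee.Sid.Value -like '*-515'
    }

    [pscustomobject]@{
        Gpo              = $GpoName
        # Full delegation list, as shown on the Delegation tab
        Delegation       = $perms | Select-Object @{n = 'Trustee'; e = { "$($_.Trustee.Domain)\$($_.Trustee.Name)" } }, Permission
        # Only these trustees appear under Security Filtering on the Scope tab
        AppliesTo        = @($perms | Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object { $_.Trustee.Name })
        ComputersCanRead = [bool]$computersCanRead
    }
}

# Hypothetical GPO name used for illustration
$result = Test-GpoComputerReadAccess -GpoName 'Contoso-UserLockdown'
$result.Delegation | Format-Table -AutoSize
if (-not $result.ComputersCanRead) {
    Write-Warning "No trustee lets domain computers read '$($result.Gpo)'; its user settings will not apply after MS16-072."
}
```

Note that `Get-GPPermission` only reports Allow entries; a Deny ACE (such as the DENY groups mentioned in the question) is visible only under Delegation \ Advanced, which is why that dialog is the complete picture and the Security Filtering list is not.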

Author

Commented:
Thank you!!
Shaun Vermaak, Senior Consultant (Awarded 2017, Distinguished Expert 2019)

Commented:

Don't forget if you remove authenticated users and want to apply to specific group or list of users you will need to add domain computers to the delegation tab and allow them to read but not apply the policy. (due to a security update a few years back this is needed)

I would leave Authenticated Users and instead set it (Authenticated Users) to Read.
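As an added example (not from the thread, and not Shaun's own script), this is the recommendation above expressed with `Set-GPPermission` from the RSAT GroupPolicy module: Authenticated Users stays on the GPO but is lowered from Apply to Read, and the group that should actually receive the policy is granted Apply. The GPO name and group name are hypothetical.

```powershell
# Added example: keep Authenticated Users with Read only, and target a specific group with Apply.
# Requires the GroupPolicy module (RSAT) and rights to modify the GPO's security.
Import-Module GroupPolicy

function Set-GpoTargetGroup {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$TargetGroup
    )

    # -Replace is required here: without it, Set-GPPermission will not lower an
    # existing GpoApply entry to GpoRead (it only ever raises a permission level).
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # The intended group gets Read + Apply, so it is the only entry shown under Security Filtering.
    Set-GPPermission -Name $GpoName -TargetName $TargetGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Return the resulting delegation (what the Delegation tab shows) so the change can be reviewed.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{n = 'Trustee'; e = { "$($_.Trustee.Domain)\$($_.Trustee.Name)" } }, Permission
}

# Hypothetical GPO and group names used for illustration
Set-GpoTargetGroup -GpoName 'Contoso-UserLockdown' -TargetGroup 'GPO-UserLockdown-Apply' |
    Format-Table -AutoSize
```

Because Authenticated Users keeps Read, every domain computer can still retrieve the GPO for its logged-on users, so there is no need to add Domain Computers separately; only members of the target group actually apply the settings.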


Author

Commented:
Interesting... so here's a nagging question that I should ask:

Do I have it correct that Authenticated Users includes the members of Domain Computers?  
If so, Authenticated Users is a broader group than Domain Computers.
If so, with Authenticated Users one doesn't need Domain Computers listed as well.
If so, Domain Computers being "good enough" then Authenticated Users is overkill?
Shaun Vermaak, Senior Consultant (Awarded 2017, Distinguished Expert 2019)

Commented:

Do I have it correct that Authenticated Users includes the members of Domain Computers?  

Yes

If so, Authenticated Users is a broader group than Domain Computers.

Yes

If so, with Authenticated Users one doesn't need Domain Computers listed as well.

Yes

If so, Domain Computers being "good enough" then Authenticated Users is overkill?

Just like Domain Computers wasn't required, Domain Users is not required, BUT nothing stops that from changing when a new attack/security risk is found.