Mark
asked on
GPO error Access Denied (Security Filtering)
I'm having a GPO fail applying with this error: "Access Denied (Security Filtering)". This was an existing GPO that I added a couple of things to, compatibility view for IE and trusted sites. Both of these settings had sites in there so I just added to them. I checked permissions and authenticated users have read and apply group policy permissions. The servers (RDS) that I'm attempting to apply this GPO to have been rebooted also. My hunch is it was failing for a while; I can't see how the settings I added caused the issue. Servers are running 2016. Any ideas on how to resolve this?
Any deny permissions set?
ASKER
No, and it doesn't apply the GPO when I log on as a domain admin either.
Can you list the GPO ACL, please?
https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gppermission?view=windowsserver2022-ps
ASKER
Here it is.
Looks good
Please verify if replication is running between DCs. This access denial can be a result of an NTFRS journal wrap. That would manifest in the DC event log (check each DC) like this: FRS Event ID 13568
ASKER
I currently only have 1 DC
Ok. And where does it say "access denied"? In gpresult?
ASKER
Here you go
Funny. You could remove the server from the domain and join it again for a test.
And also use procmon while doing a gpupdate /force on an elevated command prompt and filter for "access denied" to see what happens.
ASKER
I was looking at gpresult info this morning and I noticed that the GPO in question does apply to computer settings and only fails on user settings.
Is that GPO attached to an OU with users? Else, with computers, user settings cannot apply, anyway.
ASKER
It's applied to an OU with the RDS servers in it, not applied to a user OU. I should have checked this yesterday but I didn't. I have 3 RDS servers and only 1 is having this issue with the GPO; the other 2 are applying the user settings with no issues. All 3 servers are in the same OU.
ASKER CERTIFIED SOLUTION
ASKER
I had tried gpupdate previous to opening this ticket. And you're correct I fd the setting location and I will move it an