I have a problem with my domain, where the group policies aren't applying.
I currently have two security groups: 1) 32bit clients 2) 64bit clients. In these two groups are our different computers, running 32bit and 64bit Windows 7.
In the GPMC I have made two policies that affect both the user’s desktop and computer settings. Now all I want to do is set it so the 32bit group gets the 32bit policy, and the 64bit computers get the 64bit policy, but it isn't working.
Following various guides online to set up security filtering, I linked the GPO to the domain, went into the delegation tab, opened the ACL, unticked apply for Authenticated Users, added the 32 or 64 group, then clicked read and apply for them. I then went back to the client (in this case a 64bit PC), and once gpupdate /force had been completed, I ran a gpresult and it says that the GPO hasn’t been applied due to "Access Denied (Security Filtering)".
This has baffled me, as I've checked the PC is in the 64bit group, checked the read and apply settings but no luck. I've tried adding and removing Authenticated Users from the Security Filtering tab, but with no luck.
It's annoying me because this should be so simple!
Any help would be greatly appreciated.
Jake
Setup: Windows Server 2008
The message "Access Denied (Security Filtering)" usually means that the computer settings were not applied because gpupdate was not run from an elevated command prompt.
Also, I would use a WMI filter, so you don't need to manage groups. Another limitation with groups is the group membership does not take effect until a computer is restarted.
Windows 7 x64:
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType="1" AND OSArchitecture = "64-bit"
Windows 7 x86:
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"
More information:
Create WMI Filters for the GPO
http://technet.microsoft.com/en-us/library/cc947846%28WS.10%29.aspx
If the computers have been recently added to these security groups, then they need a reboot.
They won't have their new group memberships in their token until they get a new one, which is about a week by default (or until a reboot).
I ran into the same issue and found that because I had linked the GPO I had to select the shortcut of the GPO, then choose Delegation in the right pane. Choose Advanced, Authenticated Users and check "Apply Group policy" as it already had read.
I then went back to the server and ran (from an elevated command prompt)
gpupdate /force
Derek K's answer pointed me toward the solution. I was applying the policy to the computer, but only users had permission to apply. Added computers to the permissions, and all was well.
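The checks the answers above describe (Read + Apply for the computer group, the group list the computer currently holds, and the WMI filter) gathered into one PowerShell script. This is an added example, not code from any of the posters. The GPO name and group name are placeholders, and it assumes the GroupPolicy module (GPMC/RSAT) is installed on the affected client.

```powershell
# Added example. $GpoName and $GroupName are placeholders, not values from the thread.
# Assumes the GroupPolicy module (GPMC/RSAT) is installed; run on the affected client.
Import-Module GroupPolicy
$GpoName   = 'Win7 64bit Policy'   # hypothetical GPO display name
$GroupName = '64bit clients'       # security group that holds the computer accounts

# 1. Computer-side results are only complete from an elevated prompt.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$elevated = (New-Object Security.Principal.WindowsPrincipal $identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $elevated) { Write-Warning 'Not elevated: computer scope results will be incomplete.' }

# 2. Security filtering: the group needs GpoApply (Read + Apply), with no Deny entry.
#    (Older GPMC releases name this cmdlet Get-GPPermissions.)
$perms = Get-GPPermission -Name $GpoName -All
$perms | Select-Object @{n='Trustee'; e={$_.Trustee.Name}},
                       @{n='Type';    e={$_.Trustee.SidType}},
                       Permission, Denied | Format-Table -AutoSize
$canApply = $perms | Where-Object {
    $_.Trustee.Name -eq $GroupName -and $_.Permission -eq 'GpoApply' -and -not $_.Denied }
if (-not $canApply) { Write-Warning "'$GroupName' does not have Read + Apply on '$GpoName'." }

# 3. Group membership the computer actually holds right now. A group added since
#    the last boot will be missing here until the machine restarts.
$rsop = gpresult /r /scope computer
if (-not ($rsop | Select-String -SimpleMatch $GroupName)) {
    Write-Warning "'$GroupName' is not in the computer's current group list."
}

# 4. WMI filter from the answer above: an object comes back only on Windows 7 x64 clients.
$wql = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" ' +
       'AND ProductType="1" AND OSArchitecture = "64-bit"'
if (Get-WmiObject -Query $wql) { 'WMI filter: match' } else { 'WMI filter: no match' }
```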