I notice that anything I add to Security Filtering also appears under Delegation, so I’m not sure how or why they both exist, and if they are redundant or not?
Until now I had been exclusively using Security Filtering to determine whether a GPO gets applied and to which groups, but now there is a new patch to Windows Server which stops my GPOs from applying unless I add Domain Computers to Security Filtering... (GPOs fail to apply; reason: Inaccessible, Empty, or Disabled; Server 2012 R2 and Windows 10)
This seems very confusing to me, as I always thought that GPO rights would be read independently based on all my experience with Windows privileges. In other words, if I have Bob and Sue in Group A and Bob and Bill and Sarah in Group B, and I add Group A and Group B to a GPO with Read and Apply set, then I expect that the GPO will apply to Bob, Sue, Bill, and Sarah. (Effectively a logical OR operation: if a user is in Group A or Group B, apply the policy).
Therefore, if I add Group A and Domain Computers to the Security Filtering tab, I’d expect the GPO to apply to Bob and Sue, but also to every computer in the domain, effectively rendering Group A redundant, since every computer receiving the GPO will always be part of the domain.
However, the post by user Adwaenyth (GPOs fail to apply; reason: Inaccessible, Empty, or Disabled; Server 2012 R2 and Windows 10) seems to imply that Security Filtering is now operating via an AND kind of logic, where the target must be a member of all groups for the GPO to apply. In my example of Group A and Group B above, then, only Bob would apply the GPO, as he is the only one in both groups.
This whole mystery would be solved for me if I only needed to add Read rights, and not Apply rights, to Domain Computers. But then why do I need to add Domain Computers to Security Filtering where Apply rights are automatically granted? This all comes back again to the same question of what, effectively, is the difference between Security Filtering and Delegation? I’m aware that Delegation is also for granting users and limited admins the ability to edit, modify, or delete a GPO. But what if I use Delegation to manually give an entity Read and Apply rights? Is that the same as putting the entity in Security Filtering?
This question is also posed here: Does a GPO apply if "Security Filtering" tab is empty, but there is a security group in Delegation which has Read and Apply right?
If you use the Delegation tab of a GPO and click Advanced, you can assign the Read and Apply permissions to a user or group. If you do this (and if the GPO is linked to the correct level), then the GPO will apply to that user or group. More than this, if you do use the Delegation tab and click Advanced and assign the Read and Apply permissions to a user or group, then that user or group will appear in the Security Filtering section of the GPO.
In reverse, if you edit the Security Filtering section and add a user or group, then that user or group will appear on the Delegation tab, and if you look at Advanced you will see that the user or group has appeared there with the Read and Apply permissions.
So the Security Filtering and the Delegation tab Advanced are doing the same thing!
However, using the Delegation tab you can assign additional permissions for the GPO, so you could assign permission to edit the GPO, for example. In short, the Delegation tab is more powerful, but if you just want the GPO to apply to a user or group you can use either the Security Filtering or the Advanced section of the Delegation tab.
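The overlap described in the answer above can be checked from PowerShell. This is an added example, not part of the original question or answer: it reads a GPO's single permission list with the GroupPolicy module's `Get-GPPermission` and marks which trustees would be listed under Security Filtering and which hold edit-level rights visible only under Delegation. The function name `Get-GpoTabView` and the GPO name `Example GPO` are hypothetical, and it assumes the GroupPolicy module (RSAT/GPMC) on a domain-joined machine.

```powershell
# Added example: requires the GroupPolicy module (RSAT / GPMC) on a domain-joined machine.
Import-Module GroupPolicy

function Get-GpoTabView {
    # Hypothetical helper name; maps each entry on the GPO's ACL to the GPMC tab view.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$GpoName
    )

    # One ACL backs both tabs; -All returns every trustee on it.
    foreach ($perm in Get-GPPermission -Name $GpoName -All) {
        $level = $perm.Permission.ToString()
        [pscustomobject]@{
            Trustee                  = $perm.Trustee.Name
            TrusteeType              = $perm.Trustee.SidType
            Permission               = $level
            # GpoApply is Read + Apply group policy: the level granted by Security Filtering.
            # Trustees holding apply combined with other rights may report a different level.
            ShownInSecurityFiltering = ($level -eq 'GpoApply')
            # Edit-level rights can only be seen and assigned on the Delegation tab.
            CanModifyGpo             = ($level -in 'GpoEdit', 'GpoEditDeleteModifySecurity')
            Denied                   = $perm.Denied
        }
    }
}

# 'Example GPO' is a placeholder display name; substitute a GPO from your domain.
Get-GpoTabView -GpoName 'Example GPO' |
    Sort-Object ShownInSecurityFiltering -Descending |
    Format-Table -AutoSize
```

Rows with `CanModifyGpo` set are the ones worth reviewing, since those trustees can change what the GPO delivers to every target it applies to.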