ItsKoda asked

Applying GPO to Security Group not taking effect

I've spent the past 40 hours trying to figure out what's causing this, so far no luck. I've read dozens of articles & different questions on this topic and not a single one has helped with this... Just showing the problem isn't going to help because I've done the same as everyone else, so I'll try to explain what I've done so if maybe I've missed something then someone can point it out.

I make a new Organizational Unit called "Staff" under my forest.

Then I make a security group called "Managers" & add a user under this group called "Ty".

Then I go to the "Group Policy Management" tool (gpmc.msc).

I right click the "Staff" unit, then "Create a GPO in this domain, and link it here" called "Manager Policy".

I click the new GPO, go to the Delegation tab, select advanced, then select "Authenticated Users", I keep read on but remove the tick from "Apply group policy".
Then I add the "Managers" group and check "Apply group policy" for it.

Now I right click the "Manager Policy" and select Edit.

I navigate to "User Rights Assignment" under "Computer Configuration" and define "Access this computer from the network" with "Everyone" & "Allow log on through Remote Desktop Services" with "HORIZONS\Managers".

Once I have added the Policies, I open the command prompt and type "gpupdate /force".

Then I check to see if it's applied using "gpresult /r /scope computer", which displays that the GPO has not been applied.

& to double check I try logging into the account in which I receive "The connection was denied because the user account is not authorized for remote login.".

What am I doing wrong or missing? I've spent too long trying to do something that should be so straightforward...


Tags: windows-server, windows-active-directory, windows-server-2019, windows-group-policy

FanFan-MSFT answered

Hi,

1. Make sure that the server is in the "Staff" OU you created before.
For example, I want to apply a policy to server1, and server1 is in the OU named "SERVERS".

2. Then I have to link the GPO to the OU "SERVERS" containing SERVER1. And make sure the permissions are delegated correctly.




Okay, so following this, now when I run gpresult it states that it is applied :)

I then remade the user in the "Domain Controllers" that was with the computer, I couldn't add the ALPHA computer into staff since it already exists in Domain Controllers.
I ran gpupdate /force on admin and tried logging in, it still fails to connect to RDP. I don't know what it is, here's what I have so far.

FanFan-MSFT answered

Hi,

I think I figured out why the group policy didn't apply.

Before going further, we’d better confirm the difference between Computer Configuration and User configuration.
Computer Configuration in Group Policy is applied to computers, regardless of who logs on to the computers.
User Configuration in Group Policy is applied to users, regardless of which computer they log on to.
Computer Configuration
http://technet.microsoft.com/en-us/library/cc736413(v=ws.10).aspx
User Configuration
http://technet.microsoft.com/en-us/library/cc781953(v=ws.10).as


As you mentioned above, the policy "User Rights Assignment" is a "Computer Configuration" policy; it can only be linked to OUs containing computer objects.
But the Organizational Unit called "Staff" contains no computers. So the policy would not apply.

And in the security filter, if you remove the apply permission for the authenticated users, we have to put the computers (not users) into one security group and give it read and apply permission.
Or keep the authenticated users read and apply permission, then you don't need to add any groups into the security filter.

Last, since it is a computer policy, when you update the policy by command, run the command as administrator, or restart the computer.
Hope it would be helpful.


Best Regards,

Thank you for the reply @FanFan-MSFT
So I decided that applying the GPOs to the computer would be easier if not better than applying them to the user groups themselves.
So I started off by making a Security group called "Computers". I added the server that's running "ALPHA" to this group, I then added "Authorized Users" back to the applied under delegation, removed managers from the delegation & added "Computers" with applied checked to the delegation. I ran gpupdate /force with administrator on the console, ran the gpresult and got the same answer as earlier, also tried logging in which also failed.
Really confused with all this...


You said that you did add the server "ALPHA" as a member of the security group "Computers", but the gpresult does not reflect this.
Did you restart the server "ALPHA" after adding the group?
Computers don't recheck their group memberships until a reboot...
Users don't recheck their group memberships until a logoff/logon...


Thanks, I'll try this when I reattempt this method :)
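
The two conditions the answers above describe for a Computer Configuration GPO (the computer object sits under an OU the GPO is linked to, and the security filter names a trustee the computer account belongs to), checked in one pass. This is an added PowerShell example, not part of the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules, uses the thread's names `ALPHA` and `Manager Policy`, and `Test-ComputerGpoScope` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Test-ComputerGpoScope is a hypothetical helper.
Import-Module ActiveDirectory, GroupPolicy

function Test-ComputerGpoScope {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $GpoName
    )
    $computer = Get-ADComputer -Identity $ComputerName

    # Parent of the computer object: drop the leading "CN=<name>" component of the DN.
    $parentDn = ($computer.DistinguishedName -split '(?<!\\),', 2)[1]
    # Plain containers (e.g. CN=Computers) cannot hold GPO links; only domain-level links reach them.
    if ($parentDn -notmatch '^OU=') { $parentDn = (Get-ADDomain).DistinguishedName }

    # Links that reach this location, whether set directly or inherited from a parent.
    $links = (Get-GPInheritance -Target $parentDn).InheritedGpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }

    # Security filtering: trustees holding "Read" plus "Apply group policy".
    $applyTrustees = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' }

    # SIDs the computer account carries: itself, its direct AD groups (nested groups
    # are not expanded here) and Authenticated Users (S-1-5-11), which includes
    # every domain computer account.
    $computerSids = @('S-1-5-11', $computer.SID.Value) +
        @(Get-ADPrincipalGroupMembership -Identity $computer |
            ForEach-Object { $_.SID.Value })

    $matched = $applyTrustees |
        Where-Object { $computerSids -contains $_.Trustee.Sid.Value }

    [pscustomobject]@{
        Computer         = $computer.Name
        LinkLocation     = $parentDn
        GpoLinkedInScope = [bool]$links
        ApplyTrustees    = $applyTrustees.Trustee.Name -join ', '
        MatchedTrustees  = $matched.Trustee.Name -join ', '
        FilterAllows     = [bool]$matched
    }
}

Test-ComputerGpoScope -ComputerName 'ALPHA' -GpoName 'Manager Policy'
```

The group membership shown comes from the directory, so a group added since the computer last booted appears here before the computer itself picks it up, which is the restart point made in the comment above.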
