Typically, Windows Group Policy settings are applied by propagating them to a particular domain or workgroup. But what happens when you set a Group Policy and it isn't being applied? This is a common problem faced by many users and administrators and can be caused by a couple of things.
One of the most common causes for this issue is security filtering. Security filtering determines who and what Security Groups the settings apply to, and it can be configured incorrectly. This article will explain what Security Filtering is and how to troubleshoot it.
What is Security Filtering?
Security Filtering is a feature of Group Policy that allows you to selectively target policy settings to certain users and/or computer accounts in order to reduce the amount of settings that must be applied to each user and machine. By using Security Filtering, you can ensure that policies which should only be applied to certain users or computers are only applied to those targets.
When Security Filtering is applied to a Group Policy, only the security principals (users and computers) which have been explicitly added to the Security Filtering settings will receive those policy settings. If a security principal isn't included in the Security Filtering settings, then it won't receive those policy settings. This can cause problems because policy settings which are supposed to be applied to a particular user or computer account may not be applied if they aren't included in the Security Filtering settings.
How to Troubleshoot Security Filtering
If you are having problems with policy settings not being applied to certain users or computers, then the first thing you should check is the Security Filtering settings for that particular policy. Here are the steps to follow to troubleshoot Security Filtering:
- Open the Group Policy Management Console (GPMC).
- In the left pane, select the Group Policy Object (GPO) you want to troubleshoot.
- In the right pane, select the Settings tab.
- In the Group Policy settings pane, find the policy setting you are having a problem with.
- Bring up the properties of the selected policy setting.
- Select the Security Filtering tab.
- Review the security principals listed in the selected policy setting.
- Verify that the security principals you are expecting to receive the policy setting are listed.
- If the security principals are not listed, then you need to add them.
- After adding the appropriate security principals, click OK to save the changes.
- Repeat this process for all the policy settings that you are having a problem with.
What Is the Difference Between Security Filtering and WMI Filtering?
Security Filtering applies policies to a select set of users and/or computer accounts, while WMI Filtering applies policies based on certain criteria such as operating system or hardware configuration.
What If a Security Principal Is Not Listed in the Security Filtering Settings?
If a security principal is not listed in the Security Filtering settings, then it will not receive the policy settings associated with that GPO. You can add the security principal to the Security Filtering settings in order to apply the policy settings to them.
How Do I Add a Security Principal to the Security Filtering Settings?
To add a security principal to the Security Filtering settings, select the Security Filtering tab of the policy setting, and then click the Add button. In the Select Users, Computers, Service Accounts, or Groups window, you can then enter the name of the security principal which you want to add.
Can I Manage Security Filtering from the Command Line?
Yes, you can manage Security Filtering from the command line. You can use the Group Policy PowerShell cmdlets to configure Security Filtering settings for a Group Policy.
How Do I Verify That a Group Policy Is Applied to a Security Principal?
To verify that a Group Policy setting has been applied to a particular security principal, you can use the Group Policy Result Tool (GPResult). GPResult will show the list of policy settings that have applied to a particular user or computer and will indicate if the policy settings have been applied or not.