You may arrive here if you are asking “Why are my group policies not applying unless the computer account has read permission” or possibly “Why won’t my group policy apply to user security filtering” or “What the fuck is group policy filtering denied unknown reason”.
These are all great questions, and I asked them myself today, somewhat more interlaced with profanity. The good news is there is an answer. The bad news is you will be asking WTF Microsoft – again.
I’ll keep this short – if you are having problems with your group policies all of a sudden, and they are not applying to specific users that they have been filtered for, you should review this article:
Microsoft, in all their wisdom, has decided that strictly filtering GPOs based on user context isn’t good enough, and that they need to be readable by the computer too. So to make your GPOs work, give the computer accounts read permission to the GPO. If you are like me and do a lot of user security group filtering for user settings, add “Domain Computers” on the GPO’s Delegation tab and give them read permission.
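To find every affected GPO at once instead of clicking through the Delegation tab, here is an added example (not from the original post) that uses the GroupPolicy RSAT module to list GPOs where neither Authenticated Users nor Domain Computers can read, and optionally grants the read permission. The function name and the English group name "Domain Computers" are assumptions; adjust the name for a localized domain.

```powershell
#Requires -Modules GroupPolicy
# Added example: report GPOs that computer accounts cannot read; with -Fix, grant read.
function Find-GpoMissingComputerRead {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: default English name of the built-in group.
        [string]$ComputerGroup = 'Domain Computers',
        [switch]$Fix
    )

    # Permission levels that include read access to the GPO.
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        # Computers can read the GPO if Authenticated Users (S-1-5-11) or
        # Domain Computers (domain SID ending in RID 515) holds an allow entry.
        $readers = Get-GPPermission -Guid $gpo.Id -All | Where-Object {
            -not $_.Denied -and
            "$($_.Permission)" -in $readLevels -and
            ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or
             $_.Trustee.Sid.Value -like 'S-1-5-21-*-515')
        }
        if ($readers) { continue }

        $fixed = $false
        if ($Fix -and $PSCmdlet.ShouldProcess($gpo.DisplayName,
                "Grant GpoRead to $ComputerGroup")) {
            # GpoRead only: the computers can read the GPO, but security
            # filtering for the user groups stays exactly as configured.
            Set-GPPermission -Guid $gpo.Id -TargetName $ComputerGroup `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
            $fixed = $true
        }

        [pscustomobject]@{
            DisplayName = $gpo.DisplayName
            Id          = $gpo.Id
            Fixed       = $fixed
        }
    }
}

# Report only:            Find-GpoMissingComputerRead
# Preview the changes:    Find-GpoMissingComputerRead -Fix -WhatIf
# Apply the changes:      Find-GpoMissingComputerRead -Fix
```

Run it from a machine with the Group Policy Management tools installed, under an account allowed to modify GPO security.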
Why is this happening? I’m sure it’s important and, as Microsoft says, is a security thing, but I think they just like fucking with us System Administrators once in a while to keep us on our toes. This is what I imagine Microsoft is saying to me today:
Oh, did you approve that update without actually reading the KB article it’s attached to? Well, look what happened. Maybe you should do more research first before approving Windows updates in your production environment.
Well, to that I have to say – Fuck you Microsoft.
If you ended up here before you pulled your hair out, you’re welcome. If it was afterward, don’t blame me – I did my best to put this out “in the cloud” for you.