Brief Note on Active Directory GPO Delegations

security Jun 25, 2018

After a recent upgrade to the 2012 AD functional level, I was surprised to find that several important GPO items were no longer being applied properly. After quite a bit of research, I eventually determined that this was because the affected policies were being filtered to only apply to certain security groups, none of which were the Authenticated Users group. I found a TechNet article (now lost) that stated weird things were occurring when the Authenticated Users group was unable to read the GPO. I redelegated Authenticated Users read access to the GPO but left them off the security filtering list, and suddenly all the broken GPOs started working again.

TL;DR
Authenticated Users always needs read delegations to GPOs.
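
One way to audit a domain for this condition, as an added example that is not part of the original post. It assumes the GroupPolicy module (installed with GPMC/RSAT) is available and that the group resolves under its English name; `$Remediate`, `$ReadCapable` and the report columns are names made up for this example.

```powershell
# Added example: report every GPO where Authenticated Users lacks read access,
# and optionally grant read-only delegation without touching security filtering.
Import-Module GroupPolicy

$Remediate    = $false        # set to $true to grant GpoRead where the entry is missing
$AuthUsersSid = 'S-1-5-11'    # well-known SID of Authenticated Users
# Permission levels that include read. GpoApply is what security filtering grants.
$ReadCapable  = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    # Enumerate the full delegation list and match on SID rather than display name.
    $levels = @(Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Trustee.Sid.Value -eq $AuthUsersSid } |
        ForEach-Object { $_.Permission.ToString() })

    $status = if ($levels.Count -eq 0) { 'Missing' }
              elseif ($levels | Where-Object { $ReadCapable -contains $_ }) { 'OK' }
              else { 'Review' }   # e.g. GpoCustom or None: inspect the ACL by hand

    if ($Remediate -and $status -eq 'Missing') {
        # GpoRead is read-only: the group is not added to the security filter,
        # so the GPO still applies only to the groups that hold GpoApply.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
        $status = 'Fixed'
    }

    [pscustomobject]@{
        Gpo        = $gpo.DisplayName
        Id         = $gpo.Id
        AuthUsers  = if ($levels) { $levels -join ',' } else { '-' }
        Status     = $status
    }
}

# Show only the GPOs that need attention.
$report | Where-Object Status -ne 'OK' | Sort-Object Gpo | Format-Table -AutoSize
```

Run it once with `$Remediate = $false` to see which GPOs are affected before changing any delegation.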

Ryan Buzzell

Computer Systems Engineer @ Eastman School of Music | Find me on the macadmins slack @rbuzzell https://macadmins.herokuapp.com/