Brief Note on Active Directory GPO Delegations

security Jun 25, 2018

After a recent upgrade to the 2012 AD functional level, I was surprised to find that several important GPO items were no longer being applied properly. After quite a bit of research, I eventually determined that this was because the affected policies were being filtered to only apply to certain security groups, none of which were the Authenticated Users group. I found a TechNet article (now lost) that stated weird things were occurring when the Authenticated Users group was unable to read the GPO. I redelegated Authenticated Users read access to the GPO but left them off the security filtering list, and suddenly all the broken GPOs started working again.

Authenticated Users always needs read delegations to GPOs.
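
One way to audit a domain for the condition described above, as an added example (not code from the original post). It assumes the RSAT GroupPolicy module and a domain-joined session; the function name `Find-GpoMissingAuthUsersRead` is hypothetical.

```powershell
# Added example, not from the original post. Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

function Find-GpoMissingAuthUsersRead {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # When set, delegate Read (not Apply) where Authenticated Users has no entry at all.
        [switch]$Fix
    )

    $authUsersSid = 'S-1-5-11'   # well-known SID of Authenticated Users
    # Every one of these delegation levels includes read access to the GPO.
    $readable = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        # Match on SID rather than name so a localized group name does not matter.
        $entry = Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Trustee.Sid.Value -eq $authUsersSid }

        $level = if ($entry) { "$($entry.Permission)" } else { 'None' }
        if ($level -in $readable) { continue }   # GPO is readable, nothing to report

        $action = 'Reported only'
        if ($Fix -and $level -eq 'None') {
            # GpoRead shows up on the Delegation tab only; it does not add the
            # group to security filtering (that would be GpoApply).
            # Assumption: the group resolves under its English name in this domain.
            Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
                -TargetType Group -PermissionLevel GpoRead | Out-Null
            $action = 'Granted GpoRead'
        }
        elseif ($level -ne 'None') {
            # Custom ACEs (for example an explicit deny) need a human decision.
            $action = 'Custom ACL, review manually'
        }

        [pscustomobject]@{
            DisplayName         = $gpo.DisplayName
            Id                  = $gpo.Id
            AuthenticatedUsers  = $level
            Action              = $action
        }
    }
}

# Report first; rerun with -Fix once the list has been reviewed.
Find-GpoMissingAuthUsersRead | Format-Table -AutoSize
```

Run it without `-Fix` first and review the output, since a GPO with a custom ACL on Authenticated Users is listed but never modified.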

Ryan Buzzell

Computer Systems Engineer @ Eastman School of Music | Find me on the macadmins slack @rbuzzell