On 19/12/16 15:55, L.P.H. van Belle via samba wrote:> Did you add "domain computers" to the security filter also with Read/apply? > > >Hi Louis, Miguel, I'm applying it to specific computers, so I've created a group with those machines in it. It's not that the problem is applying the GPOs to the machines in the OU and group, the access denied message is a popup in Group Policy Management at the moment I try to add more that 6 entries in the Security Filtering box. Cheers, Alex -- This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice. "Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).
>> I'm applying it to specific computers, so I've created a group with those machines in it.>> It's not that the problem is applying the GPOs to the machines in the OU and >> group, the access denied message is a popup in Group Policy Management at the >> moment I try to add more that 6 entries in the Security Filtering box.The same happened to me once but I solved it. I don't quite remember if it was solved at the same time as I applied the correction I posted earlier. Can you verify that on the "Delegation" tab you have "Authenticated Users" with "Read" privilege?
>> No, I don't, because this is a loopback and I only want certain >> users on these computers to have the screensaver and lock disabled. If I did that it would apply to everyone.No, it wouldn't apply to everyone. As of April this year, according to Microsoft, all policies must have "Authenticated Users" with "Read" privilege. Note that in order to apply a policy you need to have "Read" AND "Apply" under security filtering.
>> No, it wouldn't apply to everyone. As of April this year, according to Microsoft, >> all policies must have "Authenticated Users" with "Read" privilege. Note that in order >> to apply a policy you need to have "Read" AND "Apply" under security filtering.I mean *as of June this year*. Sorry.
On 19/12/16 17:57, Miguel medalha wrote:>>> No, I don't, because this is a loopback and I only want certain >>> users on these computers to have the screensaver and lock disabled. If I did that it would apply to everyone. > No, it wouldn't apply to everyone. As of April this year, according to Microsoft, all policies must have "Authenticated Users" with "Read" privilege. Note that in order to apply a policy you need to have "Read" AND "Apply" under security filtering. >If that is the case, why when "Authenticated users" is in the list, it applies to *every* user on those machines? Right now it behaves as expected but I just won't be able to add more that 6 entities to the list when I finally need to. The 7th one I try to add is *no* different to any of the other's I added before. There also is no option to change anything with regard to "read" or "apply" in security filtering. When it's a loopback policy, according to MS you have to either add either "Domain Computers", a particular computer account, or a group of computer accounts. This works for me, until I will have to add more than 6 groups or accounts! Cheers Alex -- This message is intended only for the addressee and may contain confidential information. Unless you are that person, you may not disclose its contents or use it in any way and are requested to delete the message along with any attachments and notify us immediately. This email is not intended to, nor should it be taken to, constitute advice. The information provided is correct to our knowledge & belief and must not be used as a substitute for obtaining tax, regulatory, investment, legal or any other appropriate advice. "Transact" is operated by Integrated Financial Arrangements Ltd. 29 Clement's Lane, London EC4N 7AE. Tel: (020) 7608 4900 Fax: (020) 7608 5300. (Registered office: as above; Registered in England and Wales under number: 3727592). Authorised and regulated by the Financial Conduct Authority (entered on the Financial Services Register; no. 190856).