How to configure GPO Security Filtering

So I have spent quite a few hours researching GPO Security Filtering, and followed a good bunch of reliable sources in my attempt to get it to work properly. None of the sources made it work, and some of them were:

Purpose of the Security Filtering

I applied a GPO to an OU with a handful of users, but I wanted the GPO to target only a subset of the users in the OU. So I wanted the GPO to target a group, where user members of that group would have the GPO applied.

How Security Filtering works

But a GPO does not process a Security Group. It processes users and computers, but Security Filtering allows me to “scope” the GPO so that it applies only to members of the security group.

How to configure Security Filtering on a Security Group

For this test I used a Server 2012 R2 domain controller and two Windows 10 Pro machines, each joined to the domain.

  1. Create an OU with user accounts inside.
  2. Create a Security Group and make the users you wish to be targeted by the GPO members of it. It does not matter if the Security Group is inside the OU or not. It can be anywhere in the domain, as long as the users themselves are in the OU.
  3. Create a GPO and link it to the new OU (right-click OU and select “Create a GPO in this domain, and link it here”.)
  4. Edit the GPO and make the desired changes. In this example I am going to Prohibit access to the control panel in User Configuration > Policies > Administrative Templates > Control Panel, and then enable Prohibit access to Control Panel and PC settings.
  5. Now, in gpmc.exe, select the new GPO, go to the Delegation tab and press Advanced.
  6. Select Authenticated Users and remove Apply Group Policy, while still allowing Read. Authenticated Users includes both user and computer accounts, and the GPO is processed by both even though it is only a user configuration policy.
  7. Add the security group to the list and allow Read and Apply Group Policy, and then verify that the Security Group with the user members you wish to be targeted by the GPO is in the Security Filtering of the Scope tab.
  8. Next, reboot the target computer and login.
  9. Sign out and sign in.
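The same seven configuration steps scripted with the ActiveDirectory and GroupPolicy PowerShell modules (RSAT), followed by a check of the resulting filter. This is an added example, not from the original post: the OU, group, GPO and user names are assumed placeholders, and the NoControlPanel registry value is the backing value for the “Prohibit access to Control Panel and PC settings” setting used in step 4.

```powershell
# Added example (not the original post's code). Run as a Domain Admin on a DC or an
# RSAT workstation. All names below are assumptions; adjust for your domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=example
$ouName    = 'Filtered Users'                          # assumed OU name
$ouDn      = "OU=$ouName,$domainDn"
$groupName = 'GPO-NoControlPanel'                      # assumed group name
$gpoName   = 'Prohibit Control Panel'                  # assumed GPO name
$members   = @('mark.anderson')                        # assumed sAMAccountNames

# Step 1: the OU the GPO will be linked to. Targeted users must live under it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# Step 2: the security group that scopes the GPO. Its own location does not matter.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
}
Add-ADGroupMember -Identity $groupName -Members $members

# Step 3: create the GPO and link it to the OU (New-GPLink errors if already linked).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes -ErrorAction SilentlyContinue

# Step 4: "Prohibit access to Control Panel and PC settings" writes NoControlPanel=1
# under the per-user Explorer policies key.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null

# Steps 5-6: reduce Authenticated Users from Read + Apply to Read only (-Replace
# drops the existing level first). Read must stay: since MS16-072 the computer
# account reads user GPOs, and removing Read entirely stops the GPO applying at all.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 7: grant the group Read + Apply Group Policy (GpoApply implies Read).
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify: only the group should hold Apply, which is what the Scope tab's
# Security Filtering list shows.
Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Caveat check: group members outside the linked OU never receive the GPO,
# whatever the filter says.
Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'user' -and $_.distinguishedName -notlike "*,$ouDn" } |
    ForEach-Object { Write-Warning "$($_.SamAccountName) is in $groupName but not under $ouDn" }

# On the client, after steps 8-9, `gpresult /r /scope:user` lists the GPO under
# "Applied Group Policy Objects" once filtering has taken effect.
```

The two Set-GPPermission calls are the whole of the security filter: Authenticated Users keeps Read so the computer account can still retrieve the policy, and Apply Group Policy is held only by the group, so membership alone decides who gets the setting.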

Steps 8 and 9 had me confused, since I thought a gpupdate /force in an elevated command prompt on the target computer would be enough. For this specific GPO setting, though, I did 50+ tests to confirm that even a reboot was not enough. I had to actually reboot + sign in, and then sign out and sign back in. I could also sign out and sign in, and then reboot and sign in… And then it’d work. No other combination, with or without gpupdate /force, worked for me. Gpupdate /force did nothing.

So I learned that gpupdate /force is not always reliable, and some GPO settings will need a reboot and “re-logins”… Thanks Bill Gates..

So, having done this right, I can now move domain members in and out of the security group depending on whether I’d like the GPO applied to them or not. Just make sure all users are within the OU that has the GPO linked.

Example: If I wanted a new user, Mark Anderson, to be targeted by the GPO, I would move him to the respective OU, add him to the Security Group, reboot the domain computer, sign into the computer as Mark, sign back out, sign back in as Mark again, and then it would work.
