When administrators do not design Active Directory (AD) well, they go on to make further poor decisions when applying Group Policy Objects (GPOs). What I often see is that administrators use security filtering to target which objects will receive a GPO and the settings it contains.

A key mistake administrators make when applying GPOs is using the security filtering configuration. Figure 1 illustrates what this setting looks like and where it is located.

Figure 1. Security filtering for GPOs.

Security filtering is per GPO and alters the GPO access control list (ACL). By default, all users and computers in AD have the ability to apply every GPO, so altering this is a major change to the default behavior. Microsoft designed GPOs to apply to all AD users and computers so organizations could design their AD for GPO deployment and ease of troubleshooting. Microsoft chose to provide security filtering for those unique cases where the AD design was not sufficient for applying the settings in a targeted manner to users and computers.

Security filtering is a mistake due to the complexity it adds to not only applying GPOs, but also to troubleshooting them. Therefore, if you find yourself struggling to track down GPO application issues, it might be beneficial to look at how your GPOs are applied and how many security filters you’re using. Stay tuned for Part 3 of my blog series on common GPO mistakes!
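One way to count how many security filters a domain is carrying is to list every GPO whose Apply Group Policy permission is held by something other than Authenticated Users. This is an added example, not from the original post. It assumes the GroupPolicy module (installed with GPMC/RSAT) and read access to the domain's GPOs, and the function name and report columns are illustrative.

```powershell
# Added example: audit GPOs for non-default security filtering.
# Assumes the GroupPolicy module (GPMC/RSAT) and read access to all GPOs.
Import-Module GroupPolicy

$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID for Authenticated Users

function Get-GpoSecurityFilterReport {
    # Emits one object per GPO describing who holds "Apply Group Policy".
    foreach ($gpo in Get-GPO -All) {
        # GpoApply is the permission level the Security Filtering pane grants.
        $appliers = @(Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoApply' })

        $custom = @($appliers |
            Where-Object { $_.Trustee.Sid.Value -ne $AuthenticatedUsersSid })
        $hasDefault = $appliers.Count -gt $custom.Count

        # A deleted account or group leaves an unresolved SID in the filter;
        # report the raw SID so the stale entry is still visible.
        $names = $custom | ForEach-Object {
            if ($_.Trustee.Name) { $_.Trustee.Name } else { $_.Trustee.Sid.Value }
        }

        [pscustomobject]@{
            GpoName       = $gpo.DisplayName
            DefaultFilter = $hasDefault          # Authenticated Users can still apply
            FilterCount   = $custom.Count        # number of custom filter entries
            CustomFilters = $names -join '; '
        }
    }
}

$report   = @(Get-GpoSecurityFilterReport)
$filtered = @($report | Where-Object { -not $_.DefaultFilter -or $_.FilterCount -gt 0 })

'{0} of {1} GPOs use non-default security filtering' -f $filtered.Count, $report.Count
$filtered | Sort-Object FilterCount -Descending | Format-Table -AutoSize
```

GPOs at the top of the list, and any that show a raw SID in the CustomFilters column, are the first ones to review when tracking down GPO application issues.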

Derek is the author of the Group Policy Resource Kit from Microsoft Press.
