Have you rebooted the DC so it picks up the group membership? I think you can check with Process Explorer in the details window of a process running as System to see the groups it believes itself to be a member of.
On Jan 3, 2018 15:32, "Michael Leone" <oozerd...@gmail.com> wrote: OK, I'm scratching my head over this. I made a new GPO, set it to automatically install Windows Updates at a specific time. I set it to filter only to an AD group. I linked it to the Domain Controllers OU. Pretty much what I've always done. The only difference is that this time, this new GPO is for my DCs. When I run a "gpresult /r", I see the new GPO being not applied, because it was being filtered out. The reason shows as "Security". And I can't figure out what I did wrong. This particular DC is a member of the AD group that this GPO is set to filter on. Now, the "Default Domain Controllers Policy" is being applied. And this is just set to filter on "Authenticated users". I don't get it. I checked the link order, and the updating GPO is a lower number than the Default policy. Running the Group Policy Modeling, I see the new GPO as a winning GPO. So what am I doing wrong? Where to look next, to figure out where this filtering is taking place?
