I'm not sure why you're using security filtering. Is your objective to only have *some* DCs get this policy? If so, as Joe said, those servers need to get the group membership into their access tokens. Ha! I saved a post which says how to do that without rebooting and it turns out it was from you!
I actually used the method you described after I added a server to a group about a month ago, so thanks.

On Wed, Jan 3, 2018 at 3:26 PM, Michael Leone <oozerd...@gmail.com> wrote:

> OK, I'm scratching my head over this. I made a new GPO, set it to
> automatically install Windows Updates at a specific time. I set it to
> filter only to an AD group. I linked it to the Domain Controllers OU.
> Pretty much what I've always done. The only difference is that this
> time, this new GPO is for my DCs.
>
> When I run a "gpresult /r", I see the new GPO being not applied,
> because it was being filtered out. The reason shows as "Security".
>
> And I can't figure out what I did wrong. This particular DC is a
> member of the AD group that this GPO is set to filter on. Now, the
> "Default Domain Controllers Policy" is being applied. And this is just
> set to filter on "Authenticated users".
>
> I don't get it. I checked the link order, and the updating GPO is a
> lower number than the Default policy. Running the Group Policy
> Modeling, I see the new GPO as a winning GPO.
>
> So what am I doing wrong? Where to look next, to figure out where this
> filtering is taking place?

--
Charlie Sullivan
Sr. Windows Systems Administrator
Boston College
197 Foster St. Room 367
Brighton, MA 02135
617-552-4318