Re: [NTSysADM] New GPO for DC being filtered out

On Wed, Jan 3, 2018 at 4:43 PM, Charles F Sullivan wrote: > I'm not sure why you're using security filtering. Is your objective to only > have *some* DCs get this policy? Correct. I can't have all DCs rebooting to install updates at the same time. So I want 1 to reboot

Re: [NTSysADM] New GPO for DC being filtered out

The DC’s computer object definitely has permissions to read the GPO? Jack Kramer, Senior Consultant Small Type Computing - www.smalltype.net W: 855-765-8973 x101 - C: 248-635-4955 > On Jan 3, 2018, at 3:26 PM, Michael Leone wrote: > > OK, I'm scratching my head over

Re: [NTSysADM] New GPO for DC being filtered out

I'm not sure why you're using security filtering. Is your objective to only have *some* DCs get this policy? If so, as Joe said those servers need to get the group membership into their access tokens. Ha! I saved a post which says how to do that without rebooting and it turns out it was from you!

Re: [NTSysADM] New GPO for DC being filtered out

Have you rebooted the DC so it picks up the group membership? I think you can check with Process Explorer in the details window of a process running as System to see the groups it believes itself to be a member of. On Jan 3, 2018 15:32, "Michael Leone" wrote: OK, I'm