I have a root domain (root.local) with a child domain (child.root.local).
I have a Group Policy Object in the root domain, e.g. GPO_root.
In the child domain I have a computer, computer_child. It is located in the child domain in the OU child.root.local/OU_child_computers.
In the root domain I also have a group of the type Security / Domain Local, named computer_group_root, which contains computer_child as a member.
Now I have linked GPO_root to child.root.local/OU_child_computers.
I have also edited the Delegation/Permissions of GPO_root, removing the permission "Apply" for "Authenticated users" and adding it for "computer_group_root".
However, this does not seem to work. If I run gpresult /scope computer /r on computer_child, I see:
The following GPOs were not applied because they were filtered out
GPO_root
Filtering: Denied (Security)
So GPO_root does not get applied.
If I edit the permissions of GPO_root and directly give the computer account computer_child the "Apply" permission, it works. But if I just use computer_group_root it doesn't.
(By the way, this works without problems if all the objects are in the same domain.)
- Why doesn't it work?
- Can I get it to work using a group?
- How?
(The real-world scenario is of course a little more complex, with multiple computers and child domains. I want to avoid having to add permissions for all computers directly, and also having to remember this every time a new computer is added. So I'd like to use a group.)