How to Configure Windows Server 2016 Group Policy Security Filtering

Group Policy Security Filtering lets you control precisely which users and computers receive the settings in a GPO, without needing separate OUs for each subset. By modifying the Access Control List (ACL) of a GPO, you can grant or deny the Apply Group Policy permission to specific security principals, creating fine-grained targeting that works alongside OUs and WMI filters. Windows Server 2016 provides the full toolset to manage security filtering through the GUI, PowerShell, and GPMC.

How Security Filtering Works

Every GPO has a security descriptor with a DACL. For a GPO to apply to an object, that object (or a group it belongs to) must have both Read and Apply Group Policy permissions. By default, the Authenticated Users group has both permissions, meaning every authenticated user and computer in the scope receives the GPO. Removing Authenticated Users and replacing it with a specific group limits the GPO to that group only.

Important: Since the MS16-072 security update (June 2016), Group Policy retrieves user-side GPOs in the computer's security context, so when you remove Authenticated Users from the security filter of a user-side GPO, computer accounts no longer have Read permission and the GPO silently fails to apply (this also affects loopback processing). Best practice is to add the Domain Computers group with only Read (not Apply Group Policy) permission so that computer accounts can still read the GPO while the user-side settings remain scoped to the intended group.

Configuring Security Filtering in GPMC

In the Group Policy Management Console, click on a GPO in the left pane. In the right pane, select the Scope tab. The Security Filtering section shows the current principals. To restrict the GPO:

1. Remove Authenticated Users by selecting it and clicking Remove.
2. Click Add and enter the name of the target security group (e.g., Sales-Laptops).
3. Click OK.
4. Click the Delegation tab, then Advanced, and add Domain Computers with Read-only permission.

Configuring Security Filtering with PowerShell

Remove the default Authenticated Users permission:

Set-GPPermission -Name "Sales Laptop Policy" -TargetName "Authenticated Users" `
    -TargetType Group -PermissionLevel None

Grant Apply Group Policy to the target group:

Set-GPPermission -Name "Sales Laptop Policy" -TargetName "Sales-Laptops" `
    -TargetType Group -PermissionLevel GpoApply

Grant Read-only to Domain Computers (so machine-side processing works):

Set-GPPermission -Name "Sales Laptop Policy" -TargetName "Domain Computers" `
    -TargetType Group -PermissionLevel GpoRead

Verify the current permissions:

Get-GPPermission -Name "Sales Laptop Policy" -All |
    Select-Object Trustee, Permission | Format-Table -AutoSize

Deny Filtering

You can explicitly deny a GPO from applying to a specific group even if the group is within the scope. This is useful for excluding administrator accounts from desktop lockdown policies. Note that Set-GPPermission has no Deny permission level (its -PermissionLevel values are GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity and None), so a Deny entry is created in GPMC: select the GPO, click the Delegation tab, click Advanced, select (or add) the group, for example Domain Admins on "Desktop Lockdown", and tick Deny for "Apply group policy". Get-GPPermission reports such entries with Denied set to True.

Use Deny sparingly. It overrides Allow permissions and can create confusing policy behaviour if not documented properly.
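The same Deny entry can be scripted by editing the DACL of the GPO's Active Directory object directly. The following is an added example, not code from the original article; it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, that the caller may modify the GPO's security, and that the GPO and group names shown exist in your domain. The function name Add-GpoDenyApply is this example's own.

```powershell
# Added example: add a Deny "Apply group policy" ACE to a GPO, which
# Set-GPPermission cannot do. Works on the GPO's AD object via the AD: drive.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Add-GpoDenyApply {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName
    )
    # Get-GPO exposes the distinguished name of the GPO container in .Path
    $gpo  = Get-GPO -Name $GpoName
    $path = 'AD:\' + $gpo.Path

    # Schema GUID of the "Apply group policy" extended right (well-known AD
    # constant; not taken from the article)
    $applyGroupPolicyGuid = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path $path

    # Deny the extended right to the group's SID and write the DACL back
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGroupPolicyGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Read the entry back so the change can be confirmed (Denied should be True)
    Get-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group |
        Select-Object Trustee, Permission, Denied
}

Add-GpoDenyApply -GpoName 'Desktop Lockdown' -GroupName 'Domain Admins'
```

GPMC mirrors GPO permissions to the GPO's SYSVOL folder; if it reports that the SYSVOL permissions are inconsistent with Active Directory after this change, let it synchronise them. Record the Deny entry in your GPO documentation, since it will not be visible in the Security Filtering list on the Scope tab.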

Auditing GPO Permission Changes

Enable auditing of changes to Group Policy so that any modification to security filters is recorded in the Security event log. GPMC and the GroupPolicy PowerShell module write to the PDC emulator by default, so run the following on the PDC emulator (auditpol settings are per-DC; if changes may be made against other domain controllers, enable the subcategory on every DC, for example through the Default Domain Controllers Policy):

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

GPO ACL changes appear as Event ID 5136 (directory service object modification) in the Security log, with the GPO container (CN={GUID},CN=Policies,CN=System,...) as the object and nTSecurityDescriptor as the modified attribute. The event is only generated if the object's SACL audits the write, so confirm the auditing entries on CN=Policies,CN=System in the domain. Query the events:

Get-WinEvent -ComputerName PDC01 -FilterHashtable @{LogName='Security';Id=5136} |
    Where-Object {$_.Message -like "*CN=Policies,CN=System*" -and $_.Message -like "*nTSecurityDescriptor*"} |
    Select-Object TimeCreated, Message -First 10

Bulk Reporting of Security Filters Across All GPOs

To audit which groups have Apply Group Policy permission across every GPO in the domain:

Get-GPO -All | ForEach-Object {
    $gpo = $_
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object {$_.Permission -eq "GpoApply"} |
        Select-Object @{N="GPO";E={$gpo.DisplayName}},
                      @{N="Trustee";E={$_.Trustee.Name}},
                      Permission,
                      Denied
} | Format-Table -AutoSize

The Denied column matters: a Deny entry is reported with Permission GpoApply and Denied True, so without it a group that is explicitly excluded would look like a group that receives the GPO.

This report quickly identifies GPOs that still apply to all Authenticated Users versus those that have been scoped to specific groups, supporting both security reviews and documentation requirements.
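The report can go one step further and flag the two conditions discussed earlier: GPOs that still apply to all Authenticated Users, and GPOs where computer accounts have lost Read permission. The following is an added example, not code from the original article; it assumes the GroupPolicy module is installed, and the function name Get-GpoSecurityFilterReport is this example's own. The "computers can read" test is a simplification that only checks for Authenticated Users or Domain Computers holding a Read-or-better permission.

```powershell
# Added example: per-GPO security filter health report.
Import-Module GroupPolicy

function Get-GpoSecurityFilterReport {
    # Permission levels that include Read on the GPO object
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All

        # Allow entries that actually apply the GPO
        $applyTo = $perms |
            Where-Object { $_.Permission.ToString() -eq 'GpoApply' -and -not $_.Denied } |
            ForEach-Object { $_.Trustee.Name }

        # Explicit Deny entries (any level)
        $denied = $perms |
            Where-Object { $_.Denied } |
            ForEach-Object { $_.Trustee.Name }

        # Principals that can at least read the GPO
        $readers = $perms |
            Where-Object { -not $_.Denied -and $_.Permission.ToString() -in $readLevels } |
            ForEach-Object { $_.Trustee.Name }

        # Simplified check for the MS16-072 condition: computer accounts need
        # Read, which Authenticated Users or Domain Computers normally provide
        $computersCanRead = ($readers -contains 'Authenticated Users') -or
                            ($readers -contains 'Domain Computers')

        [pscustomobject]@{
            GPO               = $gpo.DisplayName
            AppliesTo         = ($applyTo -join ', ')
            DeniedTo          = ($denied -join ', ')
            AppliesToEveryone = ($applyTo -contains 'Authenticated Users')
            ComputersCanRead  = $computersCanRead
        }
    }
}

# Show only the GPOs that need attention
Get-GpoSecurityFilterReport |
    Where-Object { $_.AppliesToEveryone -or -not $_.ComputersCanRead -or $_.DeniedTo } |
    Format-Table -AutoSize
```

A GPO with ComputersCanRead False is the case described under "How Security Filtering Works": its user-side settings will not be applied until Domain Computers (or Authenticated Users) is given Read. Run the report after every filtering change and keep the output with the change record.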