By default, Authenticated Users is added to Security Filtering when creating a GPO, which applies it broadly to all users/computers — acceptable for simple environments, but not ideal.
The recommended approach is to target a specific group via Security Filtering. However, a common mistake is removing Authenticated Users entirely, which strips the built-in read privileges needed for the GPO to process correctly.
The correct method: Rather than removing Authenticated Users from the Scope tab, leave it in place and revoke only its Read permission via the Delegation tab:
- Go to Delegation → Advanced
- Under Authenticated Users, uncheck Read
- Return to the Scope tab — Authenticated Users will no longer appear in Security Filtering
