GPO Security Filtering: Best Practices

By default, Authenticated Users is added to Security Filtering when creating a GPO, which applies it broadly to all users/computers — acceptable for simple environments, but not ideal.

The recommended approach is to target a specific group via Security Filtering. However, a common mistake is removing Authenticated Users entirely, which strips the built-in read privileges needed for the GPO to process correctly.

The correct method: Rather than removing Authenticated Users from the Scope tab, leave it in place and revoke only its Read permission via the Delegation tab:

  1. Go to Delegation → Advanced
  2. Under Authenticated Users, uncheck Read
  3. Return to the Scope tab — Authenticated Users will no longer appear in Security Filtering

GPO does not apply when using custom user groups

The simplest method of using a custom user group is to remove the “Authenticated Users” group and add the custom user group you created. This is what everyone says, including Microsoft. The problem is that now the GPO does not apply anywhere. There are a lot of things attached to “Authenticated Users”, like computers and special permissions, that you lose when you remove it entirely. So if you keep it there and just remove the apply privilege, the custom groups will work correctly without needing to figure out what needs to be added.

The simple method is not to remove but to modify the “Authenticated Users” group. Go ahead and add the custom user group either before or after this modification.

Go to the Delegation tab and click Advanced. Then select “Authenticated Users”, remove the check from “Apply group policy”, and apply. After doing this you can go back to Scope and “Authenticated Users” will not be there. The group policy is now ready for use.
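The same Delegation-tab change can be scripted and then audited across the domain. This is an added example, not part of the original page; it assumes the GroupPolicy PowerShell module that ships with GPMC/RSAT, and the GPO name, group name and the `Get-GpoFilteringReport` helper are hypothetical placeholders.

```powershell
# Added example: script the "untick Apply group policy" change, then audit all GPOs.
Import-Module GroupPolicy

$GpoName     = 'Example - Workstation Lockdown'   # placeholder GPO name
$TargetGroup = 'GPO-Example-Users'                # placeholder custom group

# Keep Authenticated Users on the ACL with Read only. -Replace swaps the default
# "Read + Apply group policy" entry for GpoRead instead of leaving it untouched.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# The custom group receives Read + Apply group policy, so it shows up in Security Filtering.
Set-GPPermission -Name $GpoName -TargetName $TargetGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Audit helper (hypothetical name): classify every GPO by how Authenticated Users is set.
function Get-GpoFilteringReport {
    foreach ($gpo in Get-GPO -All) {
        $acl = Get-GPPermission -Guid $gpo.Id -All

        # Match on the well-known SID (S-1-5-11) so localized names do not matter.
        $auth = $acl | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' }

        # Trustees that currently hold "Apply group policy".
        $appliers = ($acl | Where-Object { $_.Permission -eq 'GpoApply' }).Trustee.Name

        $status = if (-not $auth) {
            'Authenticated Users removed entirely: review, GPO may not process'
        } elseif ($auth.Permission -contains 'GpoApply') {
            'Default: applies to all authenticated users and computers'
        } else {
            'Filtered: Authenticated Users kept without Apply group policy'
        }

        [pscustomobject]@{
            Gpo      = $gpo.DisplayName
            Status   = $status
            AppliesTo = ($appliers -join ', ')
        }
    }
}

Get-GpoFilteringReport | Sort-Object Status, Gpo | Format-Table -AutoSize -Wrap
```

GPOs reported as "removed entirely" are the ones matching the failure described above, where the custom group was added but the policy applies nowhere.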
