{"id":456,"date":"2026-03-25T17:11:31","date_gmt":"2026-03-26T00:11:31","guid":{"rendered":"https:\/\/csispecialist.com\/?p=456"},"modified":"2026-03-25T17:11:36","modified_gmt":"2026-03-26T00:11:36","slug":"gpo-security-filtering-best-practices","status":"publish","type":"post","link":"https:\/\/csispecialist.com\/index.php\/2026\/03\/25\/gpo-security-filtering-best-practices\/","title":{"rendered":"GPO Security Filtering: Best Practices"},"content":{"rendered":"\n

By default, Authenticated Users<\/em> is added to Security Filtering when creating a GPO, which applies it broadly to all users\/computers \u2014 acceptable for simple environments, but not ideal.<\/p>\n\n\n\n

The recommended approach is to target a specific group via Security Filtering. However, a common mistake is removing Authenticated Users<\/em> entirely, which strips the built-in read privileges needed for the GPO to process correctly.<\/p>\n\n\n\n

The correct method:<\/strong> Rather than removing Authenticated Users<\/em> from the Scope tab, leave it in place and revoke only its Read<\/strong> permission via the Delegation tab:<\/p>\n\n\n\n

    \n
  1. Go to Delegation \u2192 Advanced<\/strong><\/li>\n\n\n\n
  2. Under Authenticated Users<\/em>, uncheck Read<\/strong><\/li>\n\n\n\n
  3. Return to the Scope<\/strong> tab \u2014 Authenticated Users<\/em> will no longer appear in Security Filtering<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"

    By default, Authenticated Users is added to Security Filtering when creating a GPO, which applies it broadly to all users\/computers — acceptable for simple environments, but not ideal. The recommended approach is to target a specific group via Security Filtering. However, a common mistake is removing Authenticated Users entirely, which strips the built-in read privileges … <\/p>\n

    Continue reading “GPO Security Filtering: Best Practices”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[76],"tags":[101,75],"class_list":["post-456","post","type-post","status-publish","format-standard","hentry","category-windows-active-directory","tag-active-directory","tag-gpo"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t