{"id":456,"date":"2026-03-25T17:11:31","date_gmt":"2026-03-26T00:11:31","guid":{"rendered":"https:\/\/csispecialist.com\/?p=456"},"modified":"2026-03-25T17:11:36","modified_gmt":"2026-03-26T00:11:36","slug":"gpo-security-filtering-best-practices","status":"publish","type":"post","link":"https:\/\/csispecialist.com\/index.php\/2026\/03\/25\/gpo-security-filtering-best-practices\/","title":{"rendered":"GPO Security Filtering: Best Practices"},"content":{"rendered":"\n<p>By default, <em>Authenticated Users<\/em> is added to Security Filtering when creating a GPO, which applies it broadly to all users\/computers \u2014 acceptable for simple environments, but not ideal.<\/p>\n\n\n\n<p>The recommended approach is to target a specific group via Security Filtering. However, a common mistake is removing <em>Authenticated Users<\/em> entirely, which strips the built-in read privileges needed for the GPO to process correctly.<\/p>\n\n\n\n<p><strong>The correct method:<\/strong> Rather than removing <em>Authenticated Users<\/em> from the Scope tab, leave it in place and revoke only its <strong>Read<\/strong> permission via the Delegation tab:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Go to <strong>Delegation \u2192 Advanced<\/strong><\/li>\n\n\n\n<li>Under <em>Authenticated Users<\/em>, uncheck <strong>Read<\/strong><\/li>\n\n\n\n<li>Return to the <strong>Scope<\/strong> tab \u2014 <em>Authenticated Users<\/em> will no longer appear in Security Filtering<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>By default, Authenticated Users is added to Security Filtering when creating a GPO, which applies it broadly to all users\/computers &mdash; acceptable for simple environments, but not ideal. The recommended approach is to target a specific group via Security Filtering. However, a common mistake is removing Authenticated Users entirely, which strips the built-in read privileges &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/csispecialist.com\/index.php\/2026\/03\/25\/gpo-security-filtering-best-practices\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;GPO Security Filtering: Best Practices&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[76],"tags":[101,75],"class_list":["post-456","post","type-post","status-publish","format-standard","hentry","category-windows-active-directory","tag-active-directory","tag-gpo"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/csispecialist.com\/index.php\/wp-json\/wp\/v2\/posts\/456","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/csispecialist.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/csispecialist.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/csispecialist.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/csispecialist.com\/index.php\/wp-json\/wp\/v2\/comments?post=456"}],"version-history":[{"count":1,"href":"https:\/\/csispecialist.com\/index.php\/wp-json\/wp\/v2\/posts\/456\/revisions"}],"predecessor-version":[{"id":457,"href":"https:\/\/csispecialist.com\/index.php\/wp-json\/wp\/v2\/posts\/456\/revisions\/457"}],"wp:attachment":[{"href":"https:\/\/csispecialist.com\/index.php\/wp-json\/wp\/v2\/media?parent=456"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/csispecialist.com\/index.php\/wp-json\/wp\/v2\/categories?post=456"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/csispecialist.com\/index.php\/wp-json\/wp\/v2\/tags?post=456"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}