Windows Server: what is the difference between Security Filtering (under the Scope tab) and the Delegation tab in Group Policy Management

I notice that anything I add to Security Filtering also appears under Delegation, so I’m not sure how or why they both exist, or whether they are redundant.

Until now I had been exclusively using Security Filtering to determine whether a GPO gets applied and to which groups, but now there is a new patch to Windows Server which stops my GPOs from applying unless I add Domain Computers to Security Filtering… (GPOs fail to apply; reason: Inaccessible, Empty, or Disabled; Server 2012 R2 and Windows 10)

This seems very confusing to me, as I always thought that GPO rights would be read independently based on all my experience with Windows privileges. In other words, if I have Bob and Sue in Group A and Bob and Bill and Sarah in Group B, and I add Group A and Group B to a GPO with Read and Apply set, then I expect that the GPO will apply to Bob, Sue, Bill, and Sarah. (Effectively a logical OR operation: if a user is in Group A or Group B, apply the policy).

Therefore, if I add Group A and Domain Computers to the Security Filtering tab, I’d expect the GPO to apply to Bob and Sue, but also to every computer in the domain, effectively rendering Group A redundant, since every computer receiving the GPO will always be part of the domain.

However, the post by user Adwaenyth (GPOs fail to apply; reason: Inaccessible, Empty, or Disabled; Server 2012 R2 and Windows 10) seems to imply that Security Filtering is now operating via an AND kind of logic, where the target must be a member of all groups for the GPO to apply. In my example of Group A and Group B above, then, only Bob would apply the GPO, as he is the only one in both groups.

This whole mystery would be solved for me if I only needed to add Read rights, and not Apply rights, to Domain Computers. But then why do I need to add Domain Computers to Security Filtering where Apply rights are automatically granted? This all comes back again to the same question of what, effectively, is the difference between Security Filtering and Delegation? I’m aware that Delegation is also for granting users and limited admins the ability to edit, modify, or delete a GPO. But what if I use Delegation to manually give an entity Read and Apply rights? Is that the same as putting the entity in Security Filtering?

This question is also posed here: Does a GPO apply if "Security Filtering" tab is empty, but there is a security group in Delegation which has Read and Apply right?

Best Answer

If you use the Delegation tab of a GPO and click Advanced, you can assign the Read and Apply permissions to a user or group. If you do this (and if the GPO is linked to the correct level), then the GPO will apply to that user or group. More than this, if you do use the Delegation tab, click Advanced and assign the Read and Apply permissions to a user or group, then that user or group will appear in the Security Filtering section of the GPO.

In reverse, if you edit the Security Filtering section and add a user or group, then that user or group will appear on the Delegation tab, and if you look at Advanced you will see that the user or group has appeared there with the Read and Apply permissions.

So Security Filtering and the Delegation tab's Advanced view are doing the same thing!

However, using the Delegation tab you can assign additional permissions for the GPO, so you could assign permission to edit the GPO, for example. In short, the Delegation tab is more powerful, but if you just want the GPO to apply to a user or group you can use either Security Filtering or the Advanced section of the Delegation tab.
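The same relationship can be seen from the GroupPolicy module: an added example (not code from the question or the answer) that lists every trustee of a GPO, flags which ones hold Read + Apply (and so show up in Security Filtering), and grants a group Read only, which is a Delegation-only entry that does not change who the GPO applies to. It assumes the RSAT GroupPolicy module, a domain-joined session, and a placeholder GPO name "Workstation Baseline".

```powershell
# Added illustration; not code from the original post.
# Assumes the GroupPolicy module (RSAT) and a domain-joined session;
# "Workstation Baseline" is a placeholder for one of your own GPO names.
Import-Module GroupPolicy

function Get-GpoTrusteeScope {
    param([Parameter(Mandatory)][string]$GpoName)
    # -All returns every ACE the Delegation tab (Advanced) shows.
    Get-GPPermission -Name $GpoName -All | ForEach-Object {
        [pscustomobject]@{
            Trustee    = $_.Trustee.Name
            Type       = $_.TrusteeType
            Permission = $_.Permission
            # Only Read + Apply (GpoApply) puts a trustee into Security Filtering;
            # GpoRead on its own is visible only under Delegation.
            InSecurityFiltering = ($_.Permission -eq 'GpoApply')
        }
    }
}

function Grant-GpoReadOnly {
    # Grants Read without Apply: the group can read the GPO but is not
    # a Security Filtering target, so the existing Apply entries still
    # decide who receives the policy.
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string]$Group = 'Domain Computers'
    )
    $current = Get-GPPermission -Name $GpoName -TargetName $Group `
        -TargetType Group -ErrorAction SilentlyContinue
    if ($current -and $current.Permission -ne 'None') {
        return "$Group already has $($current.Permission) on '$GpoName'; nothing changed."
    }
    # No -Replace, so other trustees' Read/Apply entries are left untouched.
    Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
        -PermissionLevel GpoRead | Out-Null
    return "Granted GpoRead (Read only) to $Group on '$GpoName'."
}

Get-GpoTrusteeScope -GpoName 'Workstation Baseline' | Format-Table -AutoSize
Grant-GpoReadOnly -GpoName 'Workstation Baseline'
```

Run Get-GpoTrusteeScope again afterwards: the group appears with Permission GpoRead and InSecurityFiltering False, while the groups added through Security Filtering still show GpoApply.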