Windows Server: what is the difference between Security Filtering (under the Scope tab) and the Delegation tab in Group Policy Management?
If you use the Delegation tab of a GPO and click Advanced, you can assign the Read and Apply permissions to a user or group. If you do this (and if the GPO is linked to the correct level), then the GPO will apply to that user or group. More than this, if you do use the Delegation tab and click Advanced and assign the Read and Apply permissions to a user or group, then that user or group will appear in the Security Filtering section of the GPO.
In reverse, if you edit the Security Filtering section and add a user or group, then that user or group will appear on the Delegation tab, and if you look at Advanced you will see that the user or group has appeared there with the Read and Apply permissions.
So the Security Filtering and the Delegation tab's Advanced section are doing the same thing!
However, using the Delegation tab you can assign additional permissions for the GPO, so you could assign permission to edit the GPO, for example. In short, the Delegation tab is more powerful, but if you just want the GPO to apply to a user or group you can use either the Security Filtering or the Advanced section of the Delegation tab.
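The relationship described in this answer, as an added PowerShell example that is not part of the original post: both tabs are views of one ACL, and Security Filtering shows only the allow entries at the Read + Apply level. The function also reports whether computer accounts can read the GPO, the condition the question on this page connects to the patch. The sample ACL, the `Split-GpoAcl` name, the `GPO Editors` group and the treatment of Authenticated Users as covering computers are assumptions.

```powershell
# Added example. Input rows mirror the Trustee/Permission/Denied fields that
# Get-GPPermission (GroupPolicy module) returns; the sample data is constructed.
function Split-GpoAcl {
    param(
        [Parameter(Mandatory)][object[]]$Acl,
        # Assumption: principals whose allow entry lets computer accounts read the GPO.
        [string[]]$ComputerTrustees = @('Domain Computers', 'Authenticated Users')
    )
    # Permission levels that include read access (GpoCustom is left out on purpose).
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $allowed = @($Acl | Where-Object { -not $_.Denied })

    # Security Filtering view: allow entries at level GpoApply (Read + Apply).
    $filtering = @($allowed | Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee })

    # Delegation view: every entry, including the ones shown under Security Filtering.
    $delegation = @($Acl | ForEach-Object {
        [pscustomobject]@{
            Trustee      = $_.Trustee
            Permission   = $_.Permission
            Denied       = $_.Denied
            InFilterView = ($_.Permission -eq 'GpoApply' -and -not $_.Denied)
        }
    })

    # True when a computer-covering principal holds any read-capable allow entry.
    $computersCanRead = @($allowed | Where-Object {
        $ComputerTrustees -contains $_.Trustee -and $readLevels -contains $_.Permission
    }).Count -gt 0

    [pscustomobject]@{
        SecurityFiltering = $filtering
        Delegation        = $delegation
        ComputersCanRead  = $computersCanRead
    }
}

# Constructed ACL for a hypothetical GPO: Group A filtered in, computers read-only.
$sampleAcl = @(
    [pscustomobject]@{ Trustee = 'Group A';          Permission = 'GpoApply'; Denied = $false }
    [pscustomobject]@{ Trustee = 'Domain Computers'; Permission = 'GpoRead';  Denied = $false }
    [pscustomobject]@{ Trustee = 'GPO Editors';      Permission = 'GpoEdit';  Denied = $false }
)
$views = Split-GpoAcl -Acl $sampleAcl
'Security Filtering: ' + ($views.SecurityFiltering -join ', ')
'Computers can read: ' + $views.ComputersCanRead
$views.Delegation | Format-Table -AutoSize
```

On a domain-joined management host, the same function can be fed from `Get-GPPermission -Name '<GPO name>' -All` by mapping `$_.Trustee.Name`, `$_.Permission` and `$_.Denied` into rows of this shape.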
Daniel
Updated on September 18, 2022
Comments
-
Daniel over 1 year
I notice that anything I add to Security Filtering also appears under Delegation, so I’m not sure how or why they both exist, and if they are redundant or not?

Until now I had been exclusively using Security Filtering to determine whether a GPO gets applied and to which groups, but now there is a new patch to Windows Server which stops my GPOs from applying unless I add Domain Computers to Security Filtering ... (GPOs fail to apply; reason: Inaccessible, Empty, or Disabled; Server 2012 R2 and Windows 10)

This seems very confusing to me, as I always thought that GPO rights would be read independently based on all my experience with Windows privileges. In other words, if I have Bob and Sue in Group A and Bob and Bill and Sarah in Group B, and I add Group A and Group B to a GPO with Read and Apply set, then I expect that the GPO will apply to Bob, Sue, Bill, and Sarah. (Effectively a logical OR operation: if a user is in Group A or Group B, apply the policy).

Therefore, if I add Group A and Domain Computers to the Security Filtering tab, I’d expect the GPO to apply to Bob and Sue, but also to every computer in the domain, effectively rendering Group A redundant, since every computer receiving the GPO will always be part of the domain.

However, the post by user Adwaenyth (GPOs fail to apply; reason: Inaccessible, Empty, or Disabled; Server 2012 R2 and Windows 10) seems to imply that Security Filtering is now operating via an AND kind of logic, where the target must be a member of all groups for the GPO to apply. In my example of Group A and Group B above, then, only Bob would apply the GPO, as he is the only one in both groups.

This whole mystery would be solved for me if I only needed to add Read rights, and not Apply rights, to Domain Computers. But then why do I need to add Domain Computers to Security Filtering where Apply rights are automatically granted? This all comes back again to the same question of what, effectively, is the difference between Security Filtering and Delegation? I’m aware that Delegation is also for granting users and limited admins the ability to edit, modify, or delete a GPO. But what if I use Delegation to manually give an entity Read and Apply rights? Is that the same as putting the entity in Security Filtering?

This question is also posed here: Does a GPO apply if "Security Filtering" tab is empty, but there is a security group in Delegation which has Read and Apply right?
-
Daniel almost 8 years
So the Security Filtering section is basically just a shortcut. The Delegation tab has all the same functionality and more. Thanks!