Security filtering controls which users or computers are allowed to apply a linked GPO. A policy can be linked to the right OU and still not apply if the target principal does not have Read and Apply group policy permissions.
List GPO permissions
Get-GPPermission -Name "Misconfigured Policy" -All
Add a computer group to filtering
Set-GPPermission -Name "Misconfigured Policy" -TargetName "Domain Computers" -TargetType Group -PermissionLevel GpoApply
Add a specific computer
Set-GPPermission -Name "Misconfigured Policy" -TargetName "WS01$" -TargetType Computer -PermissionLevel GpoApply
Add a user group
Set-GPPermission -Name "Misconfigured Policy" -TargetName "Domain Users" -TargetType Group -PermissionLevel GpoApply
Remove a principal from filtering
Set-GPPermission -Name "Misconfigured Policy" -TargetName "Domain Users" -TargetType Group -PermissionLevel None
PowerView ACL review
Import-Module .\PowerView.ps1
$GpoDN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ootw,DC=local"
Get-DomainObjectAcl -Identity $GpoDN -ResolveGUIDs
Linux LDAP review
ldapsearch -LLL -x -H ldap://10.10.10.200 -D "ootw.local\\student" -w 'student' -b "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ootw,DC=local" nTSecurityDescriptor
Force target refresh
Invoke-GPUpdate -Computer ws01.ootw.local -Force -RandomDelayInMinutes 0
Validate from target
gpresult /r
gpresult /h C:\Windows\Temp\gpresult.html
Notes
Security filtering is evaluated after the GPO is linked. Link abuse and filtering abuse often appear together.
Removing Authenticated Users without preserving read permissions for computers can break policy application in confusing ways.