LKBEN11385: Windows 2003 GPO cannot be disabled for Domain-Admins


GPO is applied to Domain-Admins although configured with "no access"


Computer account is member of "Authenticated Users"


If a GPO will be applied/not applied through security filtering, although the opposite was expected, check membership of computer- and user accounts with "Active Directory users and computers" Snap-in.

In order to limit a GPO with security filtering, make sure to remove "Athenticated Users" Group - otherwise the users-portion will be applied to all users in any case.

The reason for this behavior lies in the computer account, which also belongs to the "Authenticated Users" Group.

In order to apply a group policy to certain computers, define an Active Directory security group, make the computer account(s) a member and assign this group to the security filtering in the scope tab of the group policy management console (gpmc).


The information provided in this document is intended for your information only. Lubby makes no claims to the validity of this information. Use of this information is at own risk!

About the Author

Author: Wim Peeters - Keskon GmbH & Co. KG

Wim Peeters is electronics engineer with an additional master in IT and over 30 years of experience, including time spent in support, development, consulting, training and database administration. Wim has worked with SQL Server since version 6.5. He has developed in C/C++, Java and C# on Windows and Linux. He writes knowledge base articles to solve IT problems and publishes them on the Lubby Knowledge Platform.