Can't use "Computers" container in Active Directory as object for security filtering in GPO

I think you're confusing GPO security filtering and GPO hierarchical scope. The security filtering ACLs only deal with accounts and groups, never with containers. On the other hand, GPOs can be linked directly underneath any OU (though not underneath built-in containers) without the need for security filtering. Groups and containers are not the same thing.

So if you want a GPO to apply to all computers, you don't need to mess around with security filtering at all. The default GPO security filtering ACLs already allow the GPO to be applied to any user and any computer. (You probably removed those unnecessarily.)

(But if for some reason you want a GPO to be only reachable by machine accounts but not directly by users, then you can use the built-in Domain Computers group that all machine accounts are members of.)


And just like you already have organizational units for your users, you should do the same for your computers – don't simply dump them all under the "Computers" container... If the GPO must be applied to all PCs, just link it at the domain root, but if it must be applied to specific PCs only, move them to their respective OU and link the policy underneath that OU.
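The steps described in the answer above, as an added PowerShell example that is not part of the original answer. It assumes the RSAT ActiveDirectory and GroupPolicy modules are available; the GPO name and OU name are hypothetical placeholders, and nothing is changed unless the script is run with `-Apply`.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example. 'Workstation Baseline' and 'Workstations' are hypothetical names.
param(
    [string]$GpoName = 'Workstation Baseline',  # hypothetical GPO
    [string]$OuName  = 'Workstations',          # hypothetical target OU
    [switch]$Apply                              # omit to preview with -WhatIf
)

$preview = -not $Apply
$domain  = Get-ADDomain
$ouDn    = "OU=$OuName,$($domain.DistinguishedName)"

# 1. Security filtering is an ACL on the GPO: list trustees (accounts and groups only).
$perms = Get-GPPermission -Name $GpoName -All
$perms | Select-Object @{n='Trustee'; e={$_.Trustee.Name}},
                       @{n='Type';    e={$_.Trustee.SidType}},
                       Permission

# 2. The default filter is Authenticated Users (S-1-5-11) with Read + Apply,
#    which covers every user and every computer. Put it back if it was removed.
$hasDefault = $perms | Where-Object {
    $_.Trustee.Sid.Value -eq 'S-1-5-11' -and $_.Permission -eq 'GpoApply'
}
if (-not $hasDefault) {
    # TargetName is the English group name; adjust on localized domains.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoApply -WhatIf:$preview
}

# 3. Scope comes from where the GPO is linked. The built-in Computers container
#    cannot take a link, so create a real OU and move the machine accounts there.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
    -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $domain.DistinguishedName -WhatIf:$preview
}
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel |
    Move-ADObject -TargetPath $ouDn -WhatIf:$preview

# 4. Link the GPO underneath that OU (New-GPLink reports an error if the link already exists).
#    To reach every PC instead, use -Target $domain.DistinguishedName (the domain root).
New-GPLink -Name $GpoName -Target $ouDn -LinkEnabled Yes -WhatIf:$preview
```

Moving every account into a single OU is only for illustration; with several OUs, filter the `Get-ADComputer` call per OU and link the GPO under each one that needs it.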