GPO isn't applying: Access Denied (Security Filtering)
Probably solved by now. Answering to add options. Most likely cause of this is an explicit deny. Either in the GPO's delegation, per @user221530's answer, or in a user or group.
Confirm the scope. See if the user who can't apply GPO has the same problem on multiple machines. Confirm that this is the only user who can't apply the GPO. Write a PowerShell script to simulate GPO RSOP on an affected machine while looping through all the users in all the groups that the affected users are in. If you find a group where all the users in the group have the problem, then you've found where the explicit deny is.
When troubleshooting GPOs, be sure to use the PowerShell cmdlet Get-GpResultantSetOfPolicy
command and send it to an html file. Be sure to run it against the users who cannot apply the GPO and again against the machines affected. The results are searchable. And the listing includes not just the winning GPO, but the list of ones that did not win for each setting. It may give more information than just GPO Access Denied (Security Filtering)
.
In this case
- Check the GPO for delegation permissions
- Check whether the Group Policy being denied is a domain GPO or a local group policy
- Check the users objects in AD for explicit denies
- Look for group membership and a group that might have an explicit deny
- Perhaps reset the permissions on the users' objects inside AD.
If all else fails, back up the user's data, note the memberships and delete and recreate the account.