Recently, I created a standardized signature in Microsoft Exchange 2013 for a new business group.

At the same time, I created a Microsoft group policy to prevent users from creating new or using an existing signature in Microsoft Outlook.

Since this should apply only to the new business group, I specified the same business group under Security Filtering within this group policy.

For some reason, however, this group policy did not apply even after running gpudate/force on and even rebooting user’s workstation. Upon running gpresult /h c:\result.html, I noticed that the group policy name was shown as a GUID, and it was denied due to Inaccessible.

As a result, users could still access the signature field when composing a new email in Microsoft Outlook.

Upon further research, it turns out this was due to security update MS16-072.

I then followed the suggestion and resolved this issue by adding Domain Computers with only Read permission to Delegation of this group policy.

You can further verify this permission by clicking Advanced… on the bottom of the same screen.

After another round of running gpudate/force and rebooting user’s workstation, I ran gpresult /h c:\result.html again. This time the group policy applied properly. Also, it is showing the correct name for this group policy.

Finally, I launched Microsoft Outlook and confirmed I could no longer create new or use the existing signature as the field is now absent altogether.

I hope you find this post helpful.