5 Common Issues with Group Policy Preferences

Published on
12,860 Points
4 Endorsements
Last Modified:
Are your Group Policy Preferences not applying? Most of the time, these issues will come down to a handful of items and misconfigurations. As awesome as they may be, Group Policy Preferences (GPPs) gave us a whole new set of challenges and a few new ways to troubleshoot. Let's go through the top ways to troubleshoot preferences (and learn a few performance tricks on the way)!

1. Preference Can't Process

If the GPO containing the preference isn't applying to the computer/user, then the preference can't process. If you are starting with a new GPO (or changing the scope), you still have to ensure that the GPO is linked and filtered correctly. WMI, which allows conditional processing, tends to be a culprit as well. Any WMI filter will still have to evaluate to true for the object that is processing the GPO. This applies even if you are using Item Level Targeting. You can easily test your WMI filters by using the WMI Filter Validation Utility on GPOGuy.com

2. User or Computer Preference

A common mistake in Group Policy is applying computer node settings to users and user node settings to computers (without loopback). Preferences are a bit more flexible on this as everything in the computer node (but Shares and Services) exist on the user node . Just keep in mind that if you are going to configure Internet Options, set a default Printer, or edit the Start Menu, the GPO will need to be linked to a user OU or a computer OU with Loopback enabled.

3. Item Level Targeting (ILT)

I absolutely love me some ILTs - almost as much as BLTs! ILTs allow you to take the conditional power of WMI and granularly apply statements to individual preference items. ILTs do bring some complexity though as you have an entirely new filter level to evaluate. The two big issues that I faced were with the OR statements and the IS NOT statements. Here is an example:

ILT Example 1
In the picture above every machine will get this preference if the OS is Windows 8 or the computer is in one of the two listed OUs. Machines running Windows 8 that aren't a member of those two OUs will still have this preference applied to them! To get around this, you can use the blue up/down arrows to reorder the items. By pushing the OS item down, the OS target becomes an ADD statement:

ILT Example 2
You could also create a collection and nest both OU items within it:

ILT Example 3
4. OU Path Changes

In our example above, we are using OUs in our ILTs instead of Security Groups. Filtering by OU is a heck of a lot faster than filtering by groups. OUs have one downside though - if you change the OU name or move the OU, the ILT breaks. It will not automatically update itself with the new name/location.

As a note, you can rename Groups without breaking an ILT as they are linked by unique SIDs.

5. CRUD!

Choosing the right method (Create/Replace/Update/Delete) will ensure your preference applies and carries your configuration. Let's say you are currently deploying network printers with Preferences. Because you love efficiency, your printers are set to Create. You get a request to enable Duplexing on a Printer. You do so but the duplex setting is never copied to the clients.

For your clients to reapply the setting, you will need to change your setting from Create to Update or Replace. This same problem applies to other Preference extensions, most notably: Power Options and Scheduled Tasks.

6. F5-F8

Certain Preferences, like the Start Menu or Internet Explorer Settings, mimic the GUI menus from the actual OS. While it makes configuring the preference easier, it does add one potential problem. Not every item in the preference is enabled by default.

In the picture above, notice how certain settings within the Internet Explorer preference have red or green lines under them. Any preference with a red line will be disabled within the preference. Preferences with a green line are enabled.

If I wanted to enable the HomePage setting, I could enable it by pressing F5. This would enable every setting on this tab. If I selected the HomePage setting first, I could solely enable it by pressing F6.

Those are the top problems that I've faced with Preferences! What issue have you seen? Let me know and I will expand this list!

This article first appeared on my blog, DeployHappiness.com

Featured Post

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Join & Write a Comment

This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month