GetGPOList function obtains list based only on Authenticated Users RRS feed

  • Question

  • I'm currently fixing a service that calls GetGPOList in order to get a list of GPOs that are applied to a computer (not a user).  The service is run upon booting of the computer so there isn't a User logged in.  The service runs on both Windows XP and Windows 7 computers.  There was a hotfix (http://support.microsoft.com/kb/2553771) that, when applied to the Windows 7 computers, allows GetGPOList to function the way that we need it to (i.e. It looks at all the allows and denies that are applied to a particular GPO and not just the ones set by Authenticated User).  However, this hotfix does not apply to Windows XP.  I am currently looking for a way to fix this.

    For a more detailed explanation of what is happening:

    Suppose we have a GPO, the Authenticated Users group ("AU"), another security group (call is "GroupB" for now) which contains the computer ("C"), and the computer ("C").  There are two senarios in which GetGPOList is failing.  Assume "Allow Read" is checked for everything.

    Scenario 1: AU has "Allow Apply Group Policy" checked, but either GroupB or C has "Deny Apply Group Policy" checked.  GetGPOList stsill returns the GPO, but it shouldn't.

    Scenario 2: AU has neither Allow nor Deny is checked for "Apply Group Policy", however, either GroupB or C has "Allow Apply Group Policy" checked.  GetGPOList does not return the GPO, when it is supposed to.

    Any idea or possibly a fix?  Thanks!

    Tuesday, August 7, 2012 3:37 PM