GPO not applied - with WMI


  • Hi there,

    I got a Windows SBS 2011 server with Windows 7 clients and created a GPO for 1 particular PC.

    Windows 7 computer named "Computer02".
    Created a gpo containing registry settings under the user section of the GPO.
    Applied the GPO to the users OU
    Created a WMI filter containing the following and applied to the GPO:
    SELECT * FROM Win32_ComputerSystem WHERE Name LIKE '%COMPUTER02%'

    Removed the authenticated users from the security filter on the GPO and added the user who logs in to Computer02 to the security filtering (so default read / execute).

    GPresult on server in GPMC shows inaccessible.
    Then tried the following: removed the user and re-added authenticated users and did another result, guess what... it applied.

    No, I am not satisfied as this is against the entire model I learned so please tell me where it went wrong.

    Further investigation:
    I changed the permission of the user to full control on the delegation tab in the GPO and still it is not applying.

    I am suspecting that the GPO is not being loaded with the user's privileges but with something else, like the network account or something like that.


    • Edited by dre2008 Sunday, January 31, 2016 9:48 AM Typo
    Saturday, January 30, 2016 1:31 PM

All replies

  • Windows 7 computer named "Computer02".

    SELECT * FROM Win32_ComputerSystem WHERE Name LIKE '%COMPUTER2%'

    "Computer02" is not a match for '%COMPUTER2%', because the % is in the wrong place

    Instead, try: SELECT * FROM Win32_ComputerSystem WHERE Name = 'COMPUTER02'


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Sunday, January 31, 2016 3:05 AM
  • Hello DonPick,

    Good eye, however it was a typo in my question (I always change hostnames to something else).
    I changed it accordingly so the question remains.


    Sunday, January 31, 2016 9:48 AM
  • > GPresult on server in GPMC shows inaccessible.
    GPMC also shows you user group memberships at the time of gpo
    processing. Everything correct here?
    Monday, February 1, 2016 10:52 AM
    Yes, everything is correct and everything has been set up correctly. Just when authenticated users are set in the scope the GPO works, else inaccessible... I just don't get it. What am I missing here? It is plain, the correct user is added and the WMI is set to the computer. It is applied to the correct OU but only works if I add the authenticated users....


    Thursday, February 4, 2016 7:00 PM
  • So, you want to apply a user-based registry setting, to any user in the linked user-OU, but only if they are logging onto a specifically-named computer?

    Instead of WMI filtering, try Item Level Targeting.

    Or try Loopback.

    Authenticated Users is composed of Domain Users + Domain Computers.
    It sounds like your WMI filter scenario will not succeed, due to the cross-context of user object vs computer object, in a WMI filter scenario.

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Proposed as answer by Jay Gu (Moderator) Monday, February 15, 2016 2:28 AM
    • Unproposed as answer by dre2008 Thursday, February 18, 2016 5:30 PM
    Thursday, February 4, 2016 8:33 PM
  • Hi DonPick,

    I think we are heading in the right direction here.
    Valid point about item level targeting and this will work.
    Loopback processing won't work in my scenario.

    Although you provide me with a great workaround, I still don't understand why my policy does work with authenticated users and not with just the concerning user.

    I even added the computer in the security filtering just in case the computer also needed read and apply permissions for the GPO.

    So what does the authenticated users group include that the user itself and the computer itself don't?
    It must be something, but what?


    Friday, February 5, 2016 4:53 PM
  • Does anyone have the answer as to why this occurs?

    The workaround is great but it is not the solution.

    thanks :)


    Thursday, February 18, 2016 5:31 PM
  • is this a single forest/single domain scenario?

    or are you using multi-domain or child-domain or trusts?

    (those add complexity into the situation ;)

    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Thursday, February 18, 2016 8:19 PM
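
One way to check the two conditions discussed in this thread on the client itself: whether the WMI filter query returns a match there, and which trustees hold Read or Apply on the GPO. This is an added example, not part of any post above; the GPO name is a placeholder, and the second step assumes the GroupPolicy module (GPMC/RSAT) is installed where the script runs.

```powershell
# Added example, not from the thread. Run in Windows PowerShell on the affected
# client; step 2 needs the GroupPolicy module (GPMC/RSAT).
# $GpoName is a placeholder; $Queries holds the two filter texts quoted in the thread.
param(
    [string]  $GpoName = 'PLACEHOLDER-GPO-NAME',
    [string[]]$Queries = @(
        "SELECT * FROM Win32_ComputerSystem WHERE Name LIKE '%COMPUTER2%'",
        "SELECT * FROM Win32_ComputerSystem WHERE Name = 'COMPUTER02'"
    )
)

# Step 1: a WMI filter passes when its query returns at least one instance.
function Test-WmiFilterQuery {
    param([string]$Wql, [string]$Namespace = 'root\CIMv2')
    try {
        # Get-WmiObject is used because it exists in PowerShell 2.0 on Windows 7.
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Wql -ErrorAction Stop)
        return ($hits.Count -gt 0)
    } catch {
        Write-Warning "Query failed ($Wql): $($_.Exception.Message)"
        return $false
    }
}

"Local computer name: $env:COMPUTERNAME"
foreach ($q in $Queries) {
    "{0,-5}  {1}" -f (Test-WmiFilterQuery -Wql $q), $q
}

# Step 2: list every trustee and its permission level on the GPO. The
# Security Filtering list in GPMC corresponds to trustees with GpoApply.
# Depending on the Windows release the cmdlet is named Get-GPPermissions or
# Get-GPPermission, so use whichever name this machine has.
Import-Module GroupPolicy -ErrorAction SilentlyContinue
$cmd = Get-Command Get-GPPermission, Get-GPPermissions -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $cmd) {
    Write-Warning 'GroupPolicy module not available; skipping permission listing.'
} else {
    & $cmd -Name $GpoName -All |
        Select-Object @{n='Trustee';e={$_.Trustee.Name}},
                      @{n='Type';e={$_.Trustee.SidType}},
                      Permission, Denied |
        Sort-Object Permission, Trustee |
        Format-Table -AutoSize
}
```

Comparing this output with `gpresult /r /scope user` run as the affected user shows whether the GPO was filtered out by the WMI filter or by security filtering.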