Group Policy Preferences Not Applying? Most of the time, our issues will come down to a handful of items and misconfigurations. As awesome as they may be, Group Policy Preferences (GPPs) gave us a whole new set of challenges and a few new ways to troubleshoot. Let’s go through the top ways to troubleshoot preferences (and learn a few performance tricks on the way)!
1. Preference Can’t Process
If the GPO containing the preference isn’t applying to the computer/user, then the preference can’t process. If you are starting with a new GPO (or changing the scope), you still have to ensure that the GPO is linked and filtered correctly. WMI, which allows conditional processing, tends to be a culprit as well. Any WMI filter will still have to evaluate to true for the object that is processing the GPO. This applies even if you are using Item Level Targeting. You can easily test your WMI filters by using the WMI Filter Validation Utility on the Tool Page.
2. User or Computer Preference
A common mistake in Group Policy is applying computer node settings to users and user node settings to computers (without loopback). Preferences are a bit more flexible on this. Everything in the computer node but Shares and Services exist on the user node . Just keep in mind that if you are going to configure Internet Options, set a default Printer, or edit the Start Menu, the GPO will need to be linked to a user OU or a computer OU with Loopback enabled.
3. Item Level Targeting (ILT)
I absolutely love me some ILTs – almost as much as BLTs! ILTs allow you to take the conditional power of WMI and granularly apply statements to individual preference items. ILTs do bring some complexity though as you have an entirely new filter level to evaluate. The two big issues that I faced were with the OR statements and the IS NOT statements. Here is an example:
In the picture above every machine will get this preference if the OS is Windows 8 or the computer is in one of the two listed OUs. Machines running Windows 8 that aren’t a member of those two OUs will still have this preference applied to them! To get around this, you can use the blue up/down arrows to reorder the items. By pushing the OS item down, the OS target becomes an ADD statement:
You can also create a collection and nest both OU items within it:
4. OU Path Changes
In our example above, we are using OUs in our ILTs instead of Security Groups. Filtering by OU is a heck of a lot faster than filtering by groups. OUs have one downside though – if you change the OU name or move the OU, the ILT breaks. It will not automatically update itself with the new name/location.
As a note, you can rename Groups without breaking an ILT as they are linked by unique SIDs.
Choosing the right method (Create/Replace/Update/Delete) will ensure your preference applies and carries your configuration. Let’s say you are currently deploying network printers with Preferences. Because you love efficiency, your printers are set to Create. You get a request to enable Duplexing on a Printer. You do so but the duplex setting is never copied to the clients.
For your clients to reapply the setting, you will need to change your setting from Create to Update or Replace. This same problem applies to other Preference extensions, most notably: Power Options and Scheduled Tasks.
Those are the top problems that I’ve faced with Preferences! What issue have you seen? Let me know and I will expand this list! If you haven’t already, consider enabling Group Policy logging for certain Preferences. When logging (and event forwarding) are enabled, you will receive notifications when marked preferences fail. This allows you to know when a printer deployment errors out, a drive mapping no longer works, etc. Here is a guide on setting this feature up.