Select Page

I was playing around with some scenarios related to "item-level targeting" (ILT) in Group Policy Preferences and was reminded of a significant limitation in this newer as it relates to Resultant Set of Policy reporting. What I was doing was creating a GPO that contains some GP Preferences registry settings, and then using item-level targeting to control which machine groups got those registry settings. However, when I went into GPMC and ran a GP Results (RSoP) report against one of my test machine, it showed my test GPO in the "Applied GPOs" section of the report, even though I knew that it had not passed the item-level target filter.

This pecularity caused me to dredge up a distant memory about a limitation in the way GP Preferences interacts with RSoP–namely, RSoP is incapable of deciphering whether a machine has passed an item-level target. So, even though the registry setting was blocked from being processed by the machine because it was not in the correct group, RSoP saw no reason why the GPO should not apply, since it was linked and security group filtered (using normal security group filtering) in a way that told it that everything was good.

This could very easily bite you as you leverage GPP more, so I thought it would be useful to re-iterate it here for everyone’s benefit. In short, if you use ILT to control which policy settings apply to a computer or user, RSoP will not reflect whether the ILT filter passed or failed. It will only reflect the "normal" means of filtering through linking, security group filtering and WMI filters.