Just a quick one here folks, to let people know about a GP issue I heard about last week, that I’ve since learned was introduced as part of an August Windows update. The issue is as follows. In GP Preferences, there’s an option to filter application of individual preference settings based on security groups. This is a common use case. You have a GPP Drive Mapping that only maps the drive if the user is a member of the “Marketing” group, etc. The issue that was introduced essentially prevents you from setting an “Item-level target” for a user as a member of a group. Curiously the computer as a member of a group is still working. Here’s what it looks like in the GP Editor UI:
From this figure, what you see is that the “User in group” option is grayed out. This is the bug. Based on what I’ve seen, it’s definitely in Windows 11 and seemingly also in Windows Server 2022. Shortly after I posted on Twitter about it, I got a response referring me to this great article covering it: Windows August 2024 updates breaks new Item-Level Targeting in GPOs | Born’s Tech and Windows World (borncity.com)
As the blog post mentions near the end, my former Group Policy MVP “partner in crime” Mark Heitbrink has mentioned that this can be worked around by editing the underlying settings xml directly. I think this underscores the point that this bug is a UI bug only. It does not effect existing GPP settings that are using “user in group” targeting and it does not prevent setting this option using other means, as Mark has shown. I also verified that this can still be set using SDM Software’s Group Policy Automation Engine, further confirming that this is a UI bug.
So hopefully Microsoft gets off their collective you-know-whats and fixes this soon, but at least it doesn’t break existing functionality! Small wins…