You use item-level targeting in a Group Policy Preferences (GPP) item on Windows 8.1 or Windows Server 2012 R2 computers. When you try to filter for Computer DNS Name, the result is not what you expect. Regardless of the value in the filter, a "True" value is always returned.
When this issue occurs, the Group Policy Object is incorrectly applied to all computers in the organizational unit (OU).
Steps to reproduce this issue
- Create an Active Directory domain.
- Join a computer that is running Windows 8.1 and a computer that is running Windows 10 Version 1607 or a later version to the domain.
- Add the Windows 8.1 and Windows 10 computer accounts to a new OU.
- Link a new Group Policy Object (GPO) to the OU.
- Define a Group Policy folder item, and then create the following folder:
- Define item-level targeting for the item, and match it against an existing DNS computer name that belongs to another computer in the domain. For example, use the name of the DC, “DC1.contoso.com”.
- Refresh Group Policy for the computer.
- Problematic behavior: The test folder is created on the computer that is running Windows 8.1, although the filter should not match.
- Correct behavior: The test folder is not created on the computer that is running Windows 10 Version 1607 or a later version.
For diagnostics, you enable the computer trace log for the GPP item. For example, see http://gpsearch.azurewebsites.net/#4913.
Group Policy Computer trace file for Windows 8.1
<Time stamp> [pid=0x3b4,tid=0x510] Starting class <Folder> - TEST1.
<Time stamp> [pid=0x3b4,tid=0x510] Starting filter [AND FilterComputer].
<Time stamp> [pid=0x3b4,tid=0x510] Adding child elements to RSOP.
<Time stamp> [pid=0x3b4,tid=0x510] Passed filter [FilterComputer].
<Time stamp> [pid=0x3b4,tid=0x510] Filters passed.
The implementation retrieves the IP addresses for the local computer name and the name in the GPP. The names are considered to match if they both use the same IP address.
To compare the IP address, the implementation accesses an incorrect memory location that always has the same data. Therefore, the names are always considered to match.
To fix this issue, upgrade the computers that are trying to apply DNS item-level targeting to Windows 10 Version 1607 or Windows Server 2016 Version 1607, or to a later version of either.
Note This issue is fixed in the Version 1607 release of Windows 10 and Windows Server 2016. There is no fix for Windows 10 Version 1511.
To work around this issue, configure item-level targeting to filter for the COMPUTERNAME environment variable. Or, use NETBIOS name matching if it provides a sufficiently good match.
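To find which preference items need the workaround above, the following added example (not Microsoft's code) lists GPP items whose item-level targeting uses a DNS computer-name filter. It assumes the on-disk GPP XML layout in which a Filters block holds a FilterComputer element with type="DNS"; the function name Get-DnsComputerFilter and the sample XML are constructed for illustration.

```powershell
# Added example: list GPP items whose item-level targeting uses the DNS
# computer-name filter, so they can be re-targeted with the workaround.
# Assumption: <Filters> holds <FilterComputer type="DNS" name="..."/>.
function Get-DnsComputerFilter {
    param(
        [Parameter(Mandatory = $true)] [string] $XmlText,
        [string] $Source = '(inline sample)'
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)
    # Filters may be nested in collections, so search every descendant.
    foreach ($filter in $doc.SelectNodes("//Filters//FilterComputer[@type='DNS']")) {
        # Walk up to <Filters>; its parent is the preference item itself.
        $node = $filter
        while ($node.LocalName -ne 'Filters') { $node = $node.ParentNode }
        $item = $node.ParentNode
        [pscustomobject]@{
            Source     = $Source
            ItemType   = $item.LocalName
            ItemName   = $item.GetAttribute('name')
            TargetName = $filter.GetAttribute('name')
        }
    }
}

# Constructed sample (trimmed; not copied from a real GPO).
$sample = @'
<Folders>
  <Folder name="TEST1">
    <Properties action="C" path="C:\ExampleFolder" />
    <Filters>
      <FilterComputer bool="AND" not="0" type="DNS" name="DC1.contoso.com" />
    </Filters>
  </Folder>
  <Folder name="TEST2">
    <Properties action="C" path="C:\ExampleFolder2" />
    <Filters>
      <FilterComputer bool="AND" not="0" type="NETBIOS" name="DC1" />
    </Filters>
  </Folder>
</Folders>
'@

# Run the audit against the constructed sample.
Get-DnsComputerFilter -XmlText $sample | Format-Table -AutoSize

# Domain-wide audit (the path placeholders must be filled in):
# Get-ChildItem '\\<domain>\SYSVOL\<domain>\Policies' -Recurse -Filter *.xml |
#   ForEach-Object { Get-DnsComputerFilter (Get-Content $_.FullName -Raw) $_.FullName }
```

Any item this reports is applied to every Windows 8.1 or Windows Server 2012 R2 computer in scope of the GPO, so review those items first.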
For more information about how to configure Group Policy to use the DNS method of computer name targeting for the suggested workaround, see the following topics: