question

PaulAnderson-2864 asked SalYounis-9984 commented

Is There a Limit to the Number of Item Level Targeting Entries You Can Have in Group Policy Preferences?

We have a group policy that is reporting the warning below. It concerns adding mainly domain groups into the local administrator group on applicable member servers using Group Policy Preferences. During group policy updates on our member servers, we see this warning. I'm concerned that there is a security risk as some member servers may not be processing this group policy correctly. One possible cause could be the large number of item level targeting entries this group policy has for populating the local admins group as mentioned. Currently we have 45 item level targeting entries. Is this too many? What's the maximum number of item level targeting entries you can have?

    ProviderName: Group Policy Local Users and Groups

    TimeCreated                     Id LevelDisplayName Message
    -----------                     -- ---------------- -------
    06/01/2021 11:59:22           4106 Warning          The computer 'Administrators (built-in)' preference item in the 'Tier 1 - Server Platforms Admin and Restrictions {773F2424-D827-4311-9D3E-8A4787E4EDC9}' Group Policy Object did not apply because its targeting item failed with error code '0x80070057 The parameter is incorrect.' This error was suppressed.



Hi,
Before going further, would you please confirm the following questions:
Based on my understanding, only some of the servers did not apply the policy, and some of the servers applied it successfully, right?
When you said "45 item level targeting entries", would you please give more details: how did you configure the item level targeting entries?
When you run gpupdate /force, the error messages would show, right?
Best Regards,

0 Votes 0 ·

Hi @FanFan-MSFT. Thanks for replying. Focusing on the original question, is there an upper limit to the number of entries you can have in Group Policy Preferences?

As for your questions:

Based on my understanding, only some of the servers did not apply the policy, and some of the servers applied it successfully, right?

No, I hadn't said that. To be honest, I can't determine to what extent servers are receiving the policy preference settings, but can confirm that at least some settings are being received by some servers. The error doesn't tell us exactly what settings aren't being applied, if any.

When you said "45 item level targeting entries", would you please give more details: how did you configure the item level targeting entries?

Each item entry adds a domain security group to the local administrators group. For the most part, each entry will have an item level targeting entry with a condition that the server is in a given OU.

0 Votes 0 ·

Item entry samples below. Sorry, but I've had to redact details.

54435-image.png
54436-image.png

When you run gpupdate /force, the error messages would show, right?

Correct, the aforementioned error is written to the Application Event Log with every group policy update.


0 Votes 0 ·

1 Answer

PaulAnderson-2864 answered SalYounis-9984 commented

Although I haven't got an answer to the question of max # of entries, I have fixed the group policy issue we've been having which has led to this question. I already knew from the original warning entry in the Application Event Log when the erroneous change to the group policy first occurred. With this date in hand I was trying to figure out which item level targeting entry in the Group Policy Preferences was erroneous and, since there were 45 of them, was having a hard time finding them. I noticed after exporting the GP report as an XML file that although the GP report doesn't show modification dates for each entry, the XML file does. This is how I pinpointed the erroneous item level targeting entry and found the configuration error.
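The approach described in this answer, sketched in PowerShell as an added example (not part of the original post): list every preference item in a GPO XML report with its `changed` timestamp and targeting filters, so the item edited around the date the warning first appeared stands out. The sample report is constructed, and the function name `Get-GppItemChange`, the `EXAMPLE` domain, and the assumption that each item carries `changed` and `uid` attributes with its targeting under a `Filters` element are assumptions of this example.

```powershell
# Constructed sample of a GPO XML report fragment (names, uids and dates are placeholders).
$sampleReport = @'
<GPO><Computer><ExtensionData><Extension><LocalUsersAndGroups>
  <Group name="Administrators (built-in)" changed="2020-11-02 09:15:40" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" groupName="Administrators (built-in)">
      <Members><Member name="EXAMPLE\SQL-Admins" action="ADD" /></Members>
    </Properties>
    <Filters><FilterOrgUnit bool="AND" not="0" name="OU=SQL,OU=Servers,DC=example,DC=com" /></Filters>
  </Group>
  <Group name="Administrators (built-in)" changed="2021-01-05 16:42:07" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" groupName="Administrators (built-in)">
      <Members><Member name="EXAMPLE\Web-Admins" action="ADD" /></Members>
    </Properties>
    <Filters><FilterOrgUnit bool="AND" not="0" name="OU=Web,OU=Servers,DC=example,DC=com" /></Filters>
  </Group>
</LocalUsersAndGroups></Extension></ExtensionData></Computer></GPO>
'@

function Get-GppItemChange {
    # Hypothetical helper: emits one row per preference item changed on or after -Since.
    param(
        [Parameter(Mandatory)][xml]$Report,
        [datetime]$Since = [datetime]::MinValue
    )
    # Match on attributes only, so XML namespaces in a real report do not matter.
    foreach ($item in $Report.SelectNodes('//*[@changed and @uid]')) {
        $changed = [datetime]::Parse($item.GetAttribute('changed'), [cultureinfo]::InvariantCulture)
        if ($changed -lt $Since) { continue }
        $members = $item.SelectNodes(".//*[local-name()='Member']") |
            ForEach-Object { $_.GetAttribute('name') }
        $filters = $item.SelectNodes("*[local-name()='Filters']/*") |
            ForEach-Object { '{0}: {1}' -f $_.LocalName, $_.GetAttribute('name') }
        [pscustomobject]@{
            Changed   = $changed
            Item      = $item.GetAttribute('name')
            Uid       = $item.GetAttribute('uid')
            Members   = $members -join ', '
            Targeting = $filters -join '; '
        }
    }
}

# Real use (GroupPolicy module): $report = Get-GPOReport -Guid '<GPO GUID>' -ReportType Xml
# Here the constructed sample is filtered to items changed since a constructed cut-off date.
Get-GppItemChange -Report $sampleReport -Since '2021-01-01' |
    Sort-Object Changed -Descending |
    Format-Table -AutoSize -Wrap
```

With the constructed sample, only the second item (changed 2021-01-05) is listed, which narrows 45 entries down to the ones edited near the first occurrence of event 4106.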


There is no limit; just note that it will take time to process these entries in ILT, and more entries mean more time to process. That'll lead to longer user login times too.
Just out of curiosity... do you remember what was configured in that erroneous ILT entry?

0 Votes 0 ·