This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
We have a group policy that is reporting the warning below. It concerns adding mainly domain groups into the local administrator group on applicable member servers using Group Policy Preferences. During group policy updates on our member servers, we see this warning. I'm concerned that there is a security risk as some member servers may not be processing this group policy correctly. One possible cause could be the large number of item level targeting entries this group policy has for populating the local admins group as mentioned. Currently we have 45 item level targeting entries. Is this too many ? What's the maximum number of item level targeting entries you can have ?
ProviderName: Group Policy Local Users and Groups
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
06/01/2021 11:59:22 4106 Warning The computer 'Administrators (built-in)' preference item in the 'Tier 1 - Server Platforms Admin and Restrictions {773F2424-D827-4311-9D3E-8A4787E4EDC9}' Group Policy Object did not apply because its
targeting item failed with error code '0x80070057 The parameter is incorrect.' This error was suppressed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
Before going further, would you please confirm the following questions:
Based on my understanding ,only some of the servers not applied the policy ,and some of the servers applied successfully, right?
When you said "45 item level targeting entries." would you please tell more details , how did you configure level targeting entries?
When you run gpupdate /force , the error messages would show, right?
Best Regards,
Hi @Fan Fan . Thanks for replying. Focusing on the original question, is there an upper limit to the number of entries you can have in Group Policy Preferences ?
As for your questions:
Based on my understanding ,only some of the servers not applied the policy ,and some of the servers applied successfully, right?
No, I hadn't said that. To be honest, I can't determine to what extent servers are receiving the policy preference settings, but can confirm that at least some settings are being received by some servers. The error doesn't tell us exactly what settings aren't being applied, if any.
When you said "45 item level targeting entries." would you please tell more details , how did you configure level targeting entries?
Each item entry adds a domain security group to the local administrators group. For the most part, each entry will have an item level targeting entry with a condition that the server is in a given OU.
Item entry samples below. Sorry, but I've had to redact details.
When you run gpupdate /force , the error messages would show, right?
Correct, the aforementioned error is written to the Application Event Log with every group policy update.
Although I haven't got an answer to the question of max # of entries, I have fixed the group policy issue we've been having which has led to this question. I already knew from the original warning entry in the Application Event Log when the erroneous change to the group policy first occurred. With this date in hand I was trying to figure out which item level targeting entry in the Group Policy Preferences was erroneous and, since there were 45 of them, was having a hard time finding them. I noticed after exporting the GP report as an XML file that although the GP report doesn't show modification dates for each entry, the XML file does. This is how I pinpointed the erroneous item level targeting entry and found the configuration error.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 59%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESY%3C/text%3E%3C/svg%3E)
There is no limit just note that it will take time to process these entries in ILT and more entries mean more time to process. That'll lead to longer user login times too.
just out of curiosity... do you remember what was configured in that erroneous ILT entry?