Share via

Issue Applying the GPO to ONLY Computer group

Simone Oddi 0 Reputation points
2025-08-05T16:33:46.4366667+00:00

Good afternoon,

I am trying to deploy a group policy that will apply a background image to only a specific group of computers.

Insights:

My company has on-prem servers and Azure hosted servers that are domain joined. The users (about 90) they log in to their company issued computer and all the remote servers using their AD account.

I want to deploy a GPO that will apply a custom background image only to the Azure Servers without affecting nor the user's computers or the on-prem servers.

I created the GPO and in the scope of the GPO I added the security group containing all the Azure servers and removed the "Apply group policy" checkbox from the security filters for the Authenticated user group (I left the read permission).

After running gpupdate /force, I tried logging into the server in Azure using a user account and ran the gpresult /R. The new GPO policy shows but it says denied by security filtering.

I know that the settings to deploy a Desktop image are under the user configuration and I am wondering if that is the reason why I am not able to only target a computer group.

Testing: I decided to modify the GPO by applying the GPO also for the authenticated users. The background image was applied for the Azure servers. however, also the user's computers and the on-prem servers were targeted by the GPO.

How can I achieve the desired results?

Windows for business | Windows Server | Directory services | Deploy group policy objects
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Geoff McKenzie 950 Reputation points
    2025-08-06T02:04:00.1133333+00:00

    There are a couple of appraches I can think of off the top of my head (I do not have access to a suitable lab at the moment to confirm).

    1. When applying GPOs using security group filtering you need to ensure that the computer knows it has been added to the group - this may mean a reboot or using Klist purge to force ticket renewal for the system session (0x3e7 from memory but verify)
    2. As the setting is a user setting - you may need to enable loopback processing
      https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/loopback-processing-of-group-policy
    3. Apply the setting to the user BUT use a WMI filter to determine if the machine they are currently on is in Azure - If so then apply if not then do not apply - this may be the better option as you do not need to manage the group for Azure computers (adding and removing as you spin up and down VMs)

    Good luck

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.