I recently ran across a bug in Group Policy Preferences around the use of Item-Level Targeting with the Computer NetBIOS name. I scoured the Internet and found no other references to the bug, so I decided that I would post something here.
To replicate the bug, some very specific steps have to be taken, which is one of the reasons that there isn't much reference to it online. It occurs when you use the Computer NetBIOS name target, and you have a multi-character wildcard (*), followed by some text, and then a single-character wildcard (?). Even more specifically, the issue only seems to occur if the text between the wildcards is less than half of the length of the applying computer's name. If that is the case, the computer fails to apply the preference.
I know that description is a little tough to follow, so let's look at this way...
The filter has to have two wildcards, first a multi-character (*) and then a single-character (?). We'll call the number of characters between the two N. So if your filter is *abc123?, N would be equal to 6. We'll call the length of the computer name C. So if your computer name is myabc1234, C would be equal to 9. Anytime that C/2 > N, the filter fails and the preference does not apply.
For example:
Your filter is *serv? (N=4)
Your computer is financeserv1 (C=12)
Using C/2 > N, we get 6 > 4, which is true so the filter would fail and the preference would not apply.
Microsoft acknowledges that this is a bug, but since it is pretty targeted and there are several workarounds, we are not likely to see a patch for it anytime soon. Most likely they will try to resolve the issue in Windows 8 RTM (a bug report has been filed), and then backrev it to Windows 7.
So what are the workarounds? Of course the most straightforward is to change the target string so that this bug doesn't apply by changing wildcard types (eg. two multi-character wildcards) or so that N is a long enough string that C/2 > N would not ever be true. Assuming that you can't change the filter, the next simplest fix is to switch the Computer Name target from the default of NetBIOS to DNS, where the issue does not seem to occur. You could also use a WMI query target, where the wildcards would work properly (though WMI queries take longer to execute and may slow Group Policy processing some).
Thanks very much for this article. I needed to do this and your article saved me lots of troubleshooting with your provided workaround!
ReplyDeleteThanks very much for this article. I needed to do this and your article saved me lots of troubleshooting with your provided workaround!
ReplyDelete