I'm trying to set a desktop wallpaper for specific computers using Group Policy Objects (GPO). The wallpaper setting is found under User Configuration, not Computer Configuration. I've already set up a few things:
- The computers that should get the GPO are in a Universal Security group.
- I've created a GPO for the desktop setting (including the wallpaper image path) and linked it to the applicable hosts.
- Loopback is enabled in Merge mode.
- I've filtered security on the GPO to just that specific security group and removed Authenticated Users, but then added them back with 'Read' rights in Delegation.
- I confirmed that the computers can access the wallpaper image file at the specified location.
When I check with GPresult as a regular user, it shows the GPO but it's denied due to security issues. However, when I check as an elevated user with a computer scope, it lists the GPO as applied even though it's not taking effect. What might I be overlooking? I'm wondering if the issue is related to applying the User config based on the security group for the computer object, despite using loopback. I've read that Authenticated Users need to retain read permissions, and I ensured that they do, so I'm stuck here.
3 Answers
It sounds like you're on the right track, but I think you might be overcomplicating things! If you link the GPO directly to the OU with the user accounts, and set security filtering for Authenticated Users, it should apply without a hitch. Alternatively, you could add the wallpaper settings to an existing GPO that’s already successfully applied, like the default domain policy. That could simplify things for you!
Adding on, have you double-checked the permissions for the wallpaper file itself? Sometimes it’s not just about the GPOs but also making sure the file can actually be accessed by the users and computers you’re targeting.
I tried using a WMI filter instead and it worked out for me. I'm not sure why the security group filtering wasn't effective, though. Could be a permission issue with how the groups are set up. If you take a good look at those settings, we might find the culprit!
The concern is that the affected systems are mixed in multiple OUs, which complicates direct linking. I understand why you might hesitate to move them all into one OU due to other important GPOs affecting them. It’s definitely a tricky situation!
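An added example (not from any of the posts above) that evaluates a GPO's security filtering separately for the computer and for the logged-on user. Even with loopback, the User Configuration half of a GPO is filtered against the user's own group memberships, which is why a GPO filtered to a computer-only group can report as applied in computer scope and denied in user scope. The GPO name, group names and ACL entries are constructed to mirror the setup described in the question.

```powershell
# Added example. Works on plain objects so it runs without a domain.
# To feed it a real GPO's ACL (GroupPolicy module, hypothetical GPO name):
#   Get-GPPermission -Name 'Wallpaper' -All |
#     Select-Object @{n='Trustee';e={$_.Trustee.Name}}, @{n='Permission';e={"$($_.Permission)"}}

function Test-GpoFilter {
    param(
        [Parameter(Mandatory)] [object[]] $Acl,        # objects with Trustee and Permission
        [Parameter(Mandatory)] [string[]] $Membership  # group names in the token being tested
    )
    # Permission levels that include the right to read the GPO
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $perms = @($Acl | Where-Object { $Membership -contains $_.Trustee } |
                      ForEach-Object { $_.Permission })
    [pscustomobject]@{
        CanRead  = @($perms | Where-Object { $readLevels -contains $_ }).Count -gt 0
        CanApply = $perms -contains 'GpoApply'   # only "Apply group policy" makes settings take effect
    }
}

# Constructed ACL: the computer group in Security Filtering,
# Authenticated Users re-added with Read only on the Delegation tab.
$acl = @(
    [pscustomobject]@{ Trustee = 'Wallpaper-Computers'; Permission = 'GpoApply' }
    [pscustomobject]@{ Trustee = 'Authenticated Users'; Permission = 'GpoRead' }
    [pscustomobject]@{ Trustee = 'Domain Admins';       Permission = 'GpoEditDeleteModifySecurity' }
)

# Constructed group memberships for one targeted computer and one regular user
$computerToken = 'Wallpaper-Computers', 'Domain Computers', 'Authenticated Users'
$userToken     = 'Domain Users', 'Authenticated Users'

$computer = Test-GpoFilter -Acl $acl -Membership $computerToken
$user     = Test-GpoFilter -Acl $acl -Membership $userToken

[pscustomobject]@{
    ComputerSideApplies = $computer.CanApply   # Computer Configuration, incl. the loopback setting
    ComputerCanReadGpo  = $computer.CanRead    # the computer must be able to read the GPO
    UserCanReadGpo      = $user.CanRead        # GPO shows up in the user's GPResult
    UserSideApplies     = $user.CanApply       # User Configuration, where the wallpaper setting lives
} | Format-List
```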