Affected versions: Windows Server 2016

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Hosts on Windows Server 2016 stop applying expected GPOs because security filtering, WMI filters, or item-level targeting deny them, leaving security baselines unenforced.

Environment & Reproduction

Seen after AD group cleanup, WMI filter syntax updates, or OU restructures.

gpresult /h C:\Temp\gp.html /f
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 30

Root Cause Analysis

Common causes include missing 'Authenticated Users' Read+Apply rights, broken WMI filters, or computer accounts not in target groups.

Quick Triage

Inspect denied policies in the report.

gpresult /r /scope:computer
Get-GPOReport -All -ReportType Xml -Path C:\Temp\all.xml
Get-WmiObject -Namespace root\rsop\computer -List | Select Name

Step-by-Step Diagnosis

Validate WMI filter logic and ACLs on the GPO.

Get-GPPermissions -Name 'Baseline-Servers' -All
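# Windows Server 2016 reports Version 10.0.14393 (10.0.17763 is Windows Server 2019); no output means the WQL does not match this host
Get-WmiObject -Query 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0.14393%"'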
Get-ADComputer SRV01 -Properties MemberOf
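
The ACL and group-membership checks above can be combined into one pass. The function below is an added example, not part of the original page: `Test-GpoSecurityFilter` is a hypothetical helper name, and it assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the computer's primary group is Domain Computers.

```powershell
# Added example. Needs the GroupPolicy and ActiveDirectory RSAT modules.
function Test-GpoSecurityFilter {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $ComputerName
    )

    $computer = Get-ADComputer -Identity $ComputerName

    # SIDs the computer's token carries: itself, every group it is in
    # (nested groups resolved with the LDAP in-chain matching rule), plus
    # two implicit principals that never appear in a 'member' attribute.
    # Assumption: primary group is Domain Computers (RID 515).
    $chain = "(member:1.2.840.113556.1.4.1941:=$($computer.DistinguishedName))"
    $sids  = @($computer.SID.Value)
    $sids += @(Get-ADGroup -LDAPFilter $chain | ForEach-Object { $_.SID.Value })
    $sids += 'S-1-5-11'                                    # Authenticated Users
    $sids += "$($computer.SID.AccountDomainSid.Value)-515" # Domain Computers

    # ACEs on the GPO whose trustee is one of those SIDs.
    $aces  = @(Get-GPPermission -Name $GpoName -All |
               Where-Object { $sids -contains $_.Trustee.Sid.Value })
    $allow = @($aces | Where-Object { -not $_.Denied })
    $deny  = @($aces | Where-Object { $_.Denied })
    $apply = @($allow | Where-Object { $_.Permission -eq 'GpoApply' })

    [pscustomobject]@{
        Gpo       = $GpoName
        Computer  = $computer.SamAccountName
        # Any standard allow level includes Read; GpoCustom is left undecided.
        CanRead   = [bool]($allow | Where-Object { $_.Permission -ne 'GpoCustom' })
        CanApply  = $apply.Count -gt 0
        ApplyVia  = $apply.Trustee.Name -join ', '
        # A deny ACE overrides an allow from another group.
        DenyVia   = $deny.Trustee.Name -join ', '
        WmiFilter = (Get-GPO -Name $GpoName).WmiFilter.Name
    }
}

Test-GpoSecurityFilter -GpoName 'Baseline-Servers' -ComputerName 'SRV01'
```

A result with `CanApply` false, or with anything listed under `DenyVia`, points at security filtering; if both look right and `WmiFilter` is set, test the filter's query on the host next.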

Solution – Primary Fix

Restore Read for Authenticated Users and correct the WMI filter.

Set-GPPermissions -Name 'Baseline-Servers' -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply
gpupdate /target:computer /force

Solution – Alternative Approaches

Replace the WMI filter with security group targeting for clarity.

Set-GPPermissions -Name 'Baseline-Servers' -TargetName 'srv-baseline' -TargetType Group -PermissionLevel GpoApply
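# Quote the computer account name so the trailing $ is passed literally
Add-ADGroupMember -Identity 'srv-baseline' -Members 'SRV01$'
# The new membership reaches the computer's Kerberos ticket only after SRV01 restarts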

Verification & Acceptance Criteria

gpresult shows the GPO applied to the host and the operational log is clean.

gpresult /r /scope:computer
Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 10

Rollback Plan

Restore prior filtering if downstream side effects appear.

Set-GPPermissions -Name 'Baseline-Servers' -TargetName 'srv-baseline' -TargetType Group -PermissionLevel None

Prevention & Hardening

Document filtering strategy, prefer security groups, and review applied GPOs after AD changes.

Get-GPOReport -All -ReportType Html -Path C:\Temp\gpo-inventory.html

Related Errors & Cross-Refs

Linked with LAPS deployment, AppLocker rule conflicts, and password policy enforcement.

References & Further Reading

Microsoft Learn: GPO filtering, WMI filters, and Group Policy troubleshooting.