I am trying to set the Internet Explorer homepage via user Group Policy Preferences (GPP) registry setting for a very specific group of users. I am using item-level targeting to accomplish this but am having trouble getting the logic working as expected.
Here is my item-level targeting filter:
-------
The user is a member of the security group CONTOSO\FireRescueDept
AND this collection is false
The user is a member of the security group CONTOSO\EmergencyManagementDept
OR the user is a member of the security group CONTOSO\PublicSafetyDivision
-------
The user in question is a member of both CONTOSO\FireRescueDept and CONTOSO\EmergencyManagementDept. I believe this means that this particular registry GPP setting should NOT apply to the user in question and that is the outcome I desire.
Here is how I'm thinking about it:
- The user is a member of CONTOSO\EmergencyManagementDept; therefore, "The user is a member of the security group CONTOSO\EmergencyManagementDept" evaluates to TRUE.
- Since the other item in the collection is connected with the boolean OR operator, the collection evaluates to TRUE regardless of the evaluation of "The user is a member of the security group CONTOSO\PublicSafetyDivision."
- The item-level targeting filter is looking for the collection to evaluate to FALSE. Since the collection has evaluated to TRUE, the evaluation "This collection is false" is FALSE.
- Because of the AND operator in front of "This collection is false", both "The user is a member of the security group CONTOSO\FireRescueDept" and "This collection is false" must evaluate to TRUE in order for the item-level targeting filter to determine that the user in question to apply the GPP setting the filter is attached to. However, since "This collection is false" has already evaluated to FALSE, the filter as a whole should evaluate to FALSE and this GPP setting should not apply.
However, according to gpresult it does apply.
Please advise. I want this particular setting to apply to users in the CONTOSO\FireRescueDept group unless they are a member of CONTOSO\EmergencyManagementDept and/or CONTOSO\PublicSafetyDivision.