GPO Wallpaper - VBychkov-boop/Spring-SYS265-Final-Project GitHub Wiki

Step 1 — Check Where Your Computers and Users Live

Before touching Group Policy, open Active Directory Users and Computers and confirm two things:

  1. Your target computers (W1, W2, MGMT1) are inside an OU — not the default Computers container
  2. The user accounts that log into those machines are also inside an OU — not the default Users container

⚠️ This is the most common reason GPOs don't apply. The default Computers and Users containers are not OUs — Group Policy cannot be linked to them. If your accounts or computers are sitting there, you need to create an OU and move them first.


Step 2 — Create an OU (if needed)

If your computers or users aren't already in an OU, create one.

  1. Open Server Manager → Tools → Active Directory Users and Computers
  2. Right-click your domain name in the left tree → New → Organizational Unit
  3. Name it something like Corporate PCs or W1-Users → click OK
  4. Find the computer or user accounts in the Computers or Users container
  5. Right-click each one → Move → select your new OU → OK

If W1/W2 and MGMT1 are in different OUs that you can't change, that's fine — you'll just link the GPO to both OUs in Step 5.
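
The placement check from Steps 1 and 2 can also be run from PowerShell; this is an added example, not part of the original wiki page. It assumes the ActiveDirectory module (RSAT) is installed, and the user name admin is a placeholder for the accounts that actually log on to W1, W2 and MGMT1.

```powershell
Import-Module ActiveDirectory

$computers = 'W1', 'W2', 'MGMT1'   # target machines named on this page
$users     = @('admin')            # assumption: replace with the real logon accounts

function Get-ParentDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Remove the leftmost RDN. (?<!\\) skips commas escaped inside a name, e.g. "CN=Doe\, Jane".
    $DistinguishedName -replace '^.+?(?<!\\),\s*', ''
}

# Look up every account once; an unknown name raises an error here rather than passing silently
$accounts = @(
    $computers | ForEach-Object { Get-ADComputer -Identity $_ }
    $users     | ForEach-Object { Get-ADUser -Identity $_ }
)

$report = foreach ($a in $accounts) {
    $parent = Get-ParentDN $a.DistinguishedName
    [pscustomobject]@{
        Account  = $a.SamAccountName
        Class    = $a.ObjectClass
        Parent   = $parent
        # A GPO can be linked to an OU (OU=...) or the domain root (DC=...),
        # but not to the default CN=Computers / CN=Users containers
        Linkable = $parent -match '^(OU|DC)='
    }
}
$report | Format-Table -AutoSize

$report | Where-Object { -not $_.Linkable } | ForEach-Object {
    Write-Warning "$($_.Account) is in container '$($_.Parent)'; move it into an OU (Step 2)"
}
```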

Step 3 — Verify the Share Permissions on the Wallpaper

The machines need to be able to read the wallpaper file over the network, otherwise the policy will apply but the image will never load.

On DFS01-B1:

  1. Right-click the Shared folder → Properties → Sharing tab → Advanced Sharing → Permissions
  2. Make sure Domain Computers or Authenticated Users has at least Read access
  3. Also go to the Security tab (NTFS permissions) and confirm Read & Execute is allowed for the same group
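
An added example (not from the original wiki) that reads both permission sets from PowerShell and flags broad groups that can write to the share or the image, since anyone who can modify the file controls what the policy displays. It assumes an administrator session that can query DFS01-B1; the list of broad group names is illustrative.

```powershell
$server = 'DFS01-B1'
$share  = 'Shared'
$file   = "\\$server\$share\Background.png"
# Assumption: group names treated as "everyone on the network" for this check
$broad  = 'Everyone', 'Authenticated Users', 'Domain Users', 'Domain Computers', 'Users'

# Strip a DOMAIN\ or BUILTIN\ prefix so names compare the same way in both ACLs
function Get-ShortName { param([string]$Account) $Account -replace '^.*\\', '' }

# Sharing tab (share permissions), read remotely from the file server
$shareAcl = Get-SmbShareAccess -Name $share -CimSession $server | ForEach-Object {
    [pscustomobject]@{
        Layer    = 'Share'
        Account  = Get-ShortName $_.AccountName
        Type     = [string]$_.AccessControlType
        Rights   = [string]$_.AccessRight
        CanWrite = [string]$_.AccessRight -in 'Full', 'Change'
    }
}

# Security tab (NTFS permissions) on the image itself.
# ACEs that carry generic rights (shown as raw numbers) are not decoded here.
$write   = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$ntfsAcl = (Get-Acl -Path $file).Access | ForEach-Object {
    [pscustomobject]@{
        Layer    = 'NTFS'
        Account  = Get-ShortName $_.IdentityReference.Value
        Type     = [string]$_.AccessControlType
        Rights   = [string]$_.FileSystemRights
        CanWrite = ([int]$_.FileSystemRights -band $write) -ne 0
    }
}

$acl = @($shareAcl) + @($ntfsAcl)
$acl | Format-Table -AutoSize

# Effective access is the more restrictive of the two layers, so a broad group
# needs an Allow entry in both and should be able to write in neither.
foreach ($layer in 'Share', 'NTFS') {
    $entries = $acl | Where-Object { $_.Layer -eq $layer -and $_.Type -eq 'Allow' -and $_.Account -in $broad }
    if (-not $entries) { Write-Warning "${layer}: no Allow entry for a broad group; clients may not be able to read $file" }
    $entries | Where-Object { $_.CanWrite } | ForEach-Object {
        Write-Warning "${layer}: $($_.Account) can modify the wallpaper ($($_.Rights))"
    }
}
```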

Step 4 — Create the GPO

  1. Open Server Manager → Tools → Group Policy Management
  2. Expand Forest → Domains → YourDomain.com
  3. Right-click Group Policy Objects → New
  4. Name it Corporate Wallpaper → click OK
  5. Right-click the new GPO → Edit

Inside the Group Policy Management Editor, navigate to:
User Configuration
  └── Policies
        └── Administrative Templates
              └── Desktop
                    └── Desktop
  1. Double-click Desktop Wallpaper on the right
  2. Set it to Enabled
  3. In the Wallpaper Name field enter the full UNC path to your image:
    \\DFS01-B1\Shared\Background.png
    
  4. Set Wallpaper Style to Fill
  5. Click OK and close the GPO Editor

Step 5 — Link the GPO to Your OUs

Back in Group Policy Management, link the GPO to the OU(s) that contain your target machines' user accounts.

  1. Right-click the OU containing W1 and W2's users → Link an Existing GPO → select Corporate Wallpaper → OK
  2. If MGMT1's users are in a different OU, right-click that OU → Link an Existing GPO → select Corporate Wallpaper → OK

Step 6 — Scope It to Only W1, W2, and MGMT1

By default the GPO will apply to everyone in the linked OU. To restrict it to only those three machines' accounts:

  1. Click the Corporate Wallpaper GPO in the left pane
  2. Go to the Scope tab → Security Filtering
  3. Click Authenticated Users → Remove
  4. Click Add → type W1$ → Check Names → OK
  5. Repeat for W2$ and MGMT1$

⚠️ Computer accounts require a dollar sign at the end — W1$ not W1. If you're filtering by user accounts instead, use the username without the $.

Then fix read permissions so the policy can still be processed:

  1. Go to the Delegation tab → click Advanced
  2. Click Add → add W1$, W2$, MGMT1$ one at a time
  3. For each, tick Allow on Read → OK

Step 7 — Confirm the GPO Settings Saved Correctly

Before testing, quickly verify the wallpaper path is actually saved in the GPO:

  1. Click the Corporate Wallpaper GPO
  2. Go to the Settings tab
  3. Expand User Configuration and confirm the wallpaper path is listed

If nothing shows under Settings, the policy wasn't saved properly — go back into Edit and re-enter the wallpaper path.
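
Steps 5 to 7 can be checked in one pass from PowerShell. This added example (not part of the original wiki) assumes the GroupPolicy module from RSAT and uses only the GPO name, UNC path and machine names given on this page.

```powershell
Import-Module GroupPolicy

$gpoName   = 'Corporate Wallpaper'
$wallpaper = '\\DFS01-B1\Shared\Background.png'
$machines  = 'W1', 'W2', 'MGMT1'

# Step 7: the XML report carries the same data as the Settings tab
$xmlText = Get-GPOReport -Name $gpoName -ReportType Xml
if (-not $xmlText.Contains($wallpaper)) {
    Write-Warning "Wallpaper path $wallpaper is not saved in '$gpoName'"
}

# Step 5: every location the GPO is linked to, and whether the link is enabled
$links = ([xml]$xmlText).GPO.LinksTo
if ($links) { $links | Format-Table SOMPath, Enabled, NoOverride -AutoSize }
else        { Write-Warning "'$gpoName' is not linked anywhere" }

# Step 6: Security Filtering entries appear as GpoApply, read-only Delegation entries as GpoRead
$perms = Get-GPPermission -Name $gpoName -All | ForEach-Object {
    [pscustomobject]@{
        Trustee    = [string]$_.Trustee.Name
        Type       = [string]$_.Trustee.SidType
        Permission = [string]$_.Permission
        Denied     = $_.Denied
    }
}
$perms | Sort-Object Permission, Trustee | Format-Table -AutoSize

if ($perms | Where-Object { $_.Trustee -eq 'Authenticated Users' -and $_.Permission -eq 'GpoApply' }) {
    Write-Warning 'Authenticated Users still has Apply: the GPO reaches everyone in the linked OUs'
}
foreach ($m in $machines) {
    # Compare without the trailing $ so the match works however the name is reported
    if (-not ($perms | Where-Object { $_.Trustee.TrimEnd('$') -eq $m })) {
        Write-Warning "$m has no entry of its own on '$gpoName'"
    }
}

# Trustees the GPO applies to. Without loopback processing, User Configuration settings
# are filtered against the logged-on user, so that user must be covered by one of these.
$perms | Where-Object { $_.Permission -eq 'GpoApply' } | Format-Table Trustee, Type -AutoSize

# Trustees who can change the GPO control what every targeted desktop loads; review this list
$perms | Where-Object { $_.Permission -match 'Edit|Custom' } | Format-Table Trustee, Permission -AutoSize
```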

Step 8 — Apply and Test

Force a Group Policy refresh on each machine:

Invoke-GPUpdate -Computer "W1" -Force
Invoke-GPUpdate -Computer "W2" -Force
Invoke-GPUpdate -Computer "MGMT1" -Force

Or run this directly on each machine:

gpupdate /force

Then log off and back on. Because this is a User Configuration policy, the wallpaper applies at login — not immediately after gpupdate.


Step 9 — Verify It Applied

On one of the target machines, open Command Prompt and run:

gpresult /r

Scroll to the USER SETTINGS section. You want to see Corporate Wallpaper listed under Applied Group Policy Objects.

| What you see | What it means |
| --- | --- |
| Corporate Wallpaper listed under Applied GPOs | Working correctly |
| Corporate Wallpaper listed under Filtered Out / Denied | Permissions issue — check Step 6 |
| N/A under Applied GPOs | GPO isn't reaching this user — check they're in the right OU |

Troubleshooting

gpresult shows N/A under Applied GPOs

The user account isn't inside an OU that the GPO is linked to. Check where the account lives in Active Directory Users and Computers. If it's in the default Users container, move it into the correct OU.

Example of the problem — this line at the top of gpresult /r output means the account is in the default Users container, not an OU:

CN=admin, CN=Users, DC=YourDomain, DC=local

Fix: Move the account into the correct OU in Active Directory Users and Computers.


GPO applies but wallpaper doesn't change

The policy is reaching the machine but the image can't load. On the affected machine open Run (Win + R) and paste the UNC path directly:

\\DFS01-B1\Shared\Background.png

If it doesn't open, the machine can't reach the share. Fix the share permissions on DFS01-B1 as described in Step 3.


Wallpaper applies to more machines than expected

Check the Security Filtering in Step 6 — if Authenticated Users is still listed, the GPO will apply to everyone in the linked OU, not just your three machines.


Changes aren't showing after gpupdate

Remember this is a User Configuration policy — it applies at login, not immediately. Always log off and back on after running gpupdate /force.