Logo

Group Policy Filtering

There are a number of different options in Group Policy that allows you to target Group Policy to particular users and computers. This video looks at WMI filters and security that can be applied to target Group Policy settings that you configure. The video also looks at how you can disable parts of Group Policy to speed up the processing on your clients.

<a class="wp-block-button__link"Download PDF handout
Show lesson content
Sorting by OU’s
One way of applying Group Policy is to sort the users and computers into different OU’s. A typical way of doing this is to separate the users and computers into physical locations, departments and operating systems. The problem with this approach is that an administrator needs to sort these objects initially and when change occur. For example, if users change job titles and operating systems are upgraded. By using filters in Group Policy you can automate this process.

Demonstration
All the Group Policy filtering options are available from Group Policy Management Console. Once you select a Group Policy Object you can configure additional filtering options for it.

User/Computer Configuring Enabling/Disabling
If you select the details tab, the option GPO status allows you to enable or disable the GPO as well as only have the user or computer configuration enabled. If you are only using one part of the configuration for the GPO, it is worth while disabling the other configuration. Disabling configuration like this will speed up the processing of the GPO on the client.

Security Filtering
On the scope tab you can configure particular groups to be allowed the ability to apply the Group Policy object. Adding groups here effectively changes the permissions of the Group Policy Object giving that group access to apply the Group Policy. The same effect can be achieved by editing the security of the Group Policy Object directly, however Security Filtering does provide an easier interface if all you want to do is see who has the ability to apply the Group Policy or add or remove access.

WMI Filter
Windows Management Instrumentation (WMI) allows software to retrieve information about the client. For example, information about the operating system, hardware and software installed can be retrieved using WMI. Using WMI filters, you can target a Group Policy Object to particular characteristics of a computer. You can only assign one WMI filter per Group Policy Object, however you can make it as complex as you wish. Using WMI filters in your domain especially complex WMI filters this can slow down the time Group Policy takes to apply.

To create a WMI query, Select WMI Filters in the left panel of Group Policy Management under your domain and paste in your WMI query. An example of a WMI query is listed below.

Select * FROM Win32_OperatingSystem WHERE Caption=”Microsoft Windows XP Professional” AND CSDVersion=”Service Pack 3″

Once you have a WMI query configured, you can assign one WMI filter to the Group Policy Object on the scope tab.

A free WMI explorer. http://www.ks-soft.net/hostmon.eng/wmi/index.htm

Delegation
The delegation tab effectively shows some of permissions of the Group Policy Object. In order for the Group Policy to be applied to a client it requires read and apply group policy permissions. To gain access the security properties press the advanced button. If you want to prevent the group policy for being applied, select the deny option for apply group policy. Deny permissions should only be applied when necessary. In most cases there is another solution which does not require deny permissions.

References
“MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition” pg 285 – 291

Credits

Lesson tags: 70-640-active-directory
Back to: 70-640 Introduction to Active Directory > Group Policy

Active Directory is a system which offers centralized control of your computers.

Modules

Active Directory Infrastructure

Lessons

Group Policy

Lessons