In this video from ITFreeTraining I will look
at a number of different ways that Group Policy can be filtered to particular users and computers.
Using these features will allow you to target Group Policy to better meet the needs of your
organization.
If you consider a typical company structure,
the company may decide to divide their users and computers into separate OUs based on
the location of the office. Additional OUs could also be added, for example, users could
be moved into OUs called sales and marketing. Computers could be divided into separate OUs.
For example, additional OUs could be created based on the operating system that is being
used.
This kind of structure works well with Group
Policy. All you need to do is tailor the Group Policy depending on which OU it is applied
to. For example, if you wanted a Group Policy to only affect Windows 7 computers you would
apply the Group Policy to the Windows 7 OU.
The problem with this approach is that it
requires an administrator to sort the objects in Active Directory into the correct OU.
This requires the administrator to not only have access to do this but the administrator
also requires the knowledge of which objects go where. Although this may not sound difficult,
on a large network you may have 100s or 1000s of users and computers that need
to be sorted. Now imagine that later on a number of the computers were upgraded to a
newer operating system, after the upgrade these computer accounts would need to be moved
to the correct OU. The system of sorting objects into OUs is good but in some cases it is
not ideal. In some cases you may want Group Policy to be able to detect which operating
system is used or apply Group Policy based on membership of a group.
In this video I will look at a number of different ways Group Policy can be targeted to specific
users and computers without having to move users and computer objects around in Active
Directory. Without further ado, I will change to my Windows Server 2008 R2 Domain Controller
to look at how to configure these options.
To demonstrate how to filter Group Policy,
I will first open Group Policy Management from Administrative Tools under the Start
menu. In this case, the filtering that I will apply will be on the New York Policy found
under the New York OU.
The first level of filtering you should consider
doing is disabling the user or computer configuration if it is not being used. To do this, select
the Details tab. Here you can see the GPO status is currently set to enabled. This means
both the computer and user configuration in this Group Policy will be applied. Remember
that each Group Policy object contains a user side and computer side.
If I want to, I could disable the whole Group Policy by selecting all settings disabled,
but in a lot of cases you will want to select the option computer configuration settings
disabled or user configuration settings disabled.
When Group Policy settings are applied, both
sides of Group Policy are downloaded and applied regardless of whether any settings are configured
or not. If you want to speed up the processing of Group Policy and you know that only user
or computer settings will be used, disable the configuration side that is not being used.
This will reduce the time taken to apply Group Policy on your clients.
In this case, I will choose to disable user configuration for this Group Policy. Once
disabled, if I select the settings tab, this will show the settings that have been configured
for this Group Policy. Notice that User Configuration is listed as disabled.
In some cases you may want to configure Group Policy to target particular users or computers.
This can be done by sorting users and computers into OUs using Active Directory Users and Computers,
but in some cases you may want to use groups or it is difficult or impractical to sort
Active Directory objects into OUs.
To do this, I will select the Scope tab. The
scope tab defines which users and computers this Group Policy is applied to.
Notice that the OUs that this Group Policy is applied to are listed. In this case, only
the New York OU is using this Group Policy. Notice that under security filtering is authenticated
users. This determines which users and computers this Group Policy will be applied to. Authenticated
users means any users and computers that were authenticated by a Domain Controller successfully.
It does not matter which groups the user or computer is a member of.
In this case, I will remove the authenticated users group and add the group GSales Staff.
This is a global group that contains only sales users and their computers. This means
that this Group Policy will now only be applied to users and computers that are members of
this group. This is a good way of narrowing down which users and computers this Group
Policy will have an effect on.
In some cases, you may not be able to use
Groups to narrow down or target the particular users or computers that you want the Group
Policy to work on. For example, perhaps you want to target particular computers that are
running a particular operating system.
To do this, you can link a WMI filter to the
Group Policy. As you can see, there are no WMI filters to select from so I will need
to create one first. To do this, select WMI Filters, right click and select the option
new.
For this WMI filter, I will create a filter
that will check for Windows XP with service pack 3. Once I press add, I can enter in the
WMI filter that will be used. In this case, I have the WMI filter in a text document which
I will copy and paste.
It is beyond the scope of this video to go
too much into the syntax used by WMI. The syntax used is standard SQL. You can see that the
query is selecting all records with information about the operating system. There are many
records returned so the next statement “where” states only those records where the caption
is “Microsoft Windows XP Professional”. This will limit the records to Windows XP
clients only. Additional conditions can also be added. For example, another check can be
added that checks to see if the client has Service Pack 3 installed.
There is a huge amount of data that can be retrieved using WMI. If you are looking for
a particular setting you can download WMI explorer software which will allow you to
look through WMI data so you can find the data that you are after.
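The kind of query described above can be checked on a client before it is linked to a GPO. This is an added example, not the filter text from the video (which is not shown on this page): the queries are constructed from the description, the third query is an alternative that matches on version instead of caption, and `Test-WmiFilterQuery` is a hypothetical helper name. It also reports how long each query takes, since the filter runs on every client the GPO applies to.

```powershell
# Constructed queries; the exact filter used in the video is not shown on this page.
$CandidateFilters = @(
    # Caption match only, as described above.
    'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows XP Professional"',
    # Caption plus the Service Pack 3 condition.
    'SELECT * FROM Win32_OperatingSystem WHERE Caption = "Microsoft Windows XP Professional" AND ServicePackMajorVersion = 3',
    # Assumption: match on version and product type instead of the caption string
    # (5.1 = Windows XP, ProductType 1 = workstation).
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = 1 AND ServicePackMajorVersion = 3'
)

function Test-WmiFilterQuery {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'
    )
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $errorText = $null
    $rows = @()
    try {
        # Get-WmiObject is used so the check also runs on older Windows PowerShell.
        $rows = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
    } catch {
        # The query failed to run; report the error instead of a match result.
        $errorText = $_.Exception.Message
    }
    $timer.Stop()
    New-Object PSObject -Property @{
        Applies   = ($rows.Count -gt 0)   # a filter passes when the query returns at least one instance
        Instances = $rows.Count
        Millisec  = $timer.ElapsedMilliseconds
        Error     = $errorText
        Query     = $Query
    }
}

# Run every candidate on the local machine and show the result of each.
$CandidateFilters | ForEach-Object { Test-WmiFilterQuery -Query $_ } |
    Format-List Applies, Instances, Millisec, Error, Query
```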
If I exit out of here and select New York Policy, I can now select the WMI filtering
option and select the WMI filter that I just created. You are only able to select one WMI
filter per Group Policy, but you can make the WMI filter as complex as you want. One
word of warning with WMI filters, for every user and computer that this Group Policy
is applied to, the WMI filter will need to be executed. If you use a lot of WMI filters
or filters that are complex and take time to run, this increases the time it takes for
Group Policy to be applied.
In some cases you may want certain users or
computers not to have this Group Policy applied to them. For example, perhaps you have a Group
Policy that is applied to all users but you do not want it applied to a test group.
In order to achieve this select the delegation tab. Delegation is a funny name for this tab
as essentially this tab is the permissions of the Group Policy object. To view and change
the permissions, I will select the advanced button.
Here you can see that the group GSales Staff has been added to the security of the Group
Policy object. You can also see that this group has been given the read and apply group
policy permissions. In order for Group Policy to be applied, both of these permissions need
to be applied. If only one of these permissions is ticked, the Group Policy will not be able
to be applied.
In this case, I will add the group ITTestGroup.
This group contains all the users and computers that are taking part in application testing.
For this reason, it has been decided that this Group Policy will not be applied to these
users and computers as it may affect the testing of that application.
To achieve this, I will configure read and apply Group Policy to deny. Ticking either
of these will prevent the Group Policy from being applied. Once I press ok I will get
a message indicating that deny permissions override all other permissions. The Deny permission
should be used rarely because if a user is in two groups and one group has deny permissions
configured, they will effectively be denied access. In this case, this is what I want but in many
cases you can achieve the same result without using deny permissions. Microsoft recommends
only using deny permissions when you have to.
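The security filtering and deny rules described above can be reviewed from the GPO's access control list. This is an added example, not part of the video: it assumes the GroupPolicy and ActiveDirectory PowerShell modules are installed, `Get-GpoFilterSummary` is a hypothetical helper name, and the read check is simplified to the read-property right.

```powershell
Import-Module GroupPolicy, ActiveDirectory

# Rights GUID of the "Apply Group Policy" extended right in Active Directory.
$ApplyGroupPolicy = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
$ReadProperty  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-GpoFilterSummary {   # hypothetical helper name
    param([Parameter(Mandatory = $true)] [string] $GpoName)

    $gpo = Get-GPO -Name $GpoName
    # Path is the GPO's distinguished name; the AD: drive comes from the ActiveDirectory module.
    $acl = Get-Acl -Path ("AD:\" + $gpo.Path)

    # Read and Apply are separate entries, so collect them per trustee.
    $acl.Access | Group-Object IdentityReference | ForEach-Object {
        $read = $false; $apply = $false; $deny = $false
        foreach ($ace in $_.Group) {
            $isRead  = [int]($ace.ActiveDirectoryRights -band $ReadProperty) -ne 0
            $isApply = ([int]($ace.ActiveDirectoryRights -band $ExtendedRight) -ne 0) -and
                       (($ace.ObjectType -eq $ApplyGroupPolicy) -or ($ace.ObjectType -eq [guid]::Empty))
            if ($ace.AccessControlType -eq 'Deny') {
                if ($isRead -or $isApply) { $deny = $true }
            } else {
                $read  = $read  -or $isRead
                $apply = $apply -or $isApply
            }
        }
        $effect = if ($deny) {
            'Denied: overrides allow entries from other groups'
        } elseif ($read -and $apply) {
            'Applied'
        } else {
            'Not applied: needs both Read and Apply Group Policy'
        }
        New-Object PSObject -Property @{
            Trustee = $_.Name; AllowRead = $read; AllowApply = $apply; Deny = $deny; Effect = $effect
        }
    } | Select-Object Trustee, AllowRead, AllowApply, Deny, Effect
}

# 'New York Policy' is the GPO used in the walkthrough above.
Get-GpoFilterSummary -GpoName 'New York Policy' | Format-Table -AutoSize
```

The summary is per trustee; what a given user or computer actually receives depends on all of the groups it is a member of.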
In this video, I have looked at the ways Group Policy can be filtered and thus targeted
towards your users. Although you can achieve some powerful results using these techniques,
using these techniques can increase the complexity of your environment so careful planning
is essential.
Thanks for watching this video from IT Free
Training. For more free videos for this course and others please see our YouTube channel
or web page. See you next time.