Solved

How to apply GPO to workstations ONLY

Posted on 2011-03-02
6
4,014 Views
Last Modified: 2012-05-11
I have created several GPOs that I want to ONLY apply to workstations, not to domain controllers or member servers.   This GPO is currently linked to the domain so it applies to all systems.  I have read numerous articles about using WMI Filters to include but none describe how to exclude a particular class of machine.

My workstations are a mix of Windows XP, Vista, and 7 and are in the default "Computers" container.  My servers are Windows Server 2003, 2008, and 2008 R2.  Servers are in a custom "Servers" OU and DCs are in the default "Domain Controllers" container.

I appreciate any guidance you can provide, thanks!
0
Comment
Question by:AltaSens
6 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 400 total points
ID: 35021589
The "easiest" solution would to create a "Workstation" OU, move all workstation here, and link the GPO to this OU.
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 400 total points
ID: 35021680
If you want to the GPO only added to workstations, you can create a WMI filter like:

Select * from Win32_ComputerSystem where DomainRole = 1

and add the WMI filter to the GPO. WMI filters make GPO prcessing a little slower, so you have to decide if move them to a Workstation OU is sufficient.


0
 
LVL 3

Assisted Solution

by:thomasd04
thomasd04 earned 100 total points
ID: 35021729
Hi AltaSens. The GPO(s) over the whole domain tree should contain general settings for all objects; and separate GPOs linked to specific OUs should be created for more specific settings. But if you want to restrict them from affecting the server OUs, you can simply block inheritance on the GPO linked to the server OUs. WMI filtering would not be needed in this case. If for some reason you REALLY want to use WMI filtering for this purpose, you would be filtering using the Win32_OperatingSystem Class (http://msdn.microsoft.com/en-us/library/aa394239(v=vs.85).aspx).

Good luck!

0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 47

Expert Comment

by:dstewartjr
ID: 35021897
"My workstations are a mix of Windows XP, Vista, and 7 and are in the default "Computers" container"


The "Computers" container is not a OU, so no group policies you create will apply to them until you add the computers to an OU.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 35021959
... so no group policies you create will apply to them until you add the computers to an OU

You can't link a GPO to the Computers (or Users) container, but computer objects in this contatiner will inherit GPOs linked at the domain level.
0
 

Author Closing Comment

by:AltaSens
ID: 35022876
Ultimately, it seemed easier to simply create an OU for all domain workstations and move the computer objects there.

However, I do appreciate the other two suggestions regarding WMI.

Thank you to everyone!
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now