Solved

How to apply GPO to workstations ONLY

Posted on 2011-03-02
Last Modified: 2012-05-11
I have created several GPOs that I want to ONLY apply to workstations, not to domain controllers or member servers. This GPO is currently linked to the domain so it applies to all systems. I have read numerous articles about using WMI Filters to include but none describe how to exclude a particular class of machine.

My workstations are a mix of Windows XP, Vista, and 7 and are in the default "Computers" container. My servers are Windows Server 2003, 2008, and 2008 R2. Servers are in a custom "Servers" OU and DCs are in the default "Domain Controllers" container.

I appreciate any guidance you can provide, thanks!
Question by:AltaSens
6 Comments
 
LVL 21

Accepted Solution

by:
snusgubben earned 400 total points
ID: 35021589
The "easiest" solution would be to create a "Workstation" OU, move all workstations here, and link the GPO to this OU.
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 400 total points
ID: 35021680
If you want the GPO only added to workstations, you can create a WMI filter like:

Select * from Win32_ComputerSystem where DomainRole = 1

and add the WMI filter to the GPO. WMI filters make GPO processing a little slower, so you have to decide if moving them to a Workstation OU is sufficient.


1
 
LVL 3

Assisted Solution

by:thomasd04
thomasd04 earned 100 total points
ID: 35021729
Hi AltaSens. The GPO(s) over the whole domain tree should contain general settings for all objects; and separate GPOs linked to specific OUs should be created for more specific settings. But if you want to restrict them from affecting the server OUs, you can simply block inheritance on the GPO linked to the server OUs. WMI filtering would not be needed in this case. If for some reason you REALLY want to use WMI filtering for this purpose, you would be filtering using the Win32_OperatingSystem Class (http://msdn.microsoft.com/en-us/library/aa394239(v=vs.85).aspx).

Good luck!

0

 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35021897
"My workstations are a mix of Windows XP, Vista, and 7 and are in the default "Computers" container"


The "Computers" container is not an OU, so no group policies you create will apply to them until you add the computers to an OU.
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 35021959
... so no group policies you create will apply to them until you add the computers to an OU

You can't link a GPO to the Computers (or Users) container, but computer objects in this container will inherit GPOs linked at the domain level.
0
 

Author Closing Comment

by:AltaSens
ID: 35022876
Ultimately, it seemed easier to simply create an OU for all domain workstations and move the computer objects there.

However, I do appreciate the other two suggestions regarding WMI.

Thank you to everyone!
0
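
The approach the asker settled on (a dedicated workstation OU with the GPO linked there instead of at the domain), as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory and GroupPolicy RSAT modules are installed; the OU name `Workstations` and the GPO name `Workstation Baseline` are placeholders, and the script only reports what it would do until `$Apply` is set to `$true`.

```powershell
# Added example: the OU and GPO names are placeholders, not values from the thread.
Import-Module ActiveDirectory, GroupPolicy

$OuName  = 'Workstations'          # hypothetical OU name
$GpoName = 'Workstation Baseline'  # hypothetical GPO name
$Apply   = $false                  # $false = dry run (-WhatIf), $true = make changes

$domain = Get-ADDomain
$ouDn   = "OU=$OuName,$($domain.DistinguishedName)"

# Create the OU at the domain root only if it does not exist yet.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
    -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $domain.DistinguishedName `
        -WhatIf:(-not $Apply)
}

# Computer objects sitting directly in the default Computers container whose
# operatingSystem attribute does not contain "Server" (XP, Vista, 7).
# Objects with an empty operatingSystem attribute also match, so review the list.
$workstations = Get-ADComputer -SearchBase $domain.ComputersContainer `
    -SearchScope OneLevel -Filter "OperatingSystem -notlike '*Server*'" `
    -Properties OperatingSystem

$workstations | Sort-Object Name | Format-Table Name, OperatingSystem -AutoSize

# Move each workstation; with $Apply = $false this only prints the planned move.
foreach ($c in $workstations) {
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $ouDn `
        -WhatIf:(-not $Apply)
}

if ($Apply) {
    # Link the GPO to the new OU, then remove the domain-level link so member
    # servers and domain controllers stop receiving it.
    New-GPLink    -Name $GpoName -Target $ouDn
    Remove-GPLink -Name $GpoName -Target $domain.DistinguishedName
}
```

After a real run, `gpresult /r` on one workstation and one member server confirms that the GPO is applied on the first and absent on the second.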
