

Group Policies

Posted on 2011-10-04
Medium Priority
Last Modified: 2012-05-12

I am after a bit of help with Group Policies.

My AD is set up as follows:

Departments (users)
dep 1
dep 2
dep 3
dep 4
dep 5

Workstations (machines)
office 1
office 2
office 2.1
office 2.2

So I apply some policies at each level of the AD structure.

We are just looking to start deploying Windows 7 machines and I have set up a new group policy for these, but is there a filter that can be used so they are only applied to Win 7 machines, or would I have to put the Win 7 machines in a different AD OU?


Question by:essexboy80
LVL 22

Accepted Solution

chakko earned 2000 total points
ID: 36909110
You should be able to use a filter (WMI).

Here is a page for information.

It has this as a method to filter Windows 7 / Vista machines.

The following complete query returns true for all computers running Windows Vista, and returns false for any server operating system or any other client operating system.

select * from Win32_OperatingSystem where Version like "6.0%" and ProductType="1"
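
A filter can be checked on a test machine before it is attached to a GPO. The following is an added example, not part of the original thread: the function name `Test-WmiFilterQuery` and the Windows 7 variant of the query (version 6.1, which Windows 7 shares with Windows Server 2008 R2) are assumptions added here.

```powershell
# Added example: run a WQL query locally the way a GPO WMI filter is evaluated.
# The filter is true when the query returns at least one instance.
# Requires PowerShell 3.0 or later for Get-CimInstance.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    }
    catch {
        # This helper reports a query that cannot run as a non-match.
        Write-Warning "Query failed: $($_.Exception.Message)"
        return $false
    }
}

$candidates = @(
    @{ Name  = 'Vista clients (query quoted in the answer)'
       Query = 'select * from Win32_OperatingSystem where Version like "6.0%" and ProductType="1"' },
    @{ Name  = 'Windows 7 clients (assumed 6.1 variant)'
       Query = 'select * from Win32_OperatingSystem where Version like "6.1%" and ProductType="1"' },
    @{ Name  = '6.1 without ProductType (would also match Server 2008 R2)'
       Query = 'select * from Win32_OperatingSystem where Version like "6.1%"' }
)

# Show the values the queries are compared against on this machine.
# ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"{0}: Version={1} ProductType={2}" -f $os.Caption, $os.Version, $os.ProductType

foreach ($c in $candidates) {
    [pscustomobject]@{
        Filter  = $c.Name
        Applies = Test-WmiFilterQuery -Query $c.Query
    }
}
```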

LVL 12
ID: 36909198
Create an AD group, into which you put your Windows 7 clients as they are created. Apply the GPOs to that group only.
LVL 35

Expert Comment

by:Joseph Daly
ID: 36909397
Chakko has the right idea using the WMI filtering. This will make sure that only machines that match the selected criteria apply the group policy. This will work well for you for standard group policies. The only other thing I can add is a good utility I use to test my WMI filters, called WMIFtest.


One more piece of information to add here since you mentioned Windows 7. Windows 7 clients have the group policy preferences extensions installed by default. This will let you apply group policy preferences to these machines as well as group policies. The benefit of group policy preferences is that they allow you to do item level targeting based on criteria. This is sort of like the WMI filtering on steroids.


Author Comment

ID: 36929981
Thanks all. After a little further help.

So if my users are in OUs under a Departments OU and the workstations are in OUs under the Workstation OU, do I have to have separate Group Policies for Computer Settings and User Settings?

i.e. if I applied my GPO to the workstations OU and it also had user settings, would that work?
LVL 35

Expert Comment

by:Joseph Daly
ID: 36930529
In the situation you mentioned above then yes, I would recommend a separate group policy for the user and computer settings. The reason for this is even though you can put user and computer settings in the same GPO, they will only apply to the objects in the OU where it is linked.

So in your example if you linked the GPO to the workstations OU and that only contained computer accounts then none of the user settings would be applied because the user accounts reside in a different OU.

Author Comment

ID: 36954751
Great, thanks, and should I use enforced or not?

Author Comment

ID: 36954798
Sorry, further to that, I have created separate policies for users and computers, but does it look at the operating system filters on the user policies as well?
LVL 35

Expert Comment

by:Joseph Daly
ID: 36956703
Yes, if you apply a WMI filter it applies for the entire policy. So if you have an OS filter on a user policy it will still apply.

Author Comment

ID: 36956805
Nice one, thanks.
LVL 11

Expert Comment

ID: 37554238
Please be aware of the fact that a WMI filter takes longer to process because every time the user or machine comes up it calculates the filter applied.

I would say you state what you want to achieve & probably an efficient way can be found to get the desired result.

Have a look at below:

If you really have such a granular design then I am sure it can be achieved much more efficiently.
Every time your user or machine comes up WMI Filters are evaluated, so be very careful & in my opinion only use them as a last resort.

Looking at what you have described, I would take the simplest approach:
See, computers are objects too, so what you can do is make a group of all the W7 computers & then simply use Delegation. That way you are getting what you want & avoiding the calculation of WMI every time, giving your users a fast environment.
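
The group-based approach suggested in this comment and in the earlier "Create an AD group" comment, scripted with the ActiveDirectory and GroupPolicy modules. This is an added example, not part of the original thread; the GPO name, group name and OU path are hypothetical placeholders.

```powershell
# Added example: scope a GPO to a security group of Windows 7 computers
# instead of using a WMI filter. Requires the RSAT ActiveDirectory and
# GroupPolicy modules. All names below are hypothetical placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Win7 Workstation Settings'
$GroupName = 'GPO-Apply-Win7-Computers'
$GroupOu   = 'OU=Groups,DC=example,DC=com'

# 1. Create the security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global `
        -GroupCategory Security -Path $GroupOu
}

# 2. Add every computer account that reports Windows 7 and is not a member yet.
$win7    = @(Get-ADComputer -Filter 'OperatingSystem -like "Windows 7*"')
$current = @(Get-ADGroupMember -Identity $GroupName |
             Select-Object -ExpandProperty distinguishedName)
$toAdd   = @($win7 | Where-Object { $current -notcontains $_.DistinguishedName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
}

# 3. Security filtering: only the group may apply the GPO.
#    Authenticated Users is reduced to Read rather than removed, so the
#    policy can still be read during processing.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 4. Review the resulting delegation.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer picks up its new group membership at its next restart, so the GPO does not apply to a newly added machine until then.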

