Win7 and WinXP Group Policy

I have a unique situation and nobody in our team has seen it before. Please feel free to ask if you need clarification.
I have a Windows 2003 AD and WinXP as clients.
I want to create a separate OU for Win7 clients and be able to push a GP for Win7 instead of the default domain policy meant for XP. The current GP is for XP and that will not support Win7 clients.
Question: How do I create a separate GP for Win7 machines and apply it, but still keep the XP group policy?
My security officer must generate a report (SCAP) and it must have the Win7 GP applied in order to determine the baseline.
Asked by timnjohnson (Information Security Engineer)

Michael Pfister commented:
Either create a new OU and block the inheritance of your GPOs (note this will block all GPOs not enforced, even Default Domain Policy) and create and link your new Win 7 GPOs
-or-
Create a WMI filter and link it to your GPOs for XP and the new Windows 7 GPOs

Windows XP:
select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%") and ProductType="1"

Windows 7:
select * from Win32_OperatingSystem where (Version like "6.1%") and ProductType="1"

timnjohnson (Author, Information Security Engineer) commented:
I think creating a WMI filter and linking it to the GPOs for XP and the new Windows 7 GPOs. I want to be very careful about what I do because this is a production environment and I don't want to fix one and break the other. And I don't think blocking the inheritance is an option here since we want to keep the XP machines untouched.
Tom Cieslik (IT Engineer) commented:
It's simple.

Create a new group in Active Directory Users and Computers and name it, let's say, W7Computers or XPComputers.
Move all computers with the XP OS to the XPComputers group.

Go to GPO, create a new policy and link it to your domain.
In Security Filtering, add only the XPComputers group.
In the Delegation tab add the XPComputers and Domain Users groups with READ access.

From now on this policy should work only for XPComputers users.
Peter Hutchison (Senior Network Systems Specialist) commented:
The problem with using groups is that they are not dynamic. So if someone sets up a new or a replacement machine with Windows XP or 7 and doesn't put it in the group, then the wrong policies are applied. I would always use WMI filters; they will apply correctly no matter what computers are added or removed.
Tom Cieslik (IT Engineer) commented:
Yes, that's true

You can set up 2 different policies for ALL users and computers, and only for the Windows 7 and 10 operating systems you can apply a WMI filter.

Create new filter

Namespace
root/CIMv2

Query
select * from Win32_OperatingSystem where (Version like "6.%" OR Version like "6.1.%" OR Version like "10.%") and ProductType = "1"

Since Windows XP is version 5.1, the filter will not be applied.

Don (Network Administrator) commented:
"The current GP is for XP and that will not support Win7 clients"

All you need then is to use one of your Windows 7 clients and install RSAT on it.

https://www.microsoft.com/en-us/download/details.aspx?id=7887

Remote Server Administration Tools for Windows® 7 with SP1 enables IT administrators to manage roles and features that are installed on computers that are running Windows Server® 2008 R2, Windows Server® 2008, or Windows Server® 2003, from a remote computer that is running Windows 7 or Windows 7 with SP1.
David Johnson, CD, MVP (Owner) commented:
Use WMI Filtering (see my article)
Windows 7
select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1"

Windows XP
select * from Win32_OperatingSystem WHERE (Version like "5.1%" or Version like "5.2%") AND ProductType="1"

timnjohnson (Author, Information Security Engineer) commented:
I'm having some issues with WMI and was wondering whether the domain functional level matters when creating separate group policies.
I have a Windows 2003 AD; the domain functional level is actually 2003, but the forest level is Windows 2000.
Does that make any difference, if you have legacy XP and Win7 machines in the same domain?
Tom Cieslik (IT Engineer) commented:
The filter for Windows 2000 functionality level applies to: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Computers running Windows 2000 cannot process WMI filters, and apply any GPO to which they have read and apply permissions. To prevent a computer running Windows 2000 from applying a GPO, you must use security group filtering.

REMEMBER about security filtering in the Delegation tab.
If you forget to set rights for the groups, the filter will NOT WORK.

So the functional level is not critical in your case, only the OS version.
Michael Pfister commented:
What kind of problems do you have with WMI?
You can check the query manually by running wbemtest on the client or remotely.
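The WMI filter queries posted in this thread can be checked from a client in a scripted way as well. The following is an added example, not code from any of the participants: it runs each query through Get-WmiObject, the same test wbemtest performs, and reports whether Group Policy would treat the filter as true on that machine. The -ComputerName parameter and the remote WMI access it needs are assumptions.

```powershell
# Added example (not from the thread): evaluate the WMI filter queries posted in this
# thread against a client with Get-WmiObject, the scripted equivalent of the wbemtest
# check suggested above. Run it locally on an XP and on a Windows 7 machine, or pass
# -ComputerName to query a remote client (WMI/DCOM access and admin rights assumed).
param([string]$ComputerName = '.')

$ns = 'root\CIMv2'   # the namespace Group Policy WMI filters are evaluated in
$os = Get-WmiObject -Namespace $ns -Class Win32_OperatingSystem -ComputerName $ComputerName
"Target OS: {0}  Version={1}  ProductType={2}" -f $os.Caption, $os.Version, $os.ProductType

# Queries exactly as posted in the thread. ProductType 1 = workstation, so servers
# never match. Note that "6.%" also matches Vista (6.0) and Windows 8/8.1 (6.2/6.3).
$filters = @(
    @{ Name = 'XP (Pfister, Johnson)';   Query = 'select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%") and ProductType="1"' },
    @{ Name = 'Win7 (Pfister, Johnson)'; Query = 'select * from Win32_OperatingSystem where (Version like "6.1%") and ProductType="1"' },
    @{ Name = 'Win7/10 (Cieslik)';       Query = 'select * from Win32_OperatingSystem where (Version like "6.%" OR Version like "6.1.%" OR Version like "10.%") and ProductType = "1"' }
)

foreach ($f in $filters) {
    # Group Policy treats a filter as TRUE when the query returns at least one instance.
    $hit = @(Get-WmiObject -Namespace $ns -Query $f.Query -ComputerName $ComputerName).Count -gt 0
    "{0,-26} {1}" -f $f.Name, $(if ($hit) { 'filter TRUE - GPO applies' } else { 'filter FALSE - GPO skipped' })
}
```

Running it on one XP and one Windows 7 test client before linking the filter shows whether the version patterns select exactly the machines intended.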
Sam Simon Nasser (IT Support Professional) commented:
First - you can use a WMI filter. You would apply this filter to that UAC GPO. It would basically say, apply only if computers are Windows 7. Here is a guide on creating WMI filters: https://deployhappiness.com/telepathic-group-policy-objects-and-wmi-awesomeness/

Second - you can use PowerShell or something similar to manage security groups for you. Basically, you would have a security group named Windows 7 Computers - a scheduled task would run on a regular basis and would add all Windows 7 computers to that group. You would modify the security filtering section of your UAC GPO to only apply to that new group (it probably applies to Authenticated Users right now). Here is a guide on that: https://deployhappiness.com/shadow-groups-security-active-directory/

https://social.technet.microsoft.com/Forums/en-US/7c23a1fc-478f-4bc8-b32b-445853148410/different-group-policies-for-different-os?forum=winserverGP
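The shadow-group approach in the second option above can be implemented as a small sync script. This is an added example, not code from the thread or from the linked guide; it assumes the ActiveDirectory module from RSAT, and the group name, search-base OU and operatingSystem pattern are placeholders to adjust.

```powershell
# Added example (not from the thread): a shadow-group sync script of the kind described
# in the second approach above. Scheduled to run regularly, it keeps a security group in
# step with the computers whose AD operatingSystem attribute reports Windows 7, so the
# GPO's security filtering follows the inventory instead of manual group moves.
# Assumes the ActiveDirectory module (RSAT) and a DC it can talk to (a 2003 DC needs the
# AD Management Gateway Service); group name and OU are placeholders to adjust.
Import-Module ActiveDirectory

$GroupName  = 'Windows 7 Computers'                  # group named in the thread
$SearchBase = 'OU=Workstations,DC=example,DC=local'  # placeholder OU
$OsFilter   = "OperatingSystem -like 'Windows 7*'"   # attribute the client sets on join

# Desired membership: every Windows 7 computer object under the search base.
$wanted = @(Get-ADComputer -Filter $OsFilter -SearchBase $SearchBase |
            ForEach-Object { $_.DistinguishedName })

# Current membership, computers only (ignore anything else someone added by hand).
$current = @(Get-ADGroupMember -Identity $GroupName |
             Where-Object { $_.objectClass -eq 'computer' } |
             ForEach-Object { $_.distinguishedName })

$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

if ($toAdd.Count)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }

"{0}: +{1} -{2}, {3} members expected" -f $GroupName, $toAdd.Count, $toRemove.Count, $wanted.Count
```

A computer only sees a changed group membership in its own token after a reboot, so a machine added by this task picks up the filtered GPO at its next boot rather than at the next gpupdate.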
Michael Pfister commented:
no further comment