Win7 and WinXP Group Policy

I have a unique situation and nobody in our team has seen it before. Please feel free to ask if you need clarification.
I have a Windows 2003 AD and WinXP as clients.
I want to create a separate OU for Win7 clients and be able to push a GP for Win7 instead of the default domain policy meant for XP. The current GP is for XP and that will not support Win7 clients.
Question: How do I create a separate GP for Win7 machines and apply it, but still keep the XP group policy?
My security officer must generate a report (SCAP) and it must have the Win7 GP applied in order to determine the baseline.
timnjohnson (Information Security Engineer) asked:
Michael Pfister commented:
Either create a new OU and block the inheritance of your GPOs (note this will block all GPOs that are not enforced, even the Default Domain Policy) and create and link your new Win 7 GPOs,
or create a WMI filter and link it to your GPOs for XP and the new Windows 7 GPOs:

Windows XP:
select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%") and ProductType="1"

Windows 7:
select * from Win32_OperatingSystem where (Version like "6.1%") and ProductType="1"


timnjohnson (Information Security Engineer, author) commented:
I think creating a WMI filter and linking it to the GPOs for XP and the new Windows 7 GPOs. I want to be very careful about what I do because this is a production environment and I don't want to fix one and break the other. And I don't think blocking the inheritance is an option here since we want to keep the XP machines untouched.
Tom Cieslik (IT Engineer) commented:
It's simple.

Create a new group in Active Directory Users and Computers and name it, let's say, W7Computers or XPComputers.
Move all computers with the XP OS into the XPComputers group.

Go to GPO, create a new policy and link it to your domain.
In Security Filtering, add only the XPComputers group.
In the Delegation tab, add the XPComputers and Domain Users groups with READ access.

From now on this policy should work only for XPComputers users.
Peter Hutchison (Senior Network Systems Specialist) commented:
The problem with using groups is that they are not dynamic. So if someone sets up a new or a replacement machine with Windows XP or 7 and doesn't put it in the group, then the wrong policies are applied. I would always use WMI filters; they will apply correctly no matter what computers are added or removed.
Tom Cieslik (IT Engineer) commented:
Yes, that's true

You can set up 2 different policies for ALL users and computers, and only for the Windows 7 and 10 operating systems you can apply a WMI filter.

Create a new filter:

select * from Win32_OperatingSystem where (Version like "6.%" OR Version like "6.1.%" OR Version like "10.%") and ProductType = "1"

Since Windows XP is version 5.1, the filter will not be applied.
Don (Network Administrator) commented:
"The current GP is for XP and that will not support Win7 clients"

All you need then is to use one of your Windows 7 clients and install RSAT on it.

Remote Server Administration Tools for Windows® 7 with SP1 enables IT administrators to manage roles and features that are installed on computers that are running Windows Server® 2008 R2, Windows Server® 2008, or Windows Server® 2003, from a remote computer that is running Windows 7 or Windows 7 with SP1.
David Johnson, CD, MVP (Owner) commented:
Use WMI Filtering (see my article)
Windows 7
select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1"

Windows XP
select * from Win32_OperatingSystem WHERE (Version like "5.1%" or Version like "5.2%") AND ProductType="1"

timnjohnson (Information Security Engineer, author) commented:
I'm having some issues with WMI and was wondering whether the domain functional level matters when creating separate group policies.
I've a Win2003 AD and the domain functional level is actually 2003, but the forest level is Win2000.
Does that make any difference if you have legacy XP and Win7 machines in the same domain?
Tom Cieslik (IT Engineer) commented:
The filter for the Windows 2000 functional level applies to: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista.

Computers running Windows 2000 cannot process WMI filters, and apply any GPO to which they have read and apply permissions. To prevent a computer running Windows 2000 from applying a GPO, you must use security group filtering.

REMEMBER the security filtering in the Delegation tab.
If you forget to set rights for the groups, then the filter will NOT WORK.

So the functional level is not critical in your case, only the OS version.
Michael Pfister commented:
What kind of problems do you have with WMI?
You can check the query manually by running wbemtest on the client or remotely.
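Another way to verify the queries quoted in this thread before linking them to a GPO: the script below is an added example, not posted by anyone in the thread, and assumes Windows PowerShell (Get-WmiObject over DCOM, which still reaches XP/2003-era machines) with admin rights on the target computers.

```powershell
# Evaluate GPO-style WMI filter queries against one or more computers.
# A WMI filter "applies" when its query returns at least one instance,
# so each row below shows whether the GPO carrying that filter would apply.
$Filters = @{
    # Queries as quoted in the thread above
    'WinXP' = 'select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%") and ProductType="1"'
    'Win7'  = 'select * from Win32_OperatingSystem where (Version like "6.1%") and ProductType="1"'
}

function Test-GpoWmiFilter {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),   # local machine by default
        [hashtable]$FilterSet   = $Filters
    )
    foreach ($computer in $ComputerName) {
        try {
            # The raw facts the filters match against, for comparison
            $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop
            foreach ($name in $FilterSet.Keys) {
                $hit = Get-WmiObject -Query $FilterSet[$name] -ComputerName $computer -ErrorAction Stop
                [pscustomobject]@{
                    Computer    = $computer
                    Version     = $os.Version
                    ProductType = $os.ProductType   # 1 = workstation, 2 = domain controller, 3 = server
                    Filter      = $name
                    Applies     = [bool]$hit          # true when the query returned an instance
                }
            }
        } catch {
            # Unreachable host, RPC/firewall problem or a broken WMI repository shows up here
            [pscustomobject]@{
                Computer    = $computer
                Version     = $null
                ProductType = $null
                Filter      = '(error)'
                Applies     = $_.Exception.Message
            }
        }
    }
}

# Example: check the local machine and two constructed hostnames
Test-GpoWmiFilter -ComputerName $env:COMPUTERNAME, 'XP-WORKSTATION01', 'WIN7-WORKSTATION01' |
    Format-Table -AutoSize
```

A filter that shows Applies = False on a machine that should receive the GPO is the first thing to look at when gpresult says the GPO was "Filtered out (WMI)".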
Sam Simon Nasser (IT Support Professional) commented:
First, you can use a WMI filter. You would apply this filter to that UAC GPO. It would basically say: apply only if the computer is Windows 7. Here is a guide on creating WMI filters:

Second, you can use PowerShell or something similar to manage security groups for you. Basically, you would have a security group named Windows 7 Computers; a scheduled task would run on a regular basis and would add all Windows 7 computers to that group. You would modify the security filtering section of your UAC GPO to only apply to that new group (it probably applies to Authenticated Users right now). Here is a guide on that:
Michael Pfister commented:
no further comment