Applying GPOs based on Operating System Version (item-level targeting)

Hi,

We have a Win2003 AD with one server acting as the PDC and a small bunch of 
GPOs. All clients are running WinXP SP3. The whole network / AD is working 
well.

Our management now wants Windows 7, but only on their computers, we're 
getting a WinXP/Win7 mixed environment (thanks Boss!). Thus we have to split 
some GPOs (e.g. Folder Redirection, etc.). We could clone each security 
group, one for XP users/computers and the other for Win7 and apply GPOs only 
to the correct group but that might not be the best solution.
We would like to use the item-level targeting like in drive mappings but 
afaik it's not available for every GPO setting, is it?

What's the best solution for our situation except upgrading all servers and 
clients to Srv2008 / Win7? :-) Is item-level targeting available per GPO 
and if so, where?
Your advice is much appreciated. Thanks. 

Ben
6/7/2010 12:19:31 PM
Howdie!

On 07.06.2010 14:19, Ben Humpert wrote:
> Our management now wants Windows 7, but only on their computers, we're
> getting a WinXP/Win7 mixed environment (thanks Boss!). Thus we have to

Ha! It's difficult to upgrade all clients all-at-once to a new OS. So 
you kind of get into that situation sooner or later :)

> We would like to use the item-level targeting like in drive mappings
> but afaik it's not available for every GPO setting, is it?

It's only for GP Preference items. Normal Group Policy settings aren't 
affected by the filter you set there.
>
> What's the best solution for our situation except upgrading all servers
> and clients to Srv2008 / Win7? :-) Is item-level targeting available
> per GPO and if so, where?

I'd go through a mixed-approach. Where possible, use item-level 
targeting on GP Preferences and for the "legacy" GPOs, define WMI 
filters that filter for the OS. If we're talking about a good amount of 
GPOs, you'll want to look at security filtering instead of WMI filters 
-- WMI filters are evaluated for every GPO they are linked to (not 
cumulatively) and that affects performance.

Cheers,
Florian
Florian
6/7/2010 12:41:42 PM
"Florian Frommherz [MVP]" <florian@frickelsoft.LEAVETHISOUT.net> wrote in 
message news:#xFEL7jBLHA.420@TK2MSFTNGP02.phx.gbl...
> Howdie!
>
> On 07.06.2010 14:19, Ben Humpert wrote:
>> Our management now wants Windows 7, but only on their computers, we're
>> getting a WinXP/Win7 mixed environment (thanks Boss!). Thus we have to
>>
>> What's the best solution for our situation except upgrading all servers
>> and clients to Srv2008 / Win7? :-) Is item-level targeting available
>> per GPO and if so, where?
>
> I'd go through a mixed-approach. Where possible, use item-level targeting 
> on GP Preferences and for the "legacy" GPOs, define WMI filters that 
> filter for the OS. If we're talking about a good amount of GPOs, you'll 
> want to look at security filtering instead of WMI filters -- WMI filters 
> are evaluated for every GPO they are linked to (not cumulatively) and that 
> affects performance.

Thanks for your reply. With the help of your Microsoft MVP profile page 
(https://mvp.support.microsoft.com/profile=1260AEA9-6724-4815-ABDB-B1A0BA9FE697) 
I found two of your blog entries which explained the WMI filtering including 
a query for "Vista and above"!

We tried it here but I guess WMI is dead because the RSAT GPMC on Win7 
crashed after we tried to save the WMI filter, on Srv2003 it works. Then we 
had the problem that the great windows firewall blocked WMI requests sent 
from the PDC (a big lol here ;).

We now solved the "problem" by removing our security groups (which we used 
previously for security filtering) and adding each computer/user directly to 
the security filtering.
WMI filtering is for sure a better solution (for the small amount of GPOs we 
have) but since we would have much more work getting it to work, we chose 
the easier way. 

Ben
6/7/2010 3:47:42 PM
Howdie!

On 07.06.2010 17:47, Ben Humpert wrote:
> We tried it here but I guess WMI is dead because the RSAT GPMC on Win7
> crashed after we tried to save the WMI filter, on Srv2003 it works. Then
> we had the problem that the great windows firewall blocked WMI requests
> sent from the PDC (a big lol here ;).

That crash is weird. I've created WMI filters and linked them several 
times with Win7 boxes and never had any issues. Hum.

As for the Windows Firewall - that's even more weird. The PDC doesn't 
actually send any WMI queries to the client. The client checks the GPO 
and notices that there's a WMI filter on it -- it evaluates the filter 
_locally_ and, in case it evaluates to TRUE, it applies the policy. 
Otherwise it doesn't.

I'm not sure as to how the Firewall comes into play here -- so when did 
you actually notice there's a firewall interference?

> We now solved the "problem" by removing our security groups (which we
> used previously for security filtering) and adding each computer/user
> directly to the security filtering.

That shouldn't be necessary. The ACL doesn't care whether there are 
groups or objects in there. They just apply.

> WMI filtering is for sure a better solution (for the small amount of
> GPOs we have) but since we would have much more work getting it to work,
> we chose the easier way.

I see. Thanks for the feedback. It shouldn't have been a hassle really. 
Let me know if you care to debug this further or discuss it.

Cheers,
Florian
Florian
6/7/2010 6:38:31 PM
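
The local evaluation described in the reply above can be reproduced on a client to check which OS-based WMI filter would let a GPO apply. This is an added example, not code from the thread or from the blog entries it mentions; the filter names and WQL queries are illustrative assumptions, and it assumes PowerShell 3.0 or later for `Get-CimInstance`.

```powershell
# Added example: evaluate GPO-style WMI filters on the local machine.
# A WMI filter counts as TRUE when its query returns at least one instance;
# no query is sent from a domain controller to the client.

function Test-WmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    } catch {
        # This script's choice: a query that fails is reported as not matching.
        Write-Warning "Query failed: $($_.Exception.Message)"
        return $false
    }
}

# Illustrative filters (names and queries are assumptions, not from the thread).
# Version is a string in WMI, so LIKE on the major version is used here;
# a comparison such as Version >= "6" sorts "10.0" before "6" and misfires.
# ProductType 1 = workstation, which keeps servers out of client GPOs.
$filters = [ordered]@{
    'Windows XP clients (5.1)'      = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ProductType = 1'
    'Vista / Win7 clients (6.x)'    = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.%" AND ProductType = 1'
    'Any server or DC (type 2 / 3)' = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2 OR ProductType = 3'
}

# Show what this machine reports, then the result of each filter.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
"Local OS: {0}  Version={1}  ProductType={2}" -f $os.Caption, $os.Version, $os.ProductType

foreach ($name in $filters.Keys) {
    [pscustomobject]@{
        Filter  = $name
        Applies = Test-WmiFilter -Query $filters[$name]
        Query   = $filters[$name]
    }
}
```

Running it on one XP and one Windows 7 machine before linking the filters confirms that exactly one client filter matches on each.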