Applying GPOs based on Operating System Version (item-level targetting)

Hi,

we have a Win2003 AD with one server acting as the PDC and a small bunch of
GPOs. All clients are running WinXP SP3. The whole network / AD is well
working.

Our management now wants Windows 7, but only on their computers, we're
getting a WinXP/Win7 mixed environment (thanks Boss!). Thus we have to split
some GPOs (eg. Folder Redirection, etc.). We could clone each security
group, one for XP users/computers and the other for Win7 and apply GPOs only
to the correct group but that might not be the best solution.
We would like to use the item-level targetting like in drive mappings but
afaik its not available for every GPO setting, is it?

Whats the best solution for our situation except upgrading all servers and
clients to Srv2008 / Win7? :-) Is item-level targetting available per GPO
and if, where?
Your advice is much appreciated. Thanks.

Howdie!

On 07.06.2010 14:19, Ben Humpert wrote:
> Our management now wants Windows 7, but only on their computers, we're
> getting a WinXP/Win7 mixed environment (thanks Boss!). Thus we have to

Ha! It's difficult to upgrade all clients all-at-once to a new OS. So
you kind of get into that situation sooner or later

> We would like to use the item-level targetting like in drive mappings
> but afaik its not available for every GPO setting, is it?

It's only for GP Preference items. Normal Group Policy settings aren't
affected by the filter you set there.
>
> Whats the best solution for our situation except upgrading all servers
> and clients to Srv2008 / Win7? :-) Is item-level targetting available
> per GPO and if, where?

I'd go thorugh a mixed-approach. Where possible, use item-level
targeting on GP Preferences and for the "legacy" GPOs, define WMI
filters that filter for the OS. If we're talking about a good amount of
GPOs, you'll want to look at security filtering instead of WMI filters
-- WMI filters are evaluated for every GPO they are linked to (not
cumulatively) and that affects performance.

Cheers,
Florian

"Florian Frommherz [MVP]" <> schrieb im
Newsbeitrag news:#...
> Howdie!
>
> On 07.06.2010 14:19, Ben Humpert wrote:
>> Our management now wants Windows 7, but only on their computers, we're
>> getting a WinXP/Win7 mixed environment (thanks Boss!). Thus we have to
>>
>> Whats the best solution for our situation except upgrading all servers
>> and clients to Srv2008 / Win7? :-) Is item-level targetting available
>> per GPO and if, where?
>
> I'd go thorugh a mixed-approach. Where possible, use item-level targeting
> on GP Preferences and for the "legacy" GPOs, define WMI filters that
> filter for the OS. If we're talking about a good amount of GPOs, you'll
> want to look at security filtering instead of WMI filters -- WMI filters
> are evaluated for every GPO they are linked to (not cumulatively) and that
> affects performance.

Thanks for your reply. With the help of your Microsoft MVP profile page
(https://mvp.support.microsoft.com/pr...B-B1A0BA9FE697)
i found two of your blog entries which explained the WMI filtering including
a query for "Vista and above"!

We tried it here but i guess WMI is dead because the RSAT GPMC on Win7
crashed after we tried to save the WMI filter, on Srv2003 it works. Then we
had the problem that the great windows firewall blocked WMI requests sent
from the PDC (a big lol here .

We now solved the "problem" by removing our security groups (which we used
previously for security filtering) and adding each computer/user directly to
the security filtering.
WMI filtering is for sure a better solution (for the small amount of GPOs we
have) but since we would have much more work getting it to work, we choosed
the easier way.

Howdie!

Am 07.06.2010 17:47, schrieb Ben Humpert:
> We tried it here but i guess WMI is dead because the RSAT GPMC on Win7
> crashed after we tried to save the WMI filter, on Srv2003 it works. Then
> we had the problem that the great windows firewall blocked WMI requests
> sent from the PDC (a big lol here .

That crash is weird. I've created WMI filters and linked them several
times with Win7 boxes and never had any issues. Hum.

As for the Windows Firewall - that's even more weird. There PDC doesn't
actually send any WMI queries to the client. The client checks the GPO
and notices that there's a WMI filter on it -- it evaluates the filter
_locally_ and, in case it evaluates to TRUE, it applies the policy.
Otherwise it doesn't.

I'm not sure as to how the Firewall comes into play here -- so when did
you actually notice there's a firewall interferance?

> We now solved the "problem" by removing our security groups (which we
> used previously for security filtering) and adding each computer/user
> directly to the security filtering.

That shouldn't be necessary. The ACL doesn't care whether there are
groups or objects in there. They just apply.

> WMI filtering is for sure a better solution (for the small amount of
> GPOs we have) but since we would have much more work getting it to work,
> we choosed the easier way.

I see. Thanks for the feedback. It shouldn't have been a hassle really.
Let me know if you care to debug this further or discuss it.

Cheers,
Florian