Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos.
There are a number of different options in Group Policy that allow you to target Group Policy to particular users and computers. This video looks at WMI filters and security that can be applied to target Group Policy settings that you configure. The video also looks at how you can disable parts of Group Policy to speed up the processing on your clients.
Sorting by OUs
One way of applying Group Policy is to sort the users and computers into different OUs. A typical way of doing this is to separate the users and computers by physical location, department and operating system. The problem with this approach is that an administrator needs to sort these objects initially and again whenever changes occur, for example when users change job titles or operating systems are upgraded. By using filters in Group Policy you can automate this process.
All the Group Policy filtering options are available from Group Policy Management Console. Once you select a Group Policy Object you can configure additional filtering options for it.
User/Computer Configuring Enabling/Disabling
If you select the Details tab, the GPO Status option allows you to enable or disable the GPO, or to have only the user or only the computer configuration enabled. If you are using only one part of the configuration for the GPO, it is worthwhile disabling the other part. Disabling configuration like this will speed up the processing of the GPO on the client.
On the Scope tab you can configure which groups are allowed to apply the Group Policy Object. Adding groups here effectively changes the permissions of the Group Policy Object, giving that group access to apply the Group Policy. The same effect can be achieved by editing the security of the Group Policy Object directly; however, Security Filtering provides an easier interface if all you want to do is see who has the ability to apply the Group Policy, or add or remove access.
Windows Management Instrumentation (WMI) allows software to retrieve information about the client. For example, information about the operating system, hardware and installed software can be retrieved using WMI. Using WMI filters, you can target a Group Policy Object to particular characteristics of a computer. You can only assign one WMI filter per Group Policy Object; however, you can make it as complex as you wish. Using WMI filters in your domain, especially complex WMI filters, can slow down the time Group Policy takes to apply.
To create a WMI query, select WMI Filters in the left panel of Group Policy Management under your domain and paste in your WMI query. An example of a WMI query is listed below.
Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"
Once you have a WMI query configured, you can assign one WMI filter to the Group Policy Object on the scope tab.
A free WMI explorer. http://www.ks-soft.net/hostmon.eng/wmi/index.htm
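Before a query is pasted into a WMI filter, it can be run on a sample client to see whether it returns anything and how long it takes. The following is an added example, not part of the original video notes; `Test-WmiFilterQuery` is a hypothetical helper name and the second query is constructed for comparison.

```powershell
# Added example, not from the video. Test-WmiFilterQuery is a hypothetical helper name.
function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string]   $Namespace    = 'root\CIMv2',
        [string[]] $ComputerName = @('localhost')
    )
    foreach ($computer in $ComputerName) {
        $cim = @{ Query = $Query; Namespace = $Namespace; ErrorAction = 'Stop' }
        # Only pass -ComputerName for remote machines; local queries need no remoting.
        if ($computer -notin 'localhost', '.', $env:COMPUTERNAME) { $cim.ComputerName = $computer }

        $timer   = [System.Diagnostics.Stopwatch]::StartNew()
        $count   = 0
        $problem = $null
        try   { $count = @(Get-CimInstance @cim).Count }
        catch { $problem = $_.Exception.Message }   # bad WQL, missing class, unreachable host
        $timer.Stop()

        [pscustomobject]@{
            Computer     = $computer
            FilterPasses = ($count -gt 0)   # a WMI filter is true when the query returns an instance
            Instances    = $count
            Milliseconds = $timer.ElapsedMilliseconds   # slow queries delay policy processing
            Error        = $problem
        }
    }
}

# The query from this page: passes only on Windows XP Professional SP3 clients.
$xpSp3 = 'Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"'

# Constructed comparison query: ProductType 1 is a workstation (2 = domain controller, 3 = server).
$workstation = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'

$xpSp3, $workstation | ForEach-Object { Test-WmiFilterQuery -Query $_ } | Format-List
```

A query that reports an error here should be corrected before it is assigned to a Group Policy Object.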
The Delegation tab effectively shows some of the permissions of the Group Policy Object. In order for the Group Policy to be applied to a client, it requires the Read and Apply Group Policy permissions. To gain access to the security properties, press the Advanced button. If you want to prevent the Group Policy from being applied, select the Deny option for Apply Group Policy. Deny permissions should only be applied when necessary. In most cases there is another solution which does not require deny permissions.
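The settings described above (GPO status on the Details tab, Security Filtering and the WMI filter on the Scope tab, and the permissions behind the Delegation tab) can be reviewed for every GPO in one pass. The following is an added example, not part of the original video notes; it assumes the GroupPolicy PowerShell module that ships with GPMC, and `Get-GpoScopeReport` is a hypothetical helper name.

```powershell
# Added example, not from the video. Get-GpoScopeReport is a hypothetical helper name.
# Requires the GroupPolicy module (installed with GPMC / RSAT) and read access to the GPOs.
Import-Module GroupPolicy

function Get-GpoScopeReport {
    foreach ($gpo in Get-GPO -All) {
        $perms = @(Get-GPPermission -Guid $gpo.Id -All)

        # GpoApply means Read + Apply Group Policy: the list shown under Security Filtering.
        $applies = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
        # Deny entries and hand-edited ACLs (shown as Custom) deserve a second look.
        # Assumption: the permission objects expose a Denied flag, as in GPMC.
        $review  = $perms | Where-Object { $_.Denied -or $_.Permission -eq 'GpoCustom' }

        # A half with version 0 has never had a setting saved. If it is still
        # enabled, it is a candidate for disabling under GPO Status.
        $status = "$($gpo.GpoStatus)"
        $unused = @()
        if ($gpo.User.DSVersion -eq 0 -and
            $status -in 'AllSettingsEnabled', 'ComputerSettingsDisabled') { $unused += 'User' }
        if ($gpo.Computer.DSVersion -eq 0 -and
            $status -in 'AllSettingsEnabled', 'UserSettingsDisabled') { $unused += 'Computer' }

        [pscustomobject]@{
            Gpo               = $gpo.DisplayName
            GpoStatus         = $status
            UnusedEnabledHalf = $unused -join ', '
            WmiFilter         = $gpo.WmiFilter.Name   # empty when no filter is assigned
            AppliesTo         = ($applies | ForEach-Object { $_.Trustee.Name }) -join '; '
            ReviewAcl         = ($review  | ForEach-Object { $_.Trustee.Name }) -join '; '
        }
    }
}

Get-GpoScopeReport | Sort-Object Gpo | Format-Table -AutoSize -Wrap
```

An empty `AppliesTo` column means no trustee currently has Read and Apply Group Policy, so that GPO will not be applied to anyone.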
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 285 -- 291
This is a great one .. but I am not sure about when you add a group to the security filtering ... this group must be inside the OU of the group policy not to be in anywhere else in the AD !!!!!
I am just a little bit confused .. also the same question goes to the delegation part
Hi Sir, Great tutorial ,
although how to apply group policy only to certain computers & irrespective of which users logs into it.
1. create a new computer group having all computers.
2. Link the gpo to the OU.
3. remove the authenticated user tab.
4. add the new computer group & confirm the read and apply permission to ensure.
pls confirm if it is correct ?
4:44 Throughout many years of playing with GP and AD, countless classes to get my degree, and jobs - I still sometimes have a hard time understanding this page... on how to scope things...
Luckily, the way you have explained things up to the point where I'm at in the video makes sense and I can understand the way you teach perfectly. I'm hoping I understand this more so that I'm more confident going into a JR Systems Administrator job.
I've been playing with AD and GP since I was like 5 or 6 years old... blocking access from my Sisters. Haha. I'm very good with AD and GP... but a lot of other people are more knowledgeable than myself. Like I said, don't get me wrong - I'm familiar and comfortable with setting it up, but I can't do the whacky customization like is explained in this video.
Hopefully I'll learn once I continue the video.
Great training video! Thank you for sharing!
Let me add that Microsoft Security Update KB3159398 (released in June 2016) breaks the way Security Filtering worked. With KB3159398 installed on the client computers you have to add the Domain Computers group with read permission in "Delegation" to use Security Filtering - otherwise the GPO will not be assigned.
Thanks for the video.. It's excellent and awesome.. I learned a lot about filtering, but I have some queries,
1. You are describing User configuration disabled and Computer configuration disabled
"What is the difference between User configuration disabled and Computer configuration disabled"??
2. How to write a query for WMI filters ??
Thanks in advance for your reply..,
TLDR; User config follows the user to different computers. Computer Config stays with that computer, regardless of which user.
When you apply a GPO those changes can be applied to the computer side, or the user side. The user side of the GPO will follow the user wherever they log in. Let's say D.Smith uses Comp1 as his primary workstation, where he has specific shortcuts to web based applications on his desktop. If we were to apply the shortcuts to the computer configuration, Comp1 would have shortcuts to those applications regardless of which user was logged in (this is provided that d.smith and Comp1 are within the same OU). If N.Thomas (a member of HR) were to log in to Comp1, he would see the same shortcuts because those shortcuts are created on the computer, not the user. This also applies in reverse, where settings configured in the user configuration of a GPO follow that user wherever they go.
Signal Spam is a public-private partnership that allows users to report anything that they consider to be spam in their e-mail client or webmail in order to assign it to the public authority or the professional that will take the required action to combat the reported spam.
The Spam Signal reflex.
A spam report collects all the technical information required for the identification of a spammer, whether the report relates to a marketing abuse or cyber-criminal spam. Signal Spam is responsible for qualifying your report and distributing useful information to those fighting spam.
Download the plugin that corresponds to your messaging environment and install it.
Report spam from your e-mail and track developments in your personal space.
Thanks to your reports, Signal Spam collects information essential to the identification of spammers, and shares it with the authorized actors able to take action adapted to each specific report.
Consult the code of ethics.
The reports provide the digital evidence investigators and public authorities need to engage legal procedures, controls and sanctions against companies which send abusive marketing e-mails, and legal actions against cyber criminals.