
MCITP 70-640: Group Policy Filtering

196 ratings | 50854 views
Check out http://YouTube.com/ITFreeTraining or http://itfreetraining.com for more of our always free training videos. There are a number of different options in Group Policy that allow you to target Group Policy to particular users and computers. This video looks at WMI filters and security that can be applied to target the Group Policy settings that you configure. The video also looks at how you can disable parts of Group Policy to speed up processing on your clients.

Sorting by OUs
One way of applying Group Policy is to sort the users and computers into different OUs. A typical way of doing this is to separate the users and computers by physical location, department and operating system. The problem with this approach is that an administrator needs to sort these objects initially and again whenever changes occur, for example when users change job titles or operating systems are upgraded. By using filters in Group Policy you can automate this process.

Demonstration
All the Group Policy filtering options are available from the Group Policy Management Console. Once you select a Group Policy Object you can configure additional filtering options for it.

User/Computer Configuration Enabling/Disabling
If you select the Details tab, the GPO Status option allows you to enable or disable the GPO, or to have only the user or only the computer configuration enabled. If you are only using one part of the configuration for the GPO, it is worthwhile disabling the other part. Disabling configuration like this will speed up the processing of the GPO on the client.

Security Filtering
On the Scope tab you can configure which groups are allowed to apply the Group Policy Object. Adding groups here effectively changes the permissions of the Group Policy Object, giving that group access to apply the Group Policy. The same effect can be achieved by editing the security of the Group Policy Object directly; however, Security Filtering provides an easier interface if all you want to do is see who has the ability to apply the Group Policy, or add or remove access.

WMI Filter
Windows Management Instrumentation (WMI) allows software to retrieve information about the client. For example, information about the operating system, hardware and installed software can be retrieved using WMI. Using WMI filters, you can target a Group Policy Object to particular characteristics of a computer. You can only assign one WMI filter per Group Policy Object; however, you can make it as complex as you wish. Using WMI filters in your domain, especially complex WMI filters, can slow down the time Group Policy takes to apply. To create a WMI query, select WMI Filters in the left panel of Group Policy Management under your domain and paste in your WMI query. An example of a WMI query is listed below.

    Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"

Once you have a WMI query configured, you can assign one WMI filter to the Group Policy Object on the Scope tab. A free WMI explorer is available at http://www.ks-soft.net/hostmon.eng/wmi/index.htm

Delegation
The Delegation tab effectively shows some of the permissions of the Group Policy Object. For the Group Policy to be applied to a client, the client requires the Read and Apply group policy permissions. To gain access to the security properties, press the Advanced button. If you want to prevent the Group Policy from being applied, select the Deny option for Apply group policy. Deny permissions should only be applied when necessary. In most cases there is another solution which does not require deny permissions.

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second Edition" pg 285 -- 291
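
A WMI filter query can be tested on a client before it is assigned to a GPO. The following is an added example, not from the video: it runs candidate queries locally with Get-CimInstance, reports whether each returns at least one instance (which is what makes a filter evaluate to true) and times the query. The function name Test-WmiFilterQuery and the second and third queries are constructed for illustration.

```powershell
# Added example: evaluate candidate WMI filter queries on the local machine
# before attaching them to a GPO in Group Policy Management.
function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    foreach ($q in $Query) {
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        $count = 0
        $err   = $null
        try {
            # A filter query is satisfied when it returns one or more instances.
            $count = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop).Count
        } catch {
            # This script reports a query that fails to run (typo, unknown
            # class) as not passing, and keeps the error text for review.
            $err = $_.Exception.Message
        }
        $timer.Stop()
        [pscustomobject]@{
            Passes    = ($null -eq $err -and $count -gt 0)
            Matches   = $count
            ElapsedMs = $timer.ElapsedMilliseconds
            Query     = $q
            Error     = $err
        }
    }
}

$candidates = @(
    # The query from the description above.
    'Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"',
    # Constructed samples: workstation operating systems (ProductType 1)
    # and mobile hardware (PCSystemType 2).
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1',
    'SELECT * FROM Win32_ComputerSystem WHERE PCSystemType = 2'
)

Test-WmiFilterQuery -Query $candidates |
    Format-Table Passes, Matches, ElapsedMs, Query -AutoSize -Wrap
```

Run it on a machine that should receive the GPO and on one that should not; a query that passes on both, or takes noticeably long, needs rework before it goes into a filter.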
Text Comments (24)
Saladin Glanton (1 year ago)
Thank you so much for the refresher/explanation. Rarely do I use the filter function.
itfreetraining (1 year ago)
You're welcome! We're glad you found it useful.
Maher Mohareb (1 year ago)
This is a great one .. but I am not sure about when you add a group to the security filtering ... this group must be inside the OU of the group policy, not anywhere else in the AD !!!!! I am just a little bit confused .. also the same question goes for the delegation part
3eenab (1 year ago)
Thanks a lot.
itfreetraining (1 year ago)
You're very welcome!
dipesh kumar (1 year ago)
Hi Sir, great tutorial, although how to apply group policy only to certain computers, irrespective of which user logs into it? 1. Create a new computer group having all computers. 2. Link the GPO to the OU. 3. Remove the authenticated user tab. 4. Add the new computer group and confirm the read and apply permission to ensure. Pls confirm if it is correct?
Billy Rowe (2 years ago)
4:44 Throughout many years of playing with GP and AD, countless classes to get my degree, and jobs - I still sometimes have a hard time understanding this page... on how to scope things... Luckily, the way you have explained things up to the point where I'm at in the video makes sense and I can understand the way you teach perfectly. I'm hoping I understand this more so that I'm more confident going into a JR Systems Administrator job. I've been playing with AD and GP since I was like 5 or 6 years old... blocking access from my Sisters. Haha. I'm very good with AD and GP... but a lot of other people are more knowledgeable than myself. Like I said, don't get me wrong - I'm familiar and comfortable with setting it up, but I can't do the whacky customization like is explained in this video. Hopefully I'll learn once I continue the video.
Ulf Müller (2 years ago)
Great training video! Thank you for sharing! Let me add that Microsoft Security Update KB3159398 (released in June 2016) breaks the way Security Filtering worked. With KB3159398 installed on the client computers you have to add the Domain Computers group with read permission in "Delegation" to use Security Filtering - otherwise the GPO will not be assigned.
itfreetraining (2 years ago)
Thanks for the information! We really appreciate it.
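
The settings covered in the description (GPO status, security filtering, WMI filter, delegation) and the Read requirement raised in the comment above can be checked across a domain in one pass. This is an added example, not from the video or the commenters; it assumes the GroupPolicy PowerShell module is installed, and the function name Get-GpoFilteringReport and the "version 0 means never edited" rule are this example's own.

```powershell
# Added example: list each GPO's filtering settings for review.
# Requires the GroupPolicy module that ships with GPMC / RSAT.
Import-Module GroupPolicy

function Get-GpoFilteringReport {
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    foreach ($gpo in Get-GPO -All) {
        $acl   = @(Get-GPPermission -Guid $gpo.Id -All)
        $allow = @($acl | Where-Object { -not $_.Denied })

        # Security filtering: trustees allowed Read + Apply group policy.
        $apply = @($allow | Where-Object { $_.Permission -eq 'GpoApply' })

        # Does Authenticated Users (S-1-5-11) or Domain Computers (RID 515)
        # hold at least Read? Only these two well-known groups are checked.
        $computerRead = @($allow | Where-Object {
            $_.Permission -in $readLevels -and
            ($_.Trustee.Sid.Value -eq 'S-1-5-11' -or
             $_.Trustee.Sid.Value -like 'S-1-5-21-*-515')
        }).Count -gt 0

        # Entries reported as Denied, plus custom (hand-edited) ACEs; inspect
        # these in the Advanced security dialog on the Delegation tab.
        $review = @($acl | Where-Object { $_.Denied -or $_.Permission -eq 'GpoCustom' })

        # Heuristic: a half whose version is 0 has never been edited, so it
        # is a candidate for disabling under GPO Status.
        $unused = @()
        if ($gpo.User.DSVersion -eq 0)     { $unused += 'User' }
        if ($gpo.Computer.DSVersion -eq 0) { $unused += 'Computer' }

        [pscustomobject]@{
            Name             = $gpo.DisplayName
            GpoStatus        = $gpo.GpoStatus
            NeverEdited      = $unused -join ','
            WmiFilter        = $gpo.WmiFilter.Name
            AppliesTo        = $apply.Trustee.Name -join '; '
            DenyOrCustom     = $review.Trustee.Name -join '; '
            ComputersCanRead = $computerRead
        }
    }
}

Get-GpoFilteringReport |
    Sort-Object ComputersCanRead, Name |
    Format-Table -AutoSize -Wrap
```

Rows with ComputersCanRead set to False are the GPOs to check against the comment above; rows with a non-empty DenyOrCustom column are the ones where the description's advice about avoiding deny permissions applies.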
Umer Azeem (2 years ago)
Great :) Helped me a lot
itfreetraining (2 years ago)
+Umer Azeem (UA) Awesome, we're glad our videos helped you so much!
Fabio Furlanetti (2 years ago)
Congratulations :)
itfreetraining (2 years ago)
+Fabio Furlanetti Thanks!
Thank you for the well explained training have learnt a lot from your classes
itfreetraining (2 years ago)
+Gadgetproblem Noproblem You're very welcome. We are glad to hear that our videos have taught you well.
Macke Frisk (3 years ago)
so good!
wari francis (3 years ago)
REAL PURE GOLD !!!
itfreetraining (3 years ago)
+wari francis Thank you!
archangel dark (3 years ago)
You Sir, are PURE GOLD, melted in our brain! Thank you!
itfreetraining (3 years ago)
Thank you, we're glad you found the video helpful!
M Ram Prabakaran Naidu (4 years ago)
Thanks for the video.. It's excellent and awesome.. I learned a lot about filtering. But I have some queries: 1. You are describing User configuration disabled and Computer configuration disabled. "What is the difference between User configuration disabled and Computer configuration disabled"?? 2. How to write a query for WMI filters?? Thanks in advance for your reply.
itfreetraining (3 years ago)
Have a look at the following Microsoft web site. This gives some examples of WMI filters. http://technet.microsoft.com/en-au/library/cc779036(v=ws.10).aspx
Tony DeJesus (4 years ago)
TLDR; User config follows the user to different computers. Computer Config stays with that computer, regardless of which user. When you apply a GPO those changes can be applied to the computer side, or the user side. The user side of the GPO will follow the user wherever they log in. Let's say D.Smith uses Comp1 as his primary workstation, where he has specific shortcuts to web based applications on his desktop. If we were to apply the shortcuts to the computer configuration, Comp1 would have shortcuts to those applications regardless of which user was logged in (this is provided that d.smith and Comp1 are within the same OU). If N.Thomas (a member of HR) were to log in to Comp1, he would see the same shortcuts because those shortcuts are created on the computer, not the user. This also applies in reverse, where settings configured in the user configuration of a GPO follow that user wherever they go.
juanvictord (4 years ago)
Excellent video, from the Dominican Republic.
