
Windows Server 2008 R2 : Elements of Group Policy (part 4) - GPO Filtering

3/8/2011 10:20:01 PM

GPO Filtering

Applying GPOs can be tricky, and the design of the Active Directory forest, domains, sites, and OU hierarchy plays a major part in this. One of the most important considerations when designing the Active Directory OU hierarchy within a domain is to understand how the domain administrators plan to manage the domain computers and users with group policies.

In many cases, even with the most careful planning of the Active Directory infrastructure, GPOs will be applied to computers and/or users that do not need the settings contained within that GPO. To better target which computer and user objects a particular GPO applies to, Microsoft has built in a few mechanisms that filter out or include objects so that only the desired computers or users actually apply the policy. The mechanisms that control or filter how a policy will be applied are as follows:

  • GPO security filtering

  • GPO WMI filtering

  • GPO status for the Computer Configuration or User Configuration nodes

GPO Security Filtering

GPO security filtering is the “group” in Group Policy. Many administrators get frustrated when they have to explain that Group Policy applies to computers and users but not to groups. Security filtering is where administrators define which users, computers, or members of security groups will actually apply the group policy.

By default, GPOs apply to the Authenticated Users security group, which includes all users and computers in the domain. The scope of GPO application is then segmented based on the location of the Group Policy links. It can be segmented even further by removing the Authenticated Users group from the GPO security filtering, as shown in Figure 5, and replacing it with a custom security group.

Figure 5. Examining GPO security filtering.

When the security filtering of a GPO is configured to apply to a custom security group, only the members of that group, whether users, other groups, or computer objects, will actually apply that particular policy. It is also important to always keep the group membership current; otherwise, the application of Group Policy might be incomplete or incorrect.
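One way to review security filtering across a domain, as an added example that is not part of the original article: the script lists every trustee that holds the Apply permission on each GPO and flags filter groups that have no members. It assumes the GroupPolicy and ActiveDirectory modules are installed; the function name Get-GpoSecurityFilterReport is hypothetical.

```powershell
# Added example (not from the original article).
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT or a domain controller).
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoSecurityFilterReport {
    foreach ($gpo in Get-GPO -All) {
        # Trustees holding "Read + Apply group policy" make up the security filter.
        $filter = @(Get-GPPermissions -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoApply' })

        if ($filter.Count -eq 0) {
            # No one can apply this GPO, wherever it is linked.
            New-Object PSObject -Property @{
                Gpo = $gpo.DisplayName; Trustee = '(none)'; Type = $null
                Members = $null; Note = 'No trustee has the Apply permission'
            }
            continue
        }

        foreach ($entry in $filter) {
            $members = $null
            $note = ''
            if ($entry.Trustee.SidType -eq 'Group') {
                # Resolve nested groups too; users and computers both count.
                $members = @(Get-ADGroupMember -Identity $entry.Trustee.Sid.Value -Recursive).Count
                if ($members -eq 0) { $note = 'Empty group: nothing applies the GPO through this entry' }
            }
            New-Object PSObject -Property @{
                Gpo     = $gpo.DisplayName
                Trustee = $entry.Trustee.Name
                Type    = $entry.Trustee.SidType
                Members = $members
                Note    = $note
            }
        }
    }
}

Get-GpoSecurityFilterReport |
    Select-Object Gpo, Trustee, Type, Members, Note |
    Sort-Object Gpo |
    Format-Table -AutoSize
```

Well-known trustees such as Authenticated Users are listed without a member count because they are not directory groups that can be enumerated.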

GPO WMI Filtering

GPO WMI filtering is a Group Policy concept introduced in Windows XP and Windows Server 2003. A WMI filter is a query that is processed by computer objects only and can be used to include or exclude particular computer objects from applying a GPO that includes the WMI filter. An example of a WMI filter could be a query that includes only computer objects with an operating system version of “6.1*,” which includes all Windows 7 and Windows Server 2008 R2 systems. WMI filters will not be processed by legacy Windows 2000 or older systems. The security filtering must also meet the criteria for the GPO to be processed. WMI filters work well when the Active Directory hierarchy is relatively flat, where the alternative of maintaining computer group membership can be tedious.
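The version filter described above can be checked on a machine before it is attached to a GPO. The following is an added example, not part of the original article: WQL uses % as the LIKE wildcard, so “6.1*” is written as "6.1%", and a filter passes when its query returns at least one instance. The function name Test-WmiFilterQuery and the ProductType variants are assumptions added for illustration.

```powershell
# Added example (not from the original article). Windows PowerShell 2.0 or later.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2',
        [string]$ComputerName = '.'
    )
    # Time the query: every computer that processes the GPO runs it.
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query `
                            -ComputerName $ComputerName -ErrorAction Stop)
    $timer.Stop()

    New-Object PSObject -Property @{
        Query        = $Query
        Passes       = ($hits.Count -gt 0)   # one or more instances = filter is true
        Milliseconds = $timer.ElapsedMilliseconds
    }
}

# Constructed sample queries. ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$queries = @(
    # All version 6.1 systems (Windows 7 and Windows Server 2008 R2)
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%"',
    # Windows 7 only
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = 1',
    # Windows Server 2008 R2 only (member servers and domain controllers)
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType <> 1'
)

$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } |
    Select-Object Passes, Milliseconds, Query |
    Format-Table -AutoSize
```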

GPO Status

GPOs are applied to computer and user objects. Within a particular GPO, the settings available are segmented into two distinct nodes: the Computer Configuration node and the User Configuration node.

Configuring or changing the GPO status, shown in Figure 6, enables administrators to set the GPO to one of the following states:

  • Enabled (Default)

  • User Configuration Settings Disabled

  • Computer Configuration Settings Disabled

  • All Settings Disabled

Figure 6. Examining GPO status.

This function of a GPO can be a very effective tool for troubleshooting GPOs as well as for optimizing GPO processing. As an example, if a GPO contains configured settings only in the Computer Configuration node and user objects are located in containers linked to that GPO, the GPO will still be processed for the user to check for any configured settings. This simple check can add a few seconds to the entire GPO processing time for that user, and if many GPOs are processed, it could increase the logon, logoff, or refresh interval by minutes or more. As a troubleshooting tool, if a user or computer is not receiving the desired end result of a set of applied policies, disabling a node or the entire policy can help an administrator identify the suspect GPO causing the undesired result.
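The optimization described above can be found by script. This added example, which is not part of the original article, reports GPOs that still have a node enabled although that node has never been edited, and suggests the status to set. It assumes the GroupPolicy module; the function name Get-GpoStatusReview is hypothetical, and a node version of 0 is used as the heuristic for "no settings".

```powershell
# Added example (not from the original article). Assumes the GroupPolicy module.
Import-Module GroupPolicy

function Get-GpoStatusReview {
    foreach ($gpo in Get-GPO -All) {
        $status = [string]$gpo.GpoStatus
        $userOn = ($status -eq 'AllSettingsEnabled') -or ($status -eq 'ComputerSettingsDisabled')
        $compOn = ($status -eq 'AllSettingsEnabled') -or ($status -eq 'UserSettingsDisabled')

        # Heuristic: a directory version of 0 means the node was never edited.
        $userIdle = $userOn -and ($gpo.User.DSVersion -eq 0)
        $compIdle = $compOn -and ($gpo.Computer.DSVersion -eq 0)
        if (-not ($userIdle -or $compIdle)) { continue }

        # Keep nodes that are in use; never re-enable a node already disabled.
        $keepUser = $userOn -and (-not $userIdle)
        $keepComp = $compOn -and (-not $compIdle)
        if ($keepUser) { $suggested = 'ComputerSettingsDisabled' }
        elseif ($keepComp) { $suggested = 'UserSettingsDisabled' }
        else { $suggested = 'AllSettingsDisabled' }

        New-Object PSObject -Property @{
            Gpo             = $gpo.DisplayName
            CurrentStatus   = $status
            UserVersion     = $gpo.User.DSVersion
            ComputerVersion = $gpo.Computer.DSVersion
            SuggestedStatus = $suggested
        }
    }
}

Get-GpoStatusReview |
    Select-Object Gpo, CurrentStatus, UserVersion, ComputerVersion, SuggestedStatus |
    Sort-Object Gpo |
    Format-Table -AutoSize

# After reviewing a row, the status is changed by assigning the property, e.g.:
#   (Get-GPO -Name '<GPO name>').GpoStatus = 'UserSettingsDisabled'
```

The report only reads GPO metadata; a GPO whose node was edited and later emptied has a nonzero version and will not be listed.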
