3. Managing GPO Status
GPO status controls whether the entire GPO is
enabled, disabled, or if only the Computer Configuration or User
Configuration node is enabled. GPO status is applied to the GPO itself,
so all links will be affected by any changes to the GPO status. To view
or modify the status of a GPO, follow these steps:
1. Log on to a designated Windows Server 2012 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Group Policy Objects container and expand it.
4. Select the desired GPO and select the Details tab in the right pane.
5. On the Details tab, in the GPO Status drop-down menu, note the current status of the GPO.
6. If the GPO status needs to be changed, click the drop-down arrow and select one of the following options:
• Enabled
• User Configuration Settings Disabled
• Computer Configuration Settings Disabled
• All Settings Disabled
7. After you select the desired GPO status, a confirmation window opens. click OK to complete the status change.
4. Managing GPO Security Filtering
Managing security filtering is one of the
best ways to target a specific group of users and computers for GPO
application. Security filtering can be set to a specific user,
computer, or security group object or a combination of all three object
types. To change the security filtering of a GPO from the default of
Authenticated Users, follow these steps:
1. Log on to a designated Windows Server 2012 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain to expose the Group Policy Objects container and expand it.
4. Select the desired GPO and select the Scope tab in the right pane.
5. In the Security Filtering section of the Scope tab, select the Authenticated Users group, and click the Remove button.
6. Click OK in the confirmation dialog box to remove the security group from the GPO security filtering.
7. In the Security
Filtering section of the Scope tab, click the Add button to add an
Active Directory object to the security filter for the GPO.
8. Type in the name of the user or security group that will be applied to the GPO security filtering, and click OK.
9. If multiple objects need to be added, repeat this process until all the objects are added to the security filter.
10. If a
specific computer object needs to be added, in the Select Users and
Group window, click the Object Types button, check the Computers
object, and click OK. Type the computer object name or browse for the
object, and then click OK.
5. Creating and Linking WMI Filters to GPOs
When applying security filtering to a GPO is
not granular enough to target a specific set of computers, a WMI filter
can be linked to the GPO. For this example, we will create a WMI filter
that includes a computer with an OS name of Windows 8. To create the
example WMI filter, follow these steps:
1. Log on to a designated Windows Server 2012 administrative system.
2. Open the Group Policy Management Console.
3. Expand the domain and select the WMI Filters container.
4. Right-click the WMI Filters container and select New.
5. In the Name section, type in Windows 8 WMI Filter.
6. In the Description section, type in WMI filter to include only Windows 8 workstations.
7. Click the Add button to create the WMI filter query.
8. In the Query section, type Select * from Win32_OperatingSystem Where (Name LIKE “%Windows 8%”) to show a GPO WMI filter similar to the one shown in Figure 1.
Figure 1. Creating a Windows 8 WMI GPO filter.
9. Click OK to save the query and return to the WMI Filter window.
10. Click Save to create the WMI filter in the domain.