nmX.Memnoch Posted January 28, 2007 (edited)

I've got a question for some of you who have been doing Group Policies far longer than I have. I know I can't apply a GPO directly to a user/group/computer. It has to be applied to an OU. I was looking at some of the settings though and noticed the Security Filtering options and thought "Ok... this could be cool". I've created a custom Domain Controller Security GPO that has both computer and user settings in it. However, of course, the settings aren't enforced because the users don't exist in the Domain Controllers OU, so I have to apply the GPO to the OU containing the admin type accounts (they're in a custom OU). The problem I'm faced with is that some of the users in this OU are workstation admins, but not domain admins. The workstations will have different user policies than the DCs/Servers.

Using the Security Filtering options, can I specify that the GPO should only be applied to the Domain Controllers group, link it to the custom Administrators OU and expect that the user settings will be applied when the user logs on to a DC, but not be applied when they log on to a workstation?

EDIT: Well, I tried it running Group Policy Modeling and pretty much figured out that it won't work that way. But I still want to see if anyone has any suggestions...

Edited January 28, 2007 by nmX.Memnoch
cluberti Posted January 28, 2007

You could do a mixture of security and WMI filtering (security to apply only to those users, and WMI filtering to only apply a specific GPO if the machine is running Server 2003, for instance). It'd require multiple GPOs per user that way, but it does work.
nmX.Memnoch (Author) Posted January 28, 2007 (edited)

So basically create a filter with a query something like:

root\directory\LDAP; Select * from ads_computer where ADSIPath = "LDAP://CN=servername,OU=Domain Controllers,DC=domainname,DC=local"

and apply that WMI Filter to the GPO? I'm not understanding the reason for multiple GPOs though... unless you're talking about one for workstation settings and one for server settings?

Edited January 28, 2007 by nmX.Memnoch
cluberti Posted January 28, 2007

Basically, yes, multiple policies in an OU for users - otherwise, you'll have to do loopback mode (and I certainly don't suggest that on DCs). Take a look at these technet articles (if you haven't already) on how it might work:

http://technet2.microsoft.com/WindowsServe...8b31471033.mspx
http://technet2.microsoft.com/WindowsServe...514b171033.mspx
nmX.Memnoch (Author) Posted January 28, 2007 (edited)

Thanks. I'll give the articles a look tonight when I get back.

Unfortunately it's a new DC in a new domain. We're doing the initial setup offsite, and I don't have any workstations to do some real testing with. The bad thing is that I'm off-offsite (another location) right now, connected remotely to configure the GPOs. I guess this is as good a use as any for Virtual PC.

Edited January 28, 2007 by nmX.Memnoch
nmX.Memnoch (Author) Posted January 29, 2007 (edited)

Woah... Virtual PC is sloooooooooooooow over Remote Desktop. It was almost unbearable until I managed to get the VM Additions installed. The lesson here? Next time just use Virtual Server...

Anyway... using the LDAP namespace didn't work. I changed the filter to the "standard" CIMV2 namespace and have it doing a check on the Caption value in Win32_OperatingSystem. That appears to have worked. GPRESULT says the GPO is denied by a WMI filter. Doing an OS check is how I originally had the filter, but it wasn't working using the Group Policy Modeling Wizard (understandable, since it doesn't know what OS the target computer is running if the computer isn't online). That's why I changed it to the LDAP namespace, but that also didn't work using the GPMW. That, in turn, is why I wanted to test it against a real OS install.

Thanks!!!

Edited January 29, 2007 by nmX.Memnoch
cluberti Posted January 29, 2007

No problem - what you want to do is a fairly common request, and that's the way I would suggest it be done (via WMI Win32_OperatingSystem).
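As an added example (not from the thread or its posters), a PowerShell script that evaluates candidate GPO WMI-filter queries on the local machine the way the Group Policy client does: a filter applies when its WQL query returns at least one instance. It assumes PowerShell 3.0+ for Get-CimInstance, and the Caption string is a constructed placeholder; the ProductType query is an alternative added here, since Win32_OperatingSystem.ProductType is 2 only on a domain controller and so does not depend on the OS name.

```powershell
# Added example (not from the thread). Evaluates candidate GPO WMI-filter queries
# on the local machine. A WMI filter applies when its WQL query returns at least
# one instance, which is exactly what Test-GpoWmiFilter reports.
# Assumes PowerShell 3.0+ (Get-CimInstance); use Get-WmiObject -Query on older hosts.

function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMV2'   # the "standard" namespace used in the thread
    )
    try {
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    } catch {
        # An invalid query or unreachable namespace is reported as a non-match here so
        # the failure is visible; fix the filter syntax before linking it to a GPO.
        Write-Warning "Query failed in $Namespace : $($_.Exception.Message)"
        return $false
    }
}

# Filters to evaluate. The first is the thread's Caption-based check (the caption
# text is a constructed placeholder; match it to the OS caption on the target).
# The second uses ProductType, where 1 = workstation, 2 = domain controller,
# 3 = member server, so it keeps working when the OS caption changes.
$filters = [ordered]@{
    'Caption (thread approach)' = "SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE '%Server 2003%'"
    'ProductType = 2 (DC only)' = "SELECT * FROM Win32_OperatingSystem WHERE ProductType = 2"
}

foreach ($name in $filters.Keys) {
    $applies = Test-GpoWmiFilter -Query $filters[$name]
    '{0,-28} -> {1}' -f $name, $(if ($applies) { 'GPO would apply' } else { 'GPO denied by WMI filter' })
}
```

Run it on the DC and on a workstation (or VM) to confirm each filter gives the opposite answer on the two machine types before attaching it to the policy.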