[nmX.Memnoch]

I've got a question for some of you who have been doing Group Policies far longer than I have.

I know I can't apply a GPO directly to a user/group/computer. It has to be applied to an OU. I was looking at some of the settings though and noticed the Security Filtering options and thought "Ok...this could be cool". I've created a custom Domain Controller Security GPO that has both computer and user settings in it. However, of course, the settings aren't enforced because the users don't exist in the Domain Controllers OU so I have to apply the GPO to the OU containing the admin type accounts (they're in a custom OU). The problem I'm faced with is that some of the users in this OU are workstation admins, but not domain admins. The workstations will have different user policies than the DCs/Servers.

Using the Security Filtering options can I specify that the GPO should only be applied to the Domain Controllers group, link it to the customer Administrators OU and expect that the user settings will be applied when the user logs on to a DC, but not be applied when they logon to a workstation?


EDIT: Well, I tried it running Group Policy Modeling and pretty much figured out that it won't work that way. But I still want to see if anyone has any suggestions...

This post has been edited by nmX.Memnoch: 28 January 2007 - 02:59 AM

[cluberti]

You could do a mixture of security and WMI filtering (security to apply only to those users, and WMI filtering to only apply a specific GPO if the machine is running Server 2003, for instance). It'd require multiple GPOs per user that way, but it does work.

[nmX.Memnoch]

So basically create a filter with a query something like:

root\directory\LDAP; Select * from ads_computer where ADSIPath = "LDAP://CN=servername,OU=Domain Controllers,DC=domainname,DC=local"

and apply that WMI Filter to the GPO?


I'm not understanding the reason for multiple GPOs though...unless you're talking about one for workstation settings and one for server settings?

This post has been edited by nmX.Memnoch: 28 January 2007 - 02:08 PM

[cluberti]

nmX.Memnoch, on Jan 28 2007, 01:37 PM, said:

So basically create a filter with a query something like:

root\directory\LDAP; Select * from ads_computer where ADSIPath = "LDAP://CN=servername,OU=Domain Controllers,DC=domainname,DC=local"

and apply that WMI Filter to the GPO?


I'm not understanding the reason for multiple GPOs though...unless you're talking about one for workstation settings and one for server settings?

Basically, yes, multiple policies in an OU for users - otherwise, you'll have to do loopback mode (and I certainly don't suggest that on DCs). Take a look at these technet articles (if you haven't already) on how it might work:
http://technet2.microsoft.com/WindowsServe...8b31471033.mspx
http://technet2.microsoft.com/WindowsServe...514b171033.mspx

[nmX.Memnoch]

Thanks. I'll give the articles a look tonight when I get back.

Unfortunately it's a new DC in a new domain. We're doing the initial setup offsite I don't have any workstations to do some real testing with. The bad thing is that I'm off-offsite (another location) right now connected remotely to configure the GPOs. I guess this is as good a use as any for Virtual PC.

This post has been edited by nmX.Memnoch: 28 January 2007 - 04:13 PM

[cluberti]

I'd say yes .

[nmX.Memnoch]

Woah...Virtual PC is sloooooooooooooow over Remote Desktop. It was almost unbearable until I managed to get the VM Additions installed. The lesson here? Next time just use Virtual Server...

Anyway...using the LDAP namespace didn't work. I changed the filter to the "standard" CIMV2 name space and have it doing a check on the Caption value in Win32_OperatingSystem. That appears to have worked. GPRESULT says the GPO is denied by a WMI filter.

Doing an OS check is how I originally had the filter but it wasn't working using the Group Policy Modeling Wizard (understandable since it doesn't know what OS the target computer is running if the computer isn't online). That's why I changed it to the LDAP namespace but that also didn't work using the GPMW. That, in turn, is why I wanted to test it against a real OS install.

Thanks!!!

This post has been edited by nmX.Memnoch: 29 January 2007 - 09:12 AM

[cluberti]

No problem - what you want to do is a fairly common request, and that's the way I would suggest it be done (via WMI Win32_OperatingSystem).