Filtering Group Policy Settings

If you’re already familiar with using Group Policy Objects in Active Directory environments, then you no doubt already know that GPOs can only be applied to 3 types of objects – sites, domains, and organizational units. You cannot apply a GPO to a user account object, nor to a security group.

While the rules are the rules, there are ways to “filter” GPOs for a more granular level of control over whom (or what) they actually apply to. For example, the Security tab in the Properties of a GPO dictates the permissions that users and groups have to a GPO. Any objects to which the Read and Apply Group Policy permissions are allowed will have the policy settings applied to them.

So, let’s say that you have a GPO that you want to apply to all user accounts in a particular OU, except for 2 specific users. You would create the policy, apply it to the OU, and then set the permissions on the GPO such that these 2 users are denied the Apply Group Policy permission. The policy’s settings will then apply to all other users in the OU, but not impact your 2 special-case users. This permission filtering method can be used with both Windows 2000 and Windows Server 2003 forests.
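The exclusion just described, carried out from PowerShell rather than the GPMC Security tab, as an added example that is not part of the original tip. It assumes the RSAT GroupPolicy and ActiveDirectory modules are available on the admin workstation; the GPO name, OU distinguished name and the two sAMAccountNames are placeholders. It does what the Security tab does under the hood: it adds a Deny ACE for the "Apply Group Policy" extended right on the GPO's container in Active Directory, then lists the resulting Deny entries so you can confirm the filter before the next policy refresh.

```powershell
# Added example (not from the original article): exclude two users from a
# GPO linked to an OU by denying them the "Apply Group Policy" right.
# Assumptions: RSAT GroupPolicy + ActiveDirectory modules; names below are
# placeholders for your own environment.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = "Sales Desktop Lockdown"          # placeholder GPO name
$targetOu = "OU=Sales,DC=corp,DC=example"     # placeholder OU DN
$excluded = @("jdoe", "asmith")               # placeholder sAMAccountNames

# Schema GUID of the Apply-Group-Policy extended right (well-known value).
$applyGroupPolicyRight = [Guid]"edacfd8f-ffb3-11d1-b41d-00a0c968f939"

# Create the GPO if it does not exist yet and link it to the OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Guid $gpo.Id -Target $targetOu -ErrorAction SilentlyContinue | Out-Null

# $gpo.Path is the DN of the GPO container under CN=Policies,CN=System.
# The Group Policy client checks this object's ACL for the Apply right.
$adPath = "AD:\$($gpo.Path)"
$acl = Get-Acl -Path $adPath

foreach ($sam in $excluded) {
    $sid = (Get-ADUser -Identity $sam).SID
    # Deny ACE on the ExtendedRight "Apply Group Policy" for this user only.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGroupPolicyRight)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $adPath -AclObject $acl

# Verify: the two users should now appear with Denied = True.
Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Denied } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied
```

Authenticated Users keep their default Allow on Read and Apply Group Policy, so everyone else in the OU still receives the settings; only the explicit Deny entries change the outcome, and Deny always wins over Allow. Note that removing a user's entry (for example with Set-GPPermission and a permission level of None) is not the same thing: the user would still be covered by the Authenticated Users grant.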

While filtering by permissions certainly gives you more flexibility over how policies are applied, an even more powerful alternative exists. In Windows Server 2003, you can also filter the objects to which Group Policy settings apply by using what is known as a WMI Filter. If you open the properties of a GPO and click the WMI Filter tab, you can then select or define your filter settings.

Of course, you’re going to need to know a little about WMI to create your filters, but the documentation is out there. Here’s a great example of how WMI filters can be used, compliments of Alan Finn:

WMI filters are configured by defining both the namespace and a WMI query. The following examples are formatted with the appropriate namespace listed first, followed by the WMI query that defines the filter:

1. Applies only to machines with the KB890175 hotfix installed:

root\CIMV2; SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = 'KB890175'

2. Might be used on machines to launch a removal package for iTunes:

root\CIMV2; SELECT * FROM Win32_StartupCommand WHERE Name = 'iTunesHelper'

3. Can be used to filter machines with more than 256MB of RAM installed:

root\CIMV2; SELECT * FROM Win32_LogicalMemoryConfiguration WHERE TotalPhysicalMemory > 256000

4. A filter for XP machines with SP 2 installed:

root\CIMV2; SELECT * FROM Win32_OperatingSystem WHERE Caption = 'Microsoft Windows XP Professional' AND CSDVersion = 'Service Pack 2'
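A WMI filter is true on a given machine when its query returns at least one instance and false when it returns nothing, so the cheapest way to check a filter before attaching it to a GPO is to run the same WQL on a representative machine. The script below is an added example, not part of Alan Finn's tip or the article: it runs the four queries above through Get-CimInstance and reports whether each would let the GPO apply on the local box. The fourth query uses CSDVersion directly, since the TargetInstance prefix is only meaningful in WMI event queries, not in a GPO filter; Win32_LogicalMemoryConfiguration is deprecated on current Windows, so that query is expected to error on newer systems, which the script reports rather than hides.

```powershell
# Added example (not from the original article): evaluate candidate WMI
# filter queries locally the way the Group Policy client does.
# A query that returns one or more instances -> filter true -> GPO applies.
# A query that returns nothing -> filter false -> GPO is skipped.

$filters = @(
    @{ Name = "Hotfix KB890175 installed"
       Namespace = "root\CIMV2"
       Query = "SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = 'KB890175'" },
    @{ Name = "iTunesHelper startup item"
       Namespace = "root\CIMV2"
       Query = "SELECT * FROM Win32_StartupCommand WHERE Name = 'iTunesHelper'" },
    @{ Name = "RAM > 256000 KB (deprecated class)"
       Namespace = "root\CIMV2"
       Query = "SELECT * FROM Win32_LogicalMemoryConfiguration WHERE TotalPhysicalMemory > 256000" },
    @{ Name = "XP Professional SP2"
       Namespace = "root\CIMV2"
       Query = "SELECT * FROM Win32_OperatingSystem WHERE Caption = 'Microsoft Windows XP Professional' AND CSDVersion = 'Service Pack 2'" }
)

function Test-WmiFilterQuery {
    param([string]$Namespace, [string]$Query)
    try {
        $result = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop
        [pscustomobject]@{ Matches = @($result).Count; Error = $null }
    }
    catch {
        # A misspelled class or bad WQL never matches, so the GPO would never
        # apply; surface the error so the filter gets fixed before deployment.
        [pscustomobject]@{ Matches = 0; Error = $_.Exception.Message }
    }
}

foreach ($f in $filters) {
    $r = Test-WmiFilterQuery -Namespace $f.Namespace -Query $f.Query
    $state = if ($r.Matches -gt 0) { "APPLY" } else { "SKIP" }
    "{0,-5} {1,-36} matches={2} {3}" -f $state, $f.Name, $r.Matches, $r.Error
}
```

Once the filter is attached to a GPO, `gpresult /r` on a client shows the GPO under the denied list with the reason "WMI Filter" when the query evaluated to false, which is the quickest way to confirm the filter is doing what you expect on real machines.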

So, the next time that someone tells you that “you can’t do that with Group Policy”, you might want to dig a little deeper for the truth. With even a basic knowledge of WMI, you can filter your policies on just about any settings imaginable.

Tip provided by Dan DiNicolo and Alan Finn

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.