GPO Filtering/Logic help


  • I'm trying to reduce the number of policies I have to maintain (who isn't, I guess...) and I'm starting a new project that seems nightmarish and am looking for the best solution (maybe it's not even GPO). I have 4 different kinds of workstations at a location, used for various things. Each kind needs its own admin group in the Administrators group based on location (e.g. NYC1, NYC2, NYC3 or NYC4, based on the first letter of the computer name: A, B, C, D). So is PowerShell my best bet, or can I bake logic into the GPO that says if the computer name contains NYC and the first letter of the name is C, then the NYC3 group gets assigned as the local administrator? (BTW I'm the PowerShell guy, I KNOW I can write a script to do this, just checking to see if GPO could do it instead.)

    I know that this level of granularity, no matter how you dice it, is going to be a pain to support, but it's what the customer needs, and I'm just trying to work with my GPO guy to find the best and most secure solution for this.

    Thursday, March 23, 2017 12:06 AM

All replies

  • Hi,

    To achieve your goal, you could use security filtering in Group Policy.

    For example, there are five computers: A1, A2, A3, B1 and B2. They are in the same computer OU. You want A1, A2 and A3 to apply one group policy, and B1 and B2 to apply another group policy.

    You could create two computer groups (computer A group and computer B group), adding the A1, A2 and A3 computers to computer A group and adding B1 and B2 to computer B group.

    Create two GPOs (computer A GPO and computer B GPO) linked to the computer OU. Configure the group policy settings in the computer A GPO, which will apply to computers A1, A2 and A3. Then remove Authenticated Users from security filtering in computer A GPO, and add computer A group to the security filtering. Do the same for computer B GPO.

    Best Regards,



    Thursday, March 23, 2017 7:17 AM
  • > BTW I'm the powershell guy, I KNOW I can write a script to do this, just checking to see if GPO could do it instead
    Congrats :-)
    You can use GPP Local Users and Groups; there, do item-level targeting for computer name "C*NY*" (yes, this filtering supports multiple wildcards).
    Thursday, March 23, 2017 2:49 PM
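
The name-to-group rule discussed in this thread, written as an audit check. This is an added example, not code posted by any participant: it resolves which admin group a computer name should receive and flags machines whose local Administrators membership disagrees. The wildcard patterns, the `CONTOSO` domain, the function names and the sample machines are assumptions constructed for illustration.

```powershell
# Constructed mapping: wildcard on computer name -> group expected in local Administrators.
# Group names follow the question (first letter C + NYC -> NYC3); 'CONTOSO' is a placeholder domain.
$AdminGroupRules = [ordered]@{
    'A*NYC*' = 'CONTOSO\NYC1'
    'B*NYC*' = 'CONTOSO\NYC2'
    'C*NYC*' = 'CONTOSO\NYC3'
    'D*NYC*' = 'CONTOSO\NYC4'
}

function Resolve-ExpectedAdminGroup {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Rules
    )
    # -like is case-insensitive and accepts several wildcards in one pattern.
    $hits = @($Rules.Keys | Where-Object { $ComputerName -like $_ })
    if ($hits.Count -gt 1) {
        # Overlapping rules would grant admin rights to more than one group.
        throw "Ambiguous rules for ${ComputerName}: $($hits -join ', ')"
    }
    if ($hits.Count -eq 0) { return $null }   # no rule: no managed group expected
    return $Rules[$hits[0]]
}

function Test-LocalAdminMembership {    # hypothetical helper name
    param([string]$ComputerName = $env:COMPUTERNAME, [string[]]$Members = @(), $Rules = $AdminGroupRules)
    $expected = Resolve-ExpectedAdminGroup -ComputerName $ComputerName -Rules $Rules
    $managed  = @($Rules.Values)
    [pscustomobject]@{
        ComputerName = $ComputerName
        Expected     = $expected
        # Expected group absent from the Administrators group.
        Missing      = ($null -ne $expected) -and ($Members -notcontains $expected)
        # A managed group is present that belongs to a different kind of workstation.
        Unexpected   = @($Members | Where-Object { $managed -contains $_ -and $_ -ne $expected })
    }
}

# Constructed samples: computer name plus the members read from its Administrators group.
$samples = @(
    @{ Name = 'C-NYC-0142'; Members = 'C-NYC-0142\Administrator', 'CONTOSO\NYC3' }
    @{ Name = 'A-NYC-0007'; Members = 'CONTOSO\NYC1', 'CONTOSO\NYC4' }   # stale NYC4 entry
    @{ Name = 'B-LON-0031'; Members = 'CONTOSO\NYC2' }                   # no rule matches this name
)
$samples | ForEach-Object { Test-LocalAdminMembership -ComputerName $_.Name -Members $_.Members } |
    Format-Table -AutoSize
```

To check the machine the script runs on, pass `(Get-LocalGroupMember -Group 'Administrators').Name` as `-Members` and leave `-ComputerName` at its default.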