Create a security group of computers and use that in the delegation section in group policy?

    Question

  • I need to create a group policy to install some software on all computers except for virtual computers.  My idea was to put all virtual computers into a security group called VMs and then use that in the delegation section for group policy and deny them access to the group policy.

    Is this the best route to accomplish what I am trying to do or would something else work better?

    Monday, October 24, 2016 6:53 PM

Answers

  • Hi,
    It seems to be working for me. Here is a step-by-step article to finish this, you could follow it and have a try:
    How to exclude individual users or computers from a Group Policy Object
    http://www.grouppolicy.biz/2010/05/how-to-exclude-individual-users-or-computers-from-a-group-policy-object/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    And you could also directly put all computers in an OU, except for VMs, then link the GPO to the OU.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 25, 2016 2:01 AM
    Moderator
  • Hello,

    Your idea is valid. You can deny Read or Apply permissions on a group policy for your group of computers and thus ensure they don't get that policy. The downside of this approach, of course, is the manual effort needed to maintain the group membership up to date as you add new computers to your environment.

    There is an alternative path. You can use WMI filtering to dynamically filter out the virtual computers (if they have some common type of virtual hardware that you can use to filter them out).

    The third way is to do an update to the AD structure and add separate OUs for physical and virtual computers under your current OU used to host computer objects (assuming that you have one). This way you can link the GPO to the OU that only contains physical computers. Again, this setup requires you to make sure that when new computers are added they are placed into the correct OU. 

    If you often need to distinguish between the physical and virtual computers then I would say that the third way is the preferred one, as it does not introduce any new login during the logon and is easier to trace and understand. If, however, this is a single time task, then any of these ways would be fine.

    /Regards

    Tuesday, October 25, 2016 7:40 AM
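The two answers above describe the same exclusion done three ways. As an added example (not code from the thread or from Microsoft), the PowerShell below implements the first two in a way you can script rather than click through: a Deny "Apply Group Policy" ACE for the asker's VMs group, and a WMI filter that lets the GPO apply only to computers that do not report virtual hardware. The GPO name, filter name and Manufacturer/Model strings are assumptions; Set-GPPermission cannot write a Deny ACE and the GroupPolicy module has no cmdlet for creating WMI filters, so both are done against the underlying AD objects.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not from the original thread. Names below are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName    = 'Deploy Agent'             # assumed: the software-install GPO
$GroupName  = 'VMs'                      # the group proposed in the question
$FilterName = 'Physical computers only'  # assumed WMI filter display name

# --- Approach 1: Deny "Apply Group Policy" for a security group ---------
# Edits the ACL of the GPO's groupPolicyContainer object in AD. Only the
# Apply right is denied, so VMs can still read SYSVOL; GPMC will offer to
# sync the SYSVOL ACL the next time the GPO is opened.
function Deny-GpoApplyForGroup {
    param([string]$Gpo, [string]$Group)
    $gpoObj = Get-GPO -Name $Gpo
    $sid    = (Get-ADGroup -Identity $Group).SID
    $path   = "AD:\$($gpoObj.Path)"               # AD: drive from the AD module
    $acl    = Get-Acl -Path $path
    # Well-known GUID of the "Apply Group Policy" extended right
    $applyGp = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGp,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# --- Approach 2: WMI filter on the reported hardware ---------------------
# The GPO applies only when the query returns a row, so the query must be
# TRUE on physical hosts and FALSE on guests. Strings are those reported by
# Hyper-V (Model "Virtual Machine"), VMware, VirtualBox (innotek), QEMU/KVM
# and Xen guests; extend the list for other hypervisors in your estate.
$Wql = "SELECT * FROM Win32_ComputerSystem WHERE NOT (Model LIKE '%Virtual%' " +
       "OR Manufacturer LIKE '%VMware%' OR Manufacturer LIKE '%QEMU%' " +
       "OR Manufacturer LIKE '%Xen%' OR Manufacturer LIKE '%innotek%')"

# Evaluate the same WQL against a host before deploying the filter.
# Returns $true when the GPO would apply (physical), $false for a VM.
function Test-PhysicalHost {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $row = Get-CimInstance -ComputerName $ComputerName -Namespace 'root\CIMv2' `
                           -Query $Wql -ErrorAction Stop
    return [bool]$row
}

# Creates the msWMI-Som object under CN=SOM,CN=WMIPolicy,CN=System and
# attaches it to the GPO via the gPCWQLFilter attribute.
function New-VmExclusionWmiFilter {
    param([string]$Name, [string]$Query, [string]$Gpo)
    $domain = Get-ADDomain
    $id     = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $now    = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmss.ffffff') + '-000'
    $ns     = 'root\CIMv2'
    # msWMI-Parm2 layout: <query count>;3;<namespace length>;<query length>;WQL;<namespace>;<query>;
    $parm2  = "1;3;$($ns.Length);$($Query.Length);WQL;$ns;$Query;"
    $attrs  = @{
        'msWMI-Name'             = $Name
        'msWMI-Parm1'            = 'Applies only to computers that do not report virtual hardware'
        'msWMI-Parm2'            = $parm2
        'msWMI-Author'           = "$env:USERNAME@$($domain.DNSRoot)"
        'msWMI-ID'               = $id
        'msWMI-ChangeDate'       = $now
        'msWMI-CreationDate'     = $now
        'instanceType'           = 4
        'showInAdvancedViewOnly' = $true
    }
    New-ADObject -Name $id -Type 'msWMI-Som' `
        -Path "CN=SOM,CN=WMIPolicy,CN=System,$($domain.DistinguishedName)" `
        -OtherAttributes $attrs
    # Link format is "[<domain DNS name>;<filter GUID>;0]"
    $gpoObj = Get-GPO -Name $Gpo
    Set-ADObject -Identity $gpoObj.Path `
        -Replace @{ 'gPCWQLFilter' = "[$($domain.DNSRoot);$id;0]" }
    return $id
}

# Usage (pick one approach; both together is redundant):
# Deny-GpoApplyForGroup -Gpo $GpoName -Group $GroupName
# Test-PhysicalHost -ComputerName 'vm01'      # expect $false on a guest
# New-VmExclusionWmiFilter -Name $FilterName -Query $Wql -Gpo $GpoName
# Verify on a client: gpresult /r /scope computer  ->  the GPO should be listed
# as filtered out with reason "Denied (Security)" or "Denied (WMI Filter)".
```

Two caveats a practitioner should keep in mind. The group approach only excludes machines someone remembered to add to the group, which is the maintenance burden the second answer points out; the WMI approach trusts whatever the machine reports about itself, and a WMI query that errors evaluates as false, so the GPO is silently not applied. For excluding a software install that is harmless; do not use a WMI filter to withhold security settings from hosts you do not fully control. On some domain controllers creating msWMI-Som objects over LDAP is refused with a constraint violation unless the "Allow System Only Change" registry value is set on the DC; if New-ADObject fails that way, create the filter in GPMC and keep only the linking step.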
