Apply a WS2012 R2 DC GPO to WS2012 R2 DCs only

    Question

  • I have an environment with one Windows 2008 DC and 2 Windows 2012 R2 DCs. I want to apply a "Windows Server 2012 R2 security hardening GPO" and apply ONLY to the Windows 2012 R2 DCs without affecting the Windows 2008 DC so that the winning GPO for the 2012 R2 DCs is "WS2012 R2 DC GPO" while the winning GPO for Windows 2008 DC is "Default Domain Controller GPO".

    Is it possible? How can I achieve this?

    Tuesday, April 11, 2017 11:10 AM

All replies

  • WMI filters on the GPO

    https://technet.microsoft.com/en-us/library/jj899801(v=ws.11).aspx

    select * from Win32_OperatingSystem where Version like "6.3%" and ProductType = "2"


    Tuesday, April 11, 2017 12:45 PM
  • I use the same step.

    1. Create a WMI filter named "Windows Server 2012 R2 DCs" with query same as yours,

    2. Domain Controllers container linked to 2 GPOs:
    Link Order 1: "WS2012 R2 DC GPO"
    Link Order 2: Default Domain Controllers Policy

    3. Click WS2012 R2 DC GPO and under WMI Filtering at the bottom, select "Windows Server 2012 R2 DCs" and click yes.

    4. But when checking GPResult of the Windows Server 2008 R2 DC, I found the following issues:

    a) There are errors under Component Status: Group Policy Infrastructure failed due to the error below:
    Access Denied.

    b) Nearly all Winning GPO entries show "WS2012 R2 DC GPO" instead of "Default Domain Controllers Policy", which I expect.

    What's wrong with that? It's the same even if I reboot the WS 2008 R2 DC.


    • Edited by Eddie Lui Tuesday, April 11, 2017 1:40 PM
    Tuesday, April 11, 2017 1:39 PM
  • > 1. Create a WMI filter named "Windows Server 2012 R2 DCs" with query same as yours,
     
    Which exact query did you use?
     
    Tuesday, April 11, 2017 2:00 PM
  • Namespace=root\CIMv2

    Query is:

    select * from Win32_OperatingSystem WHERE Version like "6.3%" AND ProductType="2"

    Wednesday, April 12, 2017 2:54 AM
  • > a) There are errors under Component Status: Group Policy Infrastructure failed due to the error below:
    > Access Denied.
     
    Check the group policy eventlog for related events. Seems you partially screwed your AD...
     
    Wednesday, April 12, 2017 9:21 AM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy


    Tuesday, April 18, 2017 2:48 PM
    Moderator
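
A way to check the WMI filter from this thread on each DC, as an added example that is not part of any reply above: it runs the posted query in the posted namespace, reports whether the filter would pass on the local machine, and then shows what Group Policy processing recorded. The function name `Test-WmiFilterQuery` is hypothetical; the GPO name is the one used in the thread.

```powershell
# Added example, not from the thread. Run locally on each DC in an elevated session.
# Get-WmiObject is used because it is available in PowerShell 2.0 (Windows Server 2008 R2).

$Namespace = 'root\CIMv2'
$Query     = 'select * from Win32_OperatingSystem where Version like "6.3%" and ProductType = "2"'
$GpoName   = 'WS2012 R2 DC GPO'   # GPO name as given in the thread

function Test-WmiFilterQuery {   # hypothetical helper name
    param(
        [string]$Namespace,
        [string]$Query
    )
    # A GPO WMI filter evaluates to true when the query returns at least one instance.
    $instances = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
    return ($instances.Count -gt 0)
}

# What this machine reports for the two properties the filter tests.
$os = Get-WmiObject -Namespace $Namespace -Class Win32_OperatingSystem

New-Object PSObject -Property @{
    Computer     = $env:COMPUTERNAME
    Caption      = $os.Caption
    Version      = $os.Version        # 6.3.x = Windows Server 2012 R2, 6.1.x = 2008 R2, 6.0.x = 2008
    ProductType  = $os.ProductType    # 2 = domain controller
    FilterPasses = Test-WmiFilterQuery -Namespace $Namespace -Query $Query
} | Format-List Computer, Caption, Version, ProductType, FilterPasses

# Confirm the filter is actually attached to the GPO (requires the GroupPolicy module / GPMC).
Import-Module GroupPolicy
(Get-GPO -Name $GpoName).WmiFilter | Format-List Name, Description

# Compare with the computer-side result of the last Group Policy refresh.
gpupdate /target:computer /force
gpresult /r /scope computer
```

On a Windows Server 2012 R2 DC `FilterPasses` should be `True`; on a Windows Server 2008 or 2008 R2 DC it should be `False`, because their versions begin with 6.0 and 6.1. If `FilterPasses` is `False` but the hardening GPO still shows as a winning GPO, the filter is not what decides the outcome on that machine, and the Group Policy event log is the next place to look.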