Preferences Item-level targeting of a computer

    Question

  • My question is: With higher-level security filtering using a security group, you remove the Authenticated Users from the scope of the GPO (in the Security Filtering pane of the GPO), and you add the security group you want that GPO to apply to. When you want to 'item-level' target a specific preference item to a specific computer, but the overall GPO is still not in-scope of all computers in the OU to which it is linked, what are the implications for leaving in the Authenticated Users versus still only including the computer/computer group in the Security Filtering scope? (in terms of performance of having all computers have to evaluate the GPO only to 'learn' that they are not targeted in the preference item, etc.).

    The specific example: I would like to use a single GPO to map 4 different drives to 4 different groups of computers. For each drive mapping, I thought I would item-level target the security group of computers that needs to map only that drive. Should I continue to include Authenticated Users in the overall scope of the GPO, or should I remove that and filter the overall GPO on those computers that I'm item-level targeting? Or is this six of one half a dozen of another?

    So maybe the real question is, compare and contrast how a GPO is filtered at the higher Security Filtering level versus the item-targeting level. Maybe.


    Tony Auby


    • Edited by TonyAuby Saturday, April 23, 2016 3:55 PM
    Saturday, April 23, 2016 3:51 PM

Answers

  • Hi Tony,

    The specific example: I would like to use a single GPO to map 4 different drives to 4 different groups of computers. For each drive mapping, I thought I would item-level target the security group of computers that needs to map only that drive. Should I continue to include Authenticated Users in the overall scope of the GPO, or should I remove that and filter the overall GPO on those computers that I'm item-level targeting? Or is this six of one half a dozen of another?

    >>>You could not remove Authenticated Users from the overall GPO. Item-level targeting is used to change the scope of individual preference items based on the Security Filtering.

    For example, there are group A and group B in the Users OU, and computer group1, computer group2, computer group3 and computer group4. You could configure the drive map to map J: for group A and X: for group B with item-level targeting. The users of group A will get the J: drive and the users of group B will get the X: drive after they log on.

    If you configure the drive map to map J: for computer group1 and X: for computer group2 with item-level targeting, the users who are members of group A or group B will get the J: drive when they log on to a computer that is a member of group1. Those users will get the X: drive when they log on to a computer that is a member of group2.

    If you remove Authenticated Users from the overall scope, the policy will not work.

    Best Regards,

    Jay



    Monday, April 25, 2016 5:59 AM
    Moderator
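
The user-group versus computer-group targeting described in the answer above can be modelled in a few lines. This is an added example, not part of the original thread or any Microsoft tooling: the XML is a constructed sample shaped like a drive-map preference file, the `EXAMPLE\...` group names, the S: item and the share paths are made up, and the evaluator is a simplified model that handles only security-group filters and assumes the GPO itself is already in scope.

```python
import xml.etree.ElementTree as ET

# Constructed sample: J: and X: target computer groups, S: targets a user group.
# userContext="0" is taken to mean "computer in group", "1" "user in group".
DRIVES_XML = r"""<Drives>
  <Drive name="J:">
    <Properties action="U" letter="J" path="\\fs.example\j-share"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\group1" userContext="0"/>
    </Filters>
  </Drive>
  <Drive name="X:">
    <Properties action="U" letter="X" path="\\fs.example\x-share"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\group2" userContext="0"/>
    </Filters>
  </Drive>
  <Drive name="S:">
    <Properties action="U" letter="S" path="\\fs.example\s-share"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\groupA" userContext="1"/>
    </Filters>
  </Drive>
</Drives>"""

def item_applies(drive, user_groups, computer_groups):
    """Evaluate one item's group filters left to right (simplified model)."""
    result = None
    for f in drive.findall("./Filters/FilterGroup"):
        # Pick which identity's memberships this filter is checked against.
        pool = user_groups if f.get("userContext") == "1" else computer_groups
        hit = f.get("name").lower() in {g.lower() for g in pool}
        if f.get("not") == "1":
            hit = not hit
        if result is None:
            result = hit
        elif f.get("bool") == "OR":
            result = result or hit
        else:
            result = result and hit
    return True if result is None else result  # an item with no filters applies

def mapped_drives(xml_text, user_groups, computer_groups):
    """Return the drive items that would apply for this user on this computer."""
    root = ET.fromstring(xml_text)
    return [d.get("name") for d in root.findall("Drive")
            if item_applies(d, user_groups, computer_groups)]
```

A computer that is in none of the targeted groups still evaluates every item and ends up with an empty result, which is the per-item filtering cost the question asks about.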

All replies

  • Item-level targeting will allow you to use the default security settings "Authenticated Users". While using item-level targeting you'll definitely accomplish your task if you can correctly configure it so that A,B,C,D groups of servers would apply "their" settings.
    Saturday, April 23, 2016 6:52 PM