none
Apply GPO to Workstation but not to Server

    Question

  • Hello,

    I 'am configuring a new environment with Active Directory, File Server etc.  One of the parts is Software deployment via GPO. This is working well, but in our case we several users who have admin rights. These users logon to servers and workstations. In this case a GPO with Software Deployment shouldn't apply to the servers, but when they logon to a workstation the policy should apply.

    Is there a possibility to exclude certain computers from this policy? I tried to add a group with "Deny" (computer as a member) via Delegation, but it seems that the user policy forces the deployment.

    I' am looking forward to the reply's

    Kind regards,

    Michel

    Client computer: Windows 8.1

    Windows Server: 2012 R2

    Tuesday, February 02, 2016 10:23 AM

Answers

  • Hi,
     
    Am 02.02.2016 um 11:23 schrieb Michel Kleine:
    > In this case a GPO with Software Deployment shouldn't apply to the
    > servers, but when they logon to a workstation the policy should
    > apply.
     
    Dispite of my problem with  deploying software by GPO, especially on
    user base: WMI Filter is what you are searching for.
     
    -> ProductType
    Work Station = 1
    Domain Controller = 2
    Server = 3
     
    Get Workstation by WMI:
    select * from win32_operatingsystem where producttype = 1
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Marked as answer by Michel Kleine Tuesday, February 02, 2016 10:57 AM
    Tuesday, February 02, 2016 10:37 AM

All replies

  • Hi,
     
    Am 02.02.2016 um 11:23 schrieb Michel Kleine:
    > In this case a GPO with Software Deployment shouldn't apply to the
    > servers, but when they logon to a workstation the policy should
    > apply.
     
    Dispite of my problem with  deploying software by GPO, especially on
    user base: WMI Filter is what you are searching for.
     
    -> ProductType
    Work Station = 1
    Domain Controller = 2
    Server = 3
     
    Get Workstation by WMI:
    select * from win32_operatingsystem where producttype = 1
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    • Marked as answer by Michel Kleine Tuesday, February 02, 2016 10:57 AM
    Tuesday, February 02, 2016 10:37 AM
  • You can use WMI filter to check product type before applying GPO. For example:

    select * from Win32_OperatingSystem where ProductType="1"

    Product type 1 is client OS.

    In any case, I'd also recommend using loopback processing for server policies to make sure that user policies do not affect configuration on servers.


    Gleb.

    Tuesday, February 02, 2016 10:39 AM
  • > Is there a possibility to exclude certain computers from this policy? I
    > tried to add a group with "Deny" (computer as a member) via Delegation,
    > but it seems that the user policy forces the deployment.
     
    1. Assing software in computer GPOs only, not in user GPOs.
    2. Use a WMI filter for the "ProductType" property of the OS.
     
    Servers: SELECT Name FROM Win32_OperatingSystem WHERE ProductType > 1
    Clients: SELECT Name FROM Win32_OperatingSystem WHERE ProductType = 1
     
     
    Tuesday, February 02, 2016 10:40 AM