Limit Group Policy to specific OS

    Question

  • Hi. I'm sure this is a common scenario, but I would like to hear the forum members' opinion as to the best way to do this. I have a Domain (currently Server 2003 DC) consisting of Windows 7 and Windows 8.1 workstations. I've created a GPO to control what Windows 8 "modern" apps are available to users, using a PowerShell script. I only want it to run on Windows 8 machines, but I want it to be per user (in other words, I have it set in the user configurations). Do I put all those workstations into a separate OU and link the GPO there, or do I use a WMI filter?

    Thanks!

    Friday, December 26, 2014 5:16 PM


All replies

  • Hi. I'm sure this is a common scenario, but I would like to hear the forum members' opinion as to the best way to do this. I have a Domain (currently Server 2003 DC) consisting of Windows 7 and Windows 8.1 workstations. I've created a GPO to control what Windows 8 "modern" apps are available to users, using a PowerShell script. I only want it to run on Windows 8 machines, but I want it to be per user (in other words, I have it set in the user configurations). Do I put all those workstations into a separate OU and link the GPO there, or do I use a WMI filter?

    So you're using \User Configuration\Windows Settings\Scripts(Logon/Logoff)\[Logon]  ??
    But you're linking the GPO to the OU which contains computers not users ?

    If so, are you using Loopback processing?


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Friday, December 26, 2014 8:23 PM
  • Thanks, Don, for your reply. Indeed I am using that setting. I haven't actually tried either way yet, but yes, the idea is to put all the Win 8 machines into their own OU and use Loopback processing (merge). Or I could simply go with a WMI filter. I was wondering what would be the better way to go.
    Sunday, December 28, 2014 3:30 AM
  • Thanks, Don, for your reply. Indeed I am using that setting. I haven't actually tried either way yet, but yes, the idea is to put all the Win 8 machines into their own OU and use Loopback processing (merge). Or I could simply go with a WMI filter. I was wondering what would be the better way to go.

    Hmm, if you go down the WMI Filtering road, you'd need to link the GPO to the OU where your user accounts reside (since it's a \User Configuration\ setting that you're doing).

    Otherwise, put the machines into an OU, link the GPO there, and enable Loopback processing. Replace or Merge is up to you/your requirements, i.e. if you need to override other inherited or linked \User Configuration\ settings.

    Loopback processing can cause other unintended side-effects, so be on the lookout for those. Plus, Loopback causes an extended processing time (due to the nature of loopback processing), so if you already have a long-ish processing time / logon time, you might want to consider that.

    An efficient WMI filter might be less-costly (processing-wise).

    Test out both approaches in your environment to see which suits your situation - both are valid approaches.


    Don

    • Marked as answer by B Josephs Sunday, December 28, 2014 4:35 PM
    Sunday, December 28, 2014 6:03 AM

  • Hmm, if you go down the WMI Filtering road, you'd need to link the GPO to the OU where your user accounts reside (since it's a \User Configuration\ setting that you're doing).

    Understood. That's how things are currently set up. Before I started messing with WMI filters I thought I'd ask if a PC-based OU would be more efficient.

    An efficient WMI filter might be less-costly (processing-wise).

    I was planning on the basic - 

    Select * from win32_operatingsystem where version like "6.2%" or version like "6.3%"

    - is there a more efficient way?

    As far as testing, I'm not sure if my laziness caused me to ask, or I was combating laziness by asking... Thanks for your time.

    Sunday, December 28, 2014 4:47 PM
  • I was planning on the basic - 

    Select * from win32_operatingsystem where version like "6.2%" or version like "6.3%"

    - is there a more efficient way?

    As far as testing, I'm not sure if my laziness caused me to ask, or I was combating laziness by asking... Thanks for your time.

    :)

    less ambiguity = more efficient, e.g. avoid wildcards, don't return properties you don't need, etc

    e.g.: SELECT Version FROM Win32_OperatingSystem where Version = "6.1.7601"

    is more efficient than;

    SELECT * FROM Win32_OperatingSystem where Version LIKE "6.1%"

    Note that WMI filtering for GP simply requires a result or a no-result to be returned for the filter to be valid.
    No point returning 62 properties, each full of values, when all you really care about is that single property/value.


    Don

    Sunday, December 28, 2014 8:33 PM
  • Got it. As far as the version number goes, Microsoft themselves used a wildcard to denote the version number, leading me to assume that within one "official" version of windows (i.e. 8, 8.1) there may be multiple extended version numbers. Is this incorrect?                                                                    
    Wednesday, December 31, 2014 2:42 PM
  • As far as the version number goes, Microsoft themselves used a wildcard to denote the version number, leading me to assume that within one "official" version of windows (i.e. 8, 8.1) there may be multiple extended version numbers. Is this incorrect?

    There are multiple version numbers, so if you have those GDR/LDR variations to cater for, then you'll need to wildcard that. The numbers might change for various reasons and you won't always know when or why (although it's traditionally a service pack or similar as the trigger for that numbering change).

    Don

    Thursday, January 1, 2015 12:21 AM
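
Added example, not part of any post in this thread: a PowerShell check that runs the candidate filter queries discussed above on the local machine and reports whether each returns an instance (which is all a GPO WMI filter evaluates) and how long it took. It assumes PowerShell 3.0 or later; the labels, the `Test-WmiFilterQuery` function name and the `ProductType = 1` clause (workstation editions only) are additions for illustration and do not come from the thread.

```powershell
# Added example: test candidate GPO WMI-filter queries on the local machine.
# Assumes PowerShell 3.0+ (Get-CimInstance, [ordered], [pscustomobject]).
# A WMI filter only needs the query to return an instance or none, so each
# candidate is reported as Match = True/False together with its run time.

$versionTest = 'Version LIKE "6.2%" OR Version LIKE "6.3%"'

# Labels are constructed for this example; the queries follow the thread.
$candidates = [ordered]@{
    'All properties, wildcard' = "SELECT * FROM Win32_OperatingSystem WHERE $versionTest"
    'One property, wildcard'   = "SELECT Version FROM Win32_OperatingSystem WHERE $versionTest"
    # Assumption beyond the thread: ProductType = 1 keeps only workstation
    # editions, since server editions share the 6.2/6.3 version prefix.
    'Workstations only'        = "SELECT Version FROM Win32_OperatingSystem WHERE ($versionTest) AND ProductType = 1"
}

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Label,
        [Parameter(Mandatory)] [string] $Query
    )
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Wrap in @() so zero, one or many instances all expose .Count.
        $instances = @(Get-CimInstance -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
        $status = 'OK'
    }
    catch {
        # A malformed query (for example unquoted LIKE patterns) lands here.
        $instances = @()
        $status = "Query error: $($_.Exception.Message)"
    }
    $timer.Stop()

    [pscustomobject]@{
        Label        = $Label
        Match        = ($instances.Count -gt 0)
        Milliseconds = [math]::Round($timer.Elapsed.TotalMilliseconds, 1)
        Status       = $status
    }
}

$candidates.GetEnumerator() |
    ForEach-Object { Test-WmiFilterQuery -Label $_.Key -Query $_.Value } |
    Format-Table -AutoSize
```

Run it on one machine of each OS in the domain before attaching a query to the GPO: a correct filter shows Match = True only on the machines that should receive the policy.
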
  • So, I'm assuming that running a lab with the same version across the board and the same maintenance schedule should always keep the same version. I just have to remember to keep an eye on things when there is an upgrade.

    Thanks again.

    Monday, January 5, 2015 3:07 AM
  • To add something on Loopback and WMI filter performance:
     
     
    (Personally, I would never recommend loopback if it's not the "perfect"
    solution for a requirement.)
     
     

    Martin

    Want to read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, January 12, 2015 12:53 PM