custom filter on OU ??

    Question

  • Is there a way for the GPO to NOT apply to machines in an OU if those machines have a certain registry entry? If so how?

    mqh7

    Thursday, February 26, 2015 11:52 PM

All replies

  • WMI based?

    Refer : https://social.technet.microsoft.com/Forums/windowsserver/en-US/5cd1b80a-2f90-4d46-bf65-dba52dcf0c56/how-to-make-wmifilter-that-looks-for-a-registrykey-or-filefolder?forum=winserverGP


    Arnav Sharma | http://arnavsharma.net/ Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, February 27, 2015 1:10 AM
  • > Is there a way for the GPO to *NOT* apply to machines in an OU if those
    > machines have a certain registry entry? If so how?
     
    Not "OOB" - WMI has no namespace for registry values. It only offers a
    provider with methods, and you cannot call methods in a WMI filter :)
     
    There are 2 possible workarounds:
     
    a) do you require a WHOLE GPO or just some settings to be not applied?
    If the latter one, you can use Group Policy Preferences Registry with
    Item Level Targeting for registry keys and values.
     
    b) if you require the WHOLE GPO to not apply, you need to create your
    own MOF file that offers the matching registry values as properties.
    SCCM uses this for its hardware inventory - see
    brief introduction and a MOF sample.
     

    Martin

    Read a GOOD book about GPOs for once?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Friday, February 27, 2015 11:04 AM
  • Martin, it is A) from above. We have a single sign-on software installed in our environment. This SSO software has two "types". Type 1 is for a standalone user. Type 2 is for a shared or kiosk machine. The difference between the two types is 1 registry entry. If this key equals 1 it is a Type 1. If it equals 2 it is a Type 2. I want to do this.

    If this reg key equals "1" then DO NOT have a Log Off option on the Start Button. The rest of the GPO would apply to all systems in the OU.

    So using Item Level Targeting, how is this done? I've Googled this a bit and found some good articles, but you seem to know GPOs at a deep level so I'd love to hear your method.

    Thank you.

     

    mqh7

    Friday, February 27, 2015 2:09 PM
  • Could you move the shared/kiosk systems into their own organizational unit and link the policy there? That's the cleaner option if you can do it. If you have to link the policy above systems that don't need it, they will still evaluate the filtering mechanism and you may see a significant impact on policy processing time, depending on the filter.

    born to learn!

    Friday, February 27, 2015 2:39 PM
  • We really want to avoid moving these machines into their own OU. You'd have to see our naming convention and OU structure to fully understand why. So I wanted to know if the item level targeting would work.


    mqh7

    Friday, February 27, 2015 2:47 PM
  • > If this reg key equals "1" then DO NOT have a Log Off option on the
    > Start Button.   The rest of the GPO would apply to all systems in the OU.
     
    Ok, here we are: First, have a look at
    sound related, but explains the technology used.
     
    Then identify the registry value that's responsible for "do not display
     
    Then deploy these registry values and set them to the ILT filtered value
    of your application (you can use temporary environment variables to
    store registry values found in ILT, and you can use these as the content
    of the value you are configuring).
     
    Or create 2 registry items, one "1" if your value is 1, the other "0"
    (or action "delete" - doesn't matter) if your value is 0 or not present.
     
    The key to this is that the system doesn't care which technology
    populates Policy registry values: ADM templates can do it, GPP
    Registry can do it, or a startup script, or SCCM, or fairies and
    dwarfs :)
     

    Martin

    Read a GOOD book about GPOs for once?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Friday, February 27, 2015 2:56 PM
  • Roger that. Best of luck to you.

    born to learn!

    Friday, February 27, 2015 4:46 PM
  • As an alternative, instead of applying the GPO to an OU, apply it to a security group instead? That way you can put the machine that should get that GPO in that group and leave the others out.

    We use similar methods to control when servers should be updated after installing patches. We have some restarting at 8am and others at 9pm to prevent the whole environment restarting at the same time and they all live in the same OU.

    Friday, February 27, 2015 5:01 PM
  • Thanks for the help. I still don't fully understand ILT. I've read about it but I still don't see and understand how it can apply to certain machines, and I still don't see the relationship of ILT settings to target machines. So I solved this in a way that made sense to me. I wrote a PowerShell script and kicked that off via the Logon section of my GPO. It checks for the reg value I want and, if present, disables the Log Off option on the Start menu. Yes, it does require the user to log off and back on to take effect, but that happens often enough in our environment that it's ok.


    mqh7

    Tuesday, March 03, 2015 2:35 PM
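A logon script of the kind described in the post above, and of the "startup script populates the Policy value" approach Martin mentions, added here as an illustration; it is not mqh7's script and not from the thread. The SSO key path and value name are placeholders (the thread never names them); the NoLogoff value under Policies\Explorer is the registry setting behind the "Remove Logoff on the Start Menu" user policy.

```powershell
# Assumed to run as a user logon script (User Configuration > Scripts > Logon).
# Placeholder SSO location: substitute the real key/value of your SSO product.
$ssoKey   = 'HKLM:\SOFTWARE\ExampleSSO'   # hypothetical
$ssoValue = 'InstallType'                  # hypothetical; 1 = standalone, 2 = shared/kiosk

# Registry value behind "Remove Logoff on the Start Menu" (per-user policy).
$policyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policyValue = 'NoLogoff'

function Get-SsoType {
    param([string]$Key, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop
        return [int]$item.$Name          # works for REG_DWORD and a numeric REG_SZ
    } catch {
        return $null                     # key or value missing: treat as "not present"
    }
}

function Set-LogoffVisibility {
    param([bool]$Hide)
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    if ($Hide) {
        # Type 1 machine: hide Log Off, same effect as the ADM policy being Enabled.
        New-ItemProperty -Path $policyKey -Name $policyValue -PropertyType DWord `
            -Value 1 -Force | Out-Null
    } else {
        # Type 2 or value absent: remove the value so the default (Log Off shown) returns.
        Remove-ItemProperty -Path $policyKey -Name $policyValue -ErrorAction SilentlyContinue
    }
}

$type = Get-SsoType -Key $ssoKey -Name $ssoValue
$hide = ($type -eq 1)
Set-LogoffVisibility -Hide $hide
Write-Output "SSO type=$type; $policyValue $(if ($hide) { 'set' } else { 'cleared' })"
```

Explorer reads this value at logon, which is why the change only shows after the next log off/on, as the post notes; it is a Start menu restriction, not a security boundary, since the HKCU value is writable by the user it applies to.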