Windows Server 2008 and Windows Vista : Altering Default GPO Processing and Inheritance (part 2) - Security Filtering, WMI Filters, Group Policy Preferences

9/19/2012 6:49:38 PM

Security Filtering

Security filtering is modification of the security permissions on the GPO itself. To receive the settings in a GPO, an object must have both the Read and Apply Group Policy permissions. You configure the permissions to establish security filtering per GPO in the details pane after you have selected the GPO in the Group Policy Management Console (GPMC). To access this security permission list box, follow these steps:

1.	Select the GPO under the Group Policy Objects node in the GPMC.
2.	In the details pane, select the Scope tab.
3.	To add a user or group to the security permission list, click Add in the Security Filtering section. To remove a user or group from the security permission list, click Remove in the Security Filtering section.

Warning

The inclusion of a user account or group account in the Security Filtering section does not mean that a user or computer will receive the settings in the GPO. An object must be both in the scope of management of a GPO and included in the Security Filtering list.

How It Works: Detailed Security Permissions on a GPO

When a user or group is configured with permission in the Security Filtering section of the Scope tab of a GPO, two permissions are actually configured for that object—Read and Apply Group Policy. To see this level of permission, you must use the Advanced permissions view of the GPO. To access the Advanced permissions view, click the Delegation tab, and then click Advanced, which displays the Security Settings dialog box, as shown in Figure 5 . Notice that the Authenticated Users group has both permissions; this is the default setting for all GPOs.

Figure 5. The Security Settings dialog box for a GPO displays the detailed permissions configured for security filtering and delegations.

WMI Filters

Windows Management Instrumentation (WMI) is a management technology that can query a computer to determine one or many attributes of the computer. For example, a WMI query can be created to determine the operating system of a computer or the hard disk space available on a computer hard drive.

A WMI filter consists of one or more queries and is associated with a GPO. The query returns either true or false. If the query returns true, the settings in the GPO where the WMI filter is linked will be applied. If the query returns false, the settings will not apply.

Note

WMI filters are not supported on operating systems earlier than Windows XP.

To configure a WMI filter, you must understand WMI query language. If you want to learn more about WMI query language, refer to the Windows Management Instrumentation Web site at http://msdn2.microsoft.com/en-us/library/aa286547.aspx and the WMI Classes page at http://msdn2.microsoft.com/en-us/library/aa394554.aspx.

To create a WMI filter and link it to a GPO, follow these steps:

1.	In the GPMC, expand the domain name node to expose the WMI Filters node.
2.	Right-click the WMI Filter node, and then click New. The New WMI Filter dialog box appears.
3.	Type a name in the Name box and a description in the Description box for the filter, and then click Add. The WMI Query dialog box appears.
4.	In the WMI Query dialog box, ensure that the namespace is root\CIMv2.
5.	Enter the WMI query in the Query box, and then click OK. Here is an example: Code View: Scroll / Show All Select * from Win32_LogicalDisk where FreeSpace > 104857600 AND Caption = "C:"
6.	Click Save to save the filter and close the New WMI Filter dialog box.
7.	In the GPMC, click the GPO to which you want to link the WMI filter.
8.	Select the Scope tab in the details pane.
9.	From the drop-down list in the WMI Filtering section, click the WMI filter that you just created, as shown previously in Figure 6. Figure 6. WMI Filters are linked to GPOs in the GPMC on the Scope tab in the WMI Filtering section.
10.	A Group Policy Management dialog box appears asking if you want to change the WMI filter to the WMI you have selected. Click Yes.

Group Policy Preferences

The only option that can alter default GPO processing at the GPO setting level is related to Group Policy Preferences settings. The technology that makes this possible is item-level targeting. Item-level targeting allows for one or more decision criteria to be configured to ensure that the settings apply to the correct computers and users. There are over 25 item-level targeting criteria, as shown in Figure 7.

Figure 7. Group Policy Preferences provide item-level targeting to ensure that GPO settings apply to the correct users and computers.

Windows Server 2008 and Windows Vista : Altering Default GPO Processing and Inheritance (part 1) - Block Policy Inheritance, Enforce

Other

Windows Server 2008 and Windows Vista : Group Policy Processing - Version Checking During Updates

Windows 7 : Syncing with Network Files (part 2) - Dealing with Conflict

Windows 7 : Syncing with Network Files (part 1) - Using Sync Center, Settings for offline files

Windows Vista : Deploying Applications - Choosing a Deployment Strategy

Windows Vista : Deploying Applications - Planning Deployment

Windows Server 2003 : Active Directory - Understanding Directory Replication (part 3) - Spanning Trees and Site Links

Windows Server 2003 : Active Directory - Understanding Directory Replication (part 2) - Update Sequence Numbers

Windows Server 2003 : Active Directory - Understanding Directory Replication (part 1) - Time Synchronization, Replication Topologies, Handling Update Conflicts

Windows Server 2003 : Active Directory - Understanding Operations Master Roles

Windows Vista : Customizing Windows PE Boot Images (part 3) - Working with OSCDImg, Working with vLite