[gptalk] Re: Group Policy Scoping

  • From: "Nelson, Jamie R Contr 72 CS/SCBAF" <Jamie.Nelson.ctr@xxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 15 Oct 2007 16:38:43 -0500

You're correct in that #1 is sloppy, but it is really the only way to do
it unless you go to Windows XP/2003. Keep in mind that it is not just
the domain functional level that prevents you from utilizing WMI
filters. Windows 2000 completely ignores them even if your domain is
2003. So unless you upgrade everything, you're stuck with that option.
Upgrading may/may not be cost effective for your organization, however
keep in mind that you should have started phasing out Windows 2000 a
long time ago.

Depending on how many 2000 systems you have, you could put them all in
security group and use it to deny application of the GPO (via security
filtering) as long as that particular GPO applying to Windows 2000 was
not absolutely critical. If that is the case you can use the following
filter to differentiate between servers/workstations:

All Workstations -> SELECT FROM Win32_ComputerSystems WHERE DomainRole <
All Servers -> SELECT FROM Win32_ComputerSystems WHERE DomainRole > 1

I've never used it, but you can also look at the following solution to
employ WMI Filtering for Windows 2000 via alternate means.


Jamie Nelson

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Johnson, Matthew
Sent: Monday, October 15, 2007 4:06 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Group Policy Scoping

Our Domain structure is setup so that we have many departmental OU's and
one OU for Servers.  Each Dept. OU contains one OU for Computers and one
for Users.


We have GPOs linked to the root domain that apply to both workstations
and servers, but want to setup additional GPOs that apply to just
servers or just workstations.  GPOs for just Servers are easy because we
can link them to the Server OU.  The problem occurs when we want to
apply a GPO to just workstations.  We are running a Windows 2000 mixed
domain function level so we cannot use WMI filtering to specify what OS.


Here is what I've thought of so far.

1)      We could link the GPO to every Dept. OU but there is quite a few
and that seems sloppy and harder to manage.

2)      We could Block Inheritance on my Servers OU and link the
workstation GPOs to the root domain.  But then I would have to link the
common GPOs (GPOs that I want to apply to both servers and workstations)
to the Server OU also.

3)      We could just bite the bullet and upgrade to Windows 2003 domain
function level to enable WMI filtering


Does anyone have any suggestions?  How is everyone else doing this?


Thanks for any help.


Matthew Johnson


CONFIDENTIALITY STATEMENT: This electronic message contains information
from Fisher-Titus Medical Center and may be protected health information
or other confidential and privileged information under law.  The
information is intended to be for the use of the individual or entity
named above.  If you are not the intended recipient, be aware that any
disclosure, copying, distribution or use of the contents of this message
is prohibited. If you have received this electronic message in error,
please notify the sender immediately by reply e-mail or telephone at

You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/

Other related posts: