You're correct in that #1 is sloppy, but it is really the only way to do it unless you go to Windows XP/2003. Keep in mind that it is not just the domain functional level that prevents you from utilizing WMI filters. Windows 2000 completely ignores them even if your domain is 2003. So unless you upgrade everything, you're stuck with that option. Upgrading may/may not be cost effective for your organization, however keep in mind that you should have started phasing out Windows 2000 a long time ago. Depending on how many 2000 systems you have, you could put them all in security group and use it to deny application of the GPO (via security filtering) as long as that particular GPO applying to Windows 2000 was not absolutely critical. If that is the case you can use the following filter to differentiate between servers/workstations: All Workstations -> SELECT FROM Win32_ComputerSystems WHERE DomainRole < 2 All Servers -> SELECT FROM Win32_ComputerSystems WHERE DomainRole > 1 I've never used it, but you can also look at the following solution to employ WMI Filtering for Windows 2000 via alternate means. http://www.mml.ru/WMIF2K/ Regards, Jamie Nelson -----Original Message----- From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Johnson, Matthew Sent: Monday, October 15, 2007 4:06 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Group Policy Scoping Our Domain structure is setup so that we have many departmental OU's and one OU for Servers. Each Dept. OU contains one OU for Computers and one for Users. We have GPOs linked to the root domain that apply to both workstations and servers, but want to setup additional GPOs that apply to just servers or just workstations. GPOs for just Servers are easy because we can link them to the Server OU. The problem occurs when we want to apply a GPO to just workstations. We are running a Windows 2000 mixed domain function level so we cannot use WMI filtering to specify what OS. Here is what I've thought of so far. 1) We could link the GPO to every Dept. OU but there is quite a few and that seems sloppy and harder to manage. 2) We could Block Inheritance on my Servers OU and link the workstation GPOs to the root domain. But then I would have to link the common GPOs (GPOs that I want to apply to both servers and workstations) to the Server OU also. 3) We could just bite the bullet and upgrade to Windows 2003 domain function level to enable WMI filtering Does anyone have any suggestions? How is everyone else doing this? Thanks for any help. Matthew Johnson mjohnson@xxxxxxxx CONFIDENTIALITY STATEMENT: This electronic message contains information from Fisher-Titus Medical Center and may be protected health information or other confidential and privileged information under law. The information is intended to be for the use of the individual or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this message is prohibited. If you have received this electronic message in error, please notify the sender immediately by reply e-mail or telephone at 419/668-8101. *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************