I find that many administrators lack the time to use more technologies that are available to them due to their busy routines. With that said, I wanted to ensure that more sophisticated solutions, such as one posted recently by another Group Policy MVP (and good friend), Darren Mar-Elia, could be leveraged by everyone. In this article, I will give the background requirements and steps required to take full advantage of the powerful solution that Darren provides in his article, which is listed below. In a nut shell, there is an amazing technology built into Group Policy Preferences called Item-Level-Targeting (ILT). The options in ILT provide very granular control of how policy settings are deployed to targets based on a dynamic inquiry of the target before the policy is applied. The only limitation with ILT is that it is only valid for Group Policy Preferences, and not for any of the other (often referred to as legacy) Group Policy settings. Using a combination of technologies including WMI queries, you can tag laptops, desktops, tablets, OS versions running, applications present, etc., and then deploy other Group Policy settings to ONLY those computers that you desire, based on the tag.
Leveraging Group Policy Preferences
In order to take advantage of Group Policy Preferences, you need to ensure that you have all of the correct components in place. There are two portions of a Group Policy extension, such as Group Policy Preferences, which need to be in place before you can leverage the technology.
First, you must have the correct Group Policy Editor available to you. The Group Policy Editor is not a standalone tool, but is rather a tool that comes with the Group Policy Management Console (GPMC). There are two versions of the GPMC available and you need to obtain the latest and greatest one. The older GPMC runs on Windows XP, Windows Server 2003, and Windows Vista (pre-SP1). This GPMC will not work for what you need to accomplish with setting up Group Policy Preferences. The version that you want will run on Windows Vista SP1 (and greater), Windows Server 2008, Windows 7, and Windows Server 2008 R2. The GPMC comes with the server OS, but you will need to download the RSAT (Remote Server Administrative Tools) to get the GPMC to run on a desktop computer.
In order to get the RSAT and GPMC running, go here.
Second, you need to ensure the Client Side Extension (CSE) for Group Policy Preferences is installed. Refer to Table 1 for support of the Group Policy Preference CSE.
Installed by Default
Where to Obtain CSE
N/A (does not work on 2000)
Windows Server 2003
Windows Vista / SP1
Windows Server 2008
Windows Server 2008 R2
Table 1: CSE matrix for Group Policy Preferences
Tagging Computers Using Group Policy Preferences Environment Policy
Now that you have Group Policy Preferences ready to go, you just need to configure the correct policy to tag your computers. Tagging of computers will be done by placing an environment variable in Group Policy Preferences. You can find this setting under Computer Configuration\Preferences\Windows settings\Environment, as shown in Figure 1.
Figure 1: Environment policy in Group Policy Editor.
In order to configure the policy, right-click the Environment node and select New – Environment Variable. This will launch the New Environment Properties dialog box, as shown in Figure 2.
Figure 2: New Environment Properties dialog box.
You can leave the default settings, just type in a Name and Value for your new variable. For example, you can tag all computers that are running Windows 7 32-bit. This might be a variable name such as, WindowsOS and give it a Value of Windows7_32.
The variable name and value are just the first step in tagging your computer. The second step is to “target” the Windows 7 32-bit computers with an ILT. ILT is a function of every Group Policy Preference and is found under the Common tab of the Properties dialog box. Once on the Common tab, you will just click on the Item-level targeting check box, and then click on the Targeting button, as shown in Figure 3.
Figure 3: Item-level targeting is configured on the Common tab of each Group Policy Preference policy.
Click the Targeting button to load the Targeting Editor. The Targeting Editor allows you to define (tag) which computers will receive your variable. Since we have made a simple selection of only Windows 7 32-bit computers, we will just select this criterion. To select this criterion, click New Item, then select the Operating System. Since there are multiple Windows 7 32-bit versions, in our example we select all 32-bit versions as shown in Figure 4.
Figure 4: ILT which defines that we are targeting all Windows 7 32-bit versions.
You can see in Figure 4 that there are also 64-bit versions of Windows 7, but we have not selected these. The top pane of Figure 4 clearly shows that all 3 Windows 7 32-bit versions have been selected, but no 64-bit versions. Also be sure to make each entry an “OR”, by changing the default “AND” to an “OR” by using the Item Options feature.
To verify that this variable is now configured on your Windows 7 computers after Group Policy refreshes, you can use the System Information tool, which is shown in Figure 5.
Figure 5: System Information tool shows you the current environment variables.
Leveraging Environment Variable Using Legacy Group Policy Settings
Now, that our Windows 7 32-bit computer has a variable configured we can use a WMI filter to query the variable, then apply an older (non ILT supported) policy to only these computers which have the WindowsOS variable set to Windows7_32.
First, we need to create a WMI filter. This is an easy task and can be accomplished by right-clicking on the WMI Filters node in the GPMC and selecting New. Then type the following text and give your WMI filter a name (the result is shown in Figure 6).
Select * FROM Win32_Environment WHERE Name=’WindowsOS’ AND VariableValue=’Windows7_32’
Figure 6: WMI Filter to query the WindowsOS variable looking for a value of Windows7_32.
Be sure to type the string directly into the GUI for the filter, as copying and pasting from Notepad or other will cause problems.
Linking WMI Filter to GPO
Now, that we have our WMI Filter created, we simply need to link it to a GPO within the GPMC. Of course, the key is that the filter will restrict which computers the settings in the GPO will apply to. To link the WMI filter to the GPO, you will need to be in the GPMC and have the GPO you are working with highlighted. Then click on the WMI Filtering drop down list, which is on the right pane. You should see the WMI filter you created above. Select it and you are done.
Final Note on Application of the GPO using WMI Filters
Some GPO settings take a few “reboots” to see the result. For this setting, you will need to have the WMI filter apply, which is for the computer. Then you need the setting to “show up” for when a user logs in. This might take a reboot and then a user needs to log off and back on. In the end, if you have the computer in the correct OU, the GPO linked to that OU, the correct syntax for the WMI filter, and the filter linked to the GPO… you will see the result you desire!
Also, you can use WMI to query for 32 vs 64 bit computers, but the key here is that I am showing you how to leverage “tagging” a system, which can be used for nearly any of the ILT options. OS seemed to make the most sense for the example.
Although these steps are not at all that complicated, there are many moving parts. If you follow these steps and guidelines, you will be able to leverage the new ILT settings in Group Policy Preferences with the older GPO settings. Nearly any setting that is listed under the Software Settings, Windows Settings, and Administrative Templates can be used with this type of control using a WMI Filter. Give it a shot and see how you can leverage new technology with old settings. Darren’s original blog post is found here, where you can get even more examples on how to leverage this technology.