Group Policy Preferences: Top 5 Item-Level Targeting Options
Technology can sometimes sneak up on you. Group Policy Preferences are a technology that has been around since 2000 (previously known as Desktop Standard Policy Maker) and incorporated in Windows Group Policy since 2007. However, I still find that the majority of Windows Active Directory and Group Policy administrators are not fully aware of the capabilities and functionality that Group Policy Preferences provide. Specifically, item-level targeting is a technology that many are not aware of, and if they are aware of it, they are not fully aware of how the technology works. Here, I am going to give you a listing of the top 5 Item-level Targeting options.
Location of ILT within GPP
ILT within GPP is referred to as a Common function… or at least is listed on that tab within a GPP. Remember, GPP is a suite of settings that sit under both the Computer Configuration and User Configuration portions within a GPO. If you pick any of the GPP settings, you will be able to configure an ILT to coincide with it.
To show you how to get to ILT, refer to Figure 1.
Figure 1: ILT check box and Configure button for a GPP.
ILT is not configured for any GPP settings by default. Also, ILT is not available for the entire GPO, just the settings that sit in the GPO. The main reason for this is the fact that the GPO itself might have other settings within it, which don’t understand ILT. (Only the GPP settings within a GPO understand ILT, the traditional settings that have been in the OS since 2000 don’t understand ILT.)
ILT is a game changer! There is no doubt about that. Looking at the ILT options opens up a whole new way of controlling which settings within the GPP apply to a computer… dynamically. The full list of ILT options can be seen in Figure 2.
Figure 2: ILT options for GPP.
The full list of ILT options includes those in Table 1.
ILT Option Setting
Battery Present Targeting
Computer Name Targeting
CPU Speed Targeting
Date Match Targeting
Disk Space Targeting
Environment Variable Targeting
File Match Targeting
IP Address Range Targeting
LDAP Query Targeting
MAC Address Range Targeting
MSI Query Targeting
Network Connection Targeting
Operating System Targeting
Organizational Unit Targeting
PCMCIA Present Targeting
Portable Computer Targeting
Processing Mode Targeting
Registry Match Targeting
Security Group Targeting
Terminal Session Targeting
Time Range Targeting
WMI Query Targeting
Table 1: ILT options for GPP
ILT Setting #1
Security Group – This option allows you to pick any Windows Active Directory security group (domain local, global, or universal) to use as a target.
Function – If the object that you are targeting (user or computer) is located in the security group listed, then the GPP setting will be applied. Since the group membership of the target object is based on the current session, the security group dynamic nature is limited to computers restarting/starting on and users logging off and back on… or just logging on initially.
Ideal GPP settings – This ILT option is one of the most flexible and useful of all ILT settings. Since this target focuses on group membership, it is typically used for the user environment such as shortcuts, Environment, Files, Network shares, Schedule Tasks, data sources, drive mappings, printers, and IE settings.
ILT Setting #2
IP Address Range – This setting is ideal for those organizations that want to utilize the work they have put into their network topology. Since IP address range is completely different than anything else in Active Directory (similar to sites, but still different), it provides another layer of control beyond what normal AD/GPO provides.
Function – If the current IP address of the target falls within the range specified, then the GPP setting will be applied. The key here is that this setting is dynamic, as the mobile device moves from one environment to another. With the IP address being a required setting to have the device function, it is ideal for dynamic configurations.
Ideal GPP settings – Since this setting controls which network the device is on, it is also ideal to control network/location aware settings. Some GPP settings would include Mapped drives, printers, shortcuts, Registry settings, Environment, Network shares, Schedule Tasks, data sources, and IE settings.
ILT Setting #3
Organizational unit – This setting is very powerful, as it allows for the GPO to be linked to the top of the Active Directory domain structure, and then only apply to objects that are within a specified location within an OU. This setting also allows for control over settings to be applied based on the OU structure design.
Function – If the user or computer resides in the OU which is configured by the ILT, the GPP setting will apply. As mentioned, this is ideal for ensuring that settings apply based on how the original/current OU design is structured. Without this option and control, the GPP setting would need to be integrated into the existing OU design structure, so that it only applied to the objects within the scope of where the GPO is linked.
Ideal GPP settings – This ILT setting is ideal for managing settings that need to be distributed to only certain users and computers within the organization, that might not be grouped into security groups together. This might be Registry settings, mapped drives, and printers.
ILT Setting #4
Registry Match – This setting is very flexible and can do things that no other ILT can do. Since nearly everything is written to the Registry in some way, this setting allows you to target a Registry entry, and then perform an action on it being there.
Function – If the Registry entry that you specify is existent (plus there are other toggles), then the GPP setting will be applied. With there, being a Registry GPP you can really do some damage in the Registry with this setting.
Ideal GPP settings – My favorite settings with this ILT option is to set drive mappings or printer mappings, however you can do nearly anything with it. You can use the Mapped drives, shortcuts, Registry settings, Environment, Network shares, Schedule Tasks, data sources, and IE settings.
ILT Setting #5
File Match – Like the Registry Match, nearly every installed application puts some file on your computer, so this can be leveraged.
Function – If the file you specify exists (plus there are other toggles), then the GPP setting will be applied. This does not need to be files that an application puts on, but it can be any file that exists on the computer.
Ideal GPP settings – This setting works well in conjunction with controlling the computer as a whole, such as IE, ODBC, etc. as well as configuring user profile settings such as Mapped drives, shortcuts, Registry settings, Environment, Network shares, Schedule Tasks, and IE settings.
ILT within GPP is extremely powerful! This is just a partial list to help you get started, as so many admins have not been using the ILT options. To use them to control desktops is about the most powerful and dynamic way I know. I always tell admins “to think outside the box”, so ideas will come when you least expect them. When I get questions around areas of control that GPP can manage, I always think of how to leverage ILT. ILT is powerful within GPP and many other Group Policy extension companies leverage ILT too, such as BeyondTrust, Specops, etc. It is an awesome management tool and you will love them when you get to using them!