Group Policy Preferences: Understanding and Implementing Item – Level Targeting

Introduction

First off, if you have not taken the plunge into the implementation of Group Policy Preferences, it is about time that you do! This new and free technology provided by Microsoft is a powerful solution that gives administrators near ultimate control over desktops and servers. To see how to install Group Policy Preferences on your environment, kindly refer to my previous article on WindowsNetworking.com. Once you have that part down, you will want to take your configuration to the next level, and the next level is Item-Level Targeting. With Item-Level Targeting you have over 25 different methods and options to control your Group Policy Preference applications. If that is not enough, Item-Level Targeting is dynamic, determining whether or not the current computer configuration matches the Item-Level Targeting regulations, if not, the policy setting will disappear!

Where Do I Find Item-Level Targeting?

Item-Level Targeting is only available for Group Policy Preferences. That is far from ideal, but with over 3000 Group Policy Preferences settings, it is not that much of a limiting factor. Since Item-Level Targeting is a feature of Group Policy Preferences, you will find Item-Level Targeting under the Group Policy Preferences settings within the Group Policy Management Editor. All of the Group Policy Preferences settings have Item-Level Targeting, so once you find it for one Group Policy Preference setting, you can find it for any of them.

To get to the Item-Level Targeting, first open up the Group Policy Management Console on a Windows Server 2008 or Windows Vista SP1 computer. Then, create and edit a GPO. You will see a top level node system that consists of Computer Configuration and User Configuration. Under each of these nodes you will see Policies and Preferences. The Preferences nodes contain all of the Group Policy Preferences settings that you can configure. Next, expand the Preferences\Windows Settings node under the User Configuration node. Here you will see a laundry list of setting categories. I will show you the Item-Level Targeting under the Shortcuts node, so right-click on the Shortcuts node and select New\Shortcut.

This should open up the Shortcut Property sheet. You will need to fill out the information on this front tab to get to the Item-Level Targeting, so go ahead and fill out the Shortcut Property page to look like Figure 1.


Figure 1: Shortcut Group Policy Preferences allows you to create shortcuts for target users or computers

Now that the initial tab is completed, you can select the Common tab. Under the Common Tab you will see the check box for Item-Level Targeting. If you click on the check box and then click the Targeting button, the Targeting Editor opens (Figure 2).


Figure 2: Each Group Policy Preferences can include Item-Level Targeting

What Can Item-Level Targeting Really Do?

The true power of Item-Level Targeting is hidden in the specific targets which are possible. I always ask my classes and attendees; “How do YOU want to control desktops and servers”. Item-Level Targeting can handle the control of desktops very efficiently. So, what exactly can Item-Level Targeting do when it comes to controlling desktops and servers, considering the Group Policy Preferences that are configuring them?

Consider these scenarios:

  • Printers are configured for laptop users based on the branch office (IP address range or AD site) that they boot up into. When the laptop leaves the branch office, the printers are removed and new ones are created at the next location they boot up into.
  • Drive mappings are dynamically configured based on the current desktop state. This could be an application (EXE being installed), a Registry value being configured (maybe even a Hotfix installed), or a specific user having membership in a specific group (Joe from HR is logged in so he should get the H: drive mapped to the Benefits data on Server4).
  • Power consumption will be tailored to reflect usability. Settings could be applied so that a computer never goes into power save mode during working hours, but would do so immediately after. This way, the computer will be configured to save about $50 per PC/per year.
  • You can now “flag” laptops as being laptops and “desktops” as being desktops using variables. Then, you can use these variables to set other security, configuration, and system settings.



All of these are accomplished by the set of targeting options that are available in the Targeting Editor, which can be seen in Figure 3.


Figure 3: The Targeting Editor allows you to pick from one of the 25+ targets to control whether the Group Policy Preferences setting applies or not

Every How Often Does Item-Level Targeting Evaluate?

As we all know, Group Policy has a background refresh that occurs every 90 minutes, plus or minus 30 minutes. So, in essence, Group Policy is constantly evaluating, since there are new Group Policy settings applied every hour and a half. With normal Group Policy settings, if there are no new settings, then no policy will apply.

Item-Level Targeting is not at all like this! Instead, at each background refresh Item-Level Targeting is evaluating whether or not the current state of the computer should apply or remove settings that are associated with the Item-Level Targeting. This creates a very dynamic and controlled environment.

Note:
In order for Group Policy Preferences settings to be removed when the target computer no longer meets the targeting criteria, you will need to enable the “Remove this item when it is no longer applied” check box on the Common tab for the Group Policy Preferences setting. If this check box is not enabled, then the Group Policy Preferences setting will continue to apply to the computer, just like the old “tattooing settings” used to, and still do.

Summary

Item-Level Targeting is free, available, proven, and ready to use today in your environment. I know that I may sounding like a broken record or a cheesy sales person, but it is all true. Group Policy Preferences and Item-Level Targeting have been around for a long time and now that you can get Group Policy Preferences for free (and have it supported in Windows XP SP2 and Windows Server 2003 SP1) you can take full advantage of the control that you get with Item-Level Targeting. Remember that every Group Policy Preferences setting has Item-Level Targeting associated with it. This means that you can control every Group Policy Preferences setting with a finite targeting system, which can apply or remove the setting every 90 minutes. The options and scenarios are stunning, as I am sure you will be able to come up with some scenarios that meet your environment needs. If you want more ideas on how to deploy and implement Group Policy Preferences and Item-Level Targeting, please see the chapter in my book, “The Group Policy Resource Kit”, titled; Group Policy Preferences.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top