During the development work we’ve been doing with Windows 7, one of the items we’ve been looking at is how we can filter the group policy applied to User Accounts by the operating system they are using.
The reason for this is that for a phased migration to Windows 7, you will probably need to account for people roaming between different computers – which may or may not have been migrated. As the configuration applied to Windows 7 may be very different to that applied to older Windows XP computers we need a way of linking both sets of policy to the user accounts, but only applying the right one for the current OS.
If you have all of your user accounts in a single OU (or OU hierarchy) this is relatively straight forward. The simple answer is to use Group Policy WMI filters. These allow you to filter the application of Group Policy based on the results of WMI queries you make of the computer. For example another good use of these is to detect whether a computer is a laptop or desktop, by querying the battery status you can easily set different configurations for things like Offline Folders on laptops.
After a bit of testing I found the following queries work for filtering policy to different OS levels, and computer roles:
Select * from Win32_OperatingSystem Where Version like “6.1%” and ProductType = “1”
To further filter policies based on versions and roles the following properties can be used:
To filter the by OS version, change the Version property to:
Windows 7 or Server 2008 R2 = “6.1%”
Windows Vista or Server 2008 = “6.0%”
Windows XP = “5.2%”
Windows 2000 = “5.0%”
To filter by the different roles the computer might have, change the ProductType property to:
Client = “1”
Server running a Domain Controller role = “2”
Member server (server that’s not a DC) = “3”
The % character in the above queries is a wildcard for any characters that follow, so you could therefore use Version Like “6%”to filter for OS’s which are Vista and later.
To apply the filters, you use the Group Policy Management Console (GPMC). In the WMI Filters section in the right hand pane, click right-click and select New. Then give a name and description, click Add then enter the filter into the Query box. Then click Ok and Save.
To apply the filter to a policy, select the policy in the right hand pane, then on the Scope tab under WMI Filtering select your filter.
There are a few limitations, like you can only apply one filter per Policy (but you can have more than one query per filter) and the Queries are a property of the policy not the link, but overall they’re a very powerful tool.