Filtering Group Policy to Windows 7 Computers

During the development work we’ve been doing with Windows 7, one of the items we’ve been looking at is how we can filter the group policy applied to User Accounts by the operating system they are using.

The reason for this is that for a phased migration to Windows 7, you will probably need to account for people roaming between different computers – which may or may not have been migrated.  As the configuration applied to Windows 7 may be very different to that applied to older Windows XP computers we need a way of linking both sets of policy to the user accounts, but only applying the right one for the current OS.

If you have all of your user accounts in a single OU (or OU hierarchy) this is relatively straightforward.  The simple answer is to use Group Policy WMI filters.  These allow you to filter the application of Group Policy based on the results of WMI queries you make of the computer.  Another good use of these is to detect whether a computer is a laptop or desktop: by querying the battery status you can easily set different configurations for things like Offline Folders on laptops.

After a bit of testing I found the following queries work for filtering policy to different OS levels, and computer roles:

Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"

To further filter policies based on versions and roles the following properties can be used:

Version
To filter by OS version, change the Version property to:

Windows 7 or Server 2008 R2 = "6.1%"
Windows Vista or Server 2008 = "6.0%"
Windows XP = "5.2%"
Windows 2000 = "5.0%"

Product Type
To filter by the different roles the computer might have, change the ProductType property to:

Client = "1"
Server running a Domain Controller role = "2"
Member server (server that’s not a DC) = "3"

The % character in the above queries is a wildcard for any characters that follow, so you could use Version Like "6%" to filter for OSes which are Vista and later.

To apply the filters, you use the Group Policy Management Console (GPMC).  In the WMI Filters section in the right hand pane, right-click and select New.  Then give a name and description, click Add, then enter the filter into the Query box.  Then click OK and Save.

To apply the filter to a policy, select the policy in the right hand pane, then on the Scope tab under WMI Filtering select your filter.

There are a few limitations: you can only apply one filter per policy (but you can have more than one query per filter), and the queries are a property of the policy, not the link. Overall, though, they’re a very powerful tool.
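
Before attaching a filter to a GPO, its queries can be run on one machine of each target type to confirm they match where expected. The script below is an added example, not part of the original post: it is written for Windows PowerShell (Get-WmiObject), and the function name Test-WmiFilter, the filter names and the Win32_Battery query used for the laptop check are assumptions. It treats a filter as matching only when every one of its queries returns at least one instance, and it flags the curly quotes that a query picks up when copied from a web page.

```powershell
# Added example: evaluate candidate GPO WMI filter queries on this computer.
# Test-WmiFilter and the filter names are hypothetical, not from the post.

$osQuery = 'SELECT Version, ProductType FROM Win32_OperatingSystem ' +
           'WHERE Version LIKE "6.1%" AND ProductType = "1"'

$filters = @{
    # One query: Windows 7 client operating system.
    'Windows 7 clients' = @($osQuery)
    # Two queries in one filter: Windows 7 client AND a battery present
    # (assumed form of the laptop check mentioned in the post).
    'Windows 7 laptops' = @($osQuery, 'SELECT * FROM Win32_Battery')
    # Wildcard on the major version only: Vista and later.
    'Vista and later'   = @('SELECT Version FROM Win32_OperatingSystem WHERE Version LIKE "6%"')
}

function Test-WmiFilter {
    param(
        [string[]]$Query,
        [string]$Namespace = 'root\CIMv2',
        [string]$ComputerName = '.'
    )
    foreach ($q in $Query) {
        # Typographic quotes are not valid WQL string delimiters.
        if ($q -match '[\u201C\u201D\u2018\u2019]') {
            Write-Warning "Typographic quotes in query: $q"
            return $false
        }
        try {
            $hits = @(Get-WmiObject -Query $q -Namespace $Namespace `
                        -ComputerName $ComputerName -ErrorAction Stop)
        } catch {
            # A query that cannot be parsed or run returns no instances.
            Write-Warning "Query failed: $q ($($_.Exception.Message))"
            return $false
        }
        # Every query in the filter must return at least one instance.
        if ($hits.Count -eq 0) { return $false }
    }
    return $true
}

foreach ($name in ($filters.Keys | Sort-Object)) {
    $applies = Test-WmiFilter -Query $filters[$name]
    New-Object PSObject -Property @{ Filter = $name; AppliesHere = $applies }
}
```

Run it on a migrated client, an unmigrated client and a server; a filter that reports AppliesHere as False on a machine means any settings in a GPO scoped by that filter would not reach it.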

7 Comments

  • 1 Ben

    Posted Oct 30, 2009 at 8:50 am

    Just wanted to let you know I read your post and that I appreciate the time you took to write it up. An idea I was thinking about to accomplish the same thing was using loopback policy processing and linking the user policies to an OU I've got setup for my Win7 machines. Just wondering what you thought and if you'd already tried this in your travels?

  • 2 Tom Basham

    Posted Nov 2, 2009 at 11:31 am

    Hi Ben,
    That would certainly work, though all your user configuration would then be applied via the computer objects, to some extent you'd lose the benefits of being able to use and filter user based policy. Using the WMI filters you can still have different XP and 7 policies but have the user accounts in the same OU.

    T

  • 3 Chaoren

    Posted Jan 6, 2010 at 5:50 pm

    Hi, excellent post there. Keep it up. I frankly like to read your blog. Last of all, have a good day.

  • 4 Aakash Shah

    Posted Feb 17, 2010 at 7:04 pm

    I'm curious, is it more efficient to say:

    SELECT Version, ProductType from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"

    instead of

    SELECT * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"

    Or, are they both pretty much the same in terms of delay?

    Thanks.

  • 5 Moo-Crumpus

    Posted Apr 22, 2010 at 1:56 pm

    select * is much more 'expensive' than select version, producttype. You should prefer

    SELECT Version, ProductType.

  • 6 an3k

    Posted Jun 17, 2010 at 9:54 am

    Windows XP is "5.1%", Windows Server 2003 is "5.2%"!

    see http://technet.microsoft.com/en-us/library/cc754488(WS.10).aspx

  • 7 Cjwdev

    Posted Jan 13, 2011 at 1:18 pm

    Thanks for posting this, we are just starting to roll out Windows 7 and it was a pain adding each Windows 7 user to an AD group just so that the Windows 7 GPOs would only apply to them.
