Group policies can only be linked to domains, sites, and OU’s. A single group policy may be linked multiple times, whether that is to hundreds of locations or none at all. The location in which a group policy object (or GPO) is linked determines the portion of the domain hierarchy where it has the possibility of being applied. After a GPO is linked in, it is filtered. A GPO is first filtered via security permissions, and then via WMI filters. Filtering via security permissions allows a more granular level of control. When a Group Policy Object is created, its default filtering is based off of the “Authenticated Users” group, which includes all users and computer accounts in the domain.
Example: A Group Policy object that is used for distributing an application (i.e. Remedy) may need to be linked high in the OU hierarchy so that it has the possibility of applying to users and groups throughout the University. However, since it is an application that is only used by support staff, you would not want the application to be available to everyone. So you would then use security filtering to filter on groups containing support staff or support machines.
Let’s assume that you have a couple servers in your organization that are extreeeeemely important. You don’t want anyone else’s changes effecting them. Active Directory has the ability to block group policy inheritance just for this reason. You can block inheritance by using the Group Policy Management Console, navigating to the Organizational Unit (OU) that you want blocked, right click on the OU, and select “Block Inheritance” from the context menu.
Be sure you understand the consequences of this before blocking group policy inheritance. Blocking inheritance stops ALL GPO’s from higher up in the OU hierarchy from applying to the users, computers and groups located within the blocked OU. Often it is the case that people end up not being able to login, or machines go off the network. That is why it is best practice to assign any new GPO’s before blocking inheritance.
Enforced (No override)
Well, lets assume you are the enterprise administrator of a domain, and one of the OU admins has blocked inheritance of some settings that you think are critical to be on all machines in the domain, no matter what. Well, a group policy can be set to “Enforced” (No Override in Windows 2000) to set it as un-blockable. You can set a GPO to be “Enforced” by using the Group Policy Management Console, navigating to the Group Policy Object (GPO) that you want enforced, right click on the GPO, and select “Enforced” from the context menu.
When determining which policies should be enforced, it is good to err on the side of allowing the most flexibility. Generally the only policies that are enforced are those that deal with Security. Enforcing too many Group Policies can limit the flexibility of Active Directory, and make it more difficult to delegate management.
Group Policy Objects may be applied to domains, sites, or organizational units, and are filtered primarily based off of group membership. You can also filter GPO application based off of information gathered via the Windows Management Interface (WMI). For example, you can create a WMI filter that runs only if the computer is an IBM or Dell, or if it has a given service pack installed, or even if a certain service is running.
Syntax: Select * FROM <WMI_CLASS> WHERE <WMI Property>=<value>
‘Applies if Windows Server 2003 Enterprise is the operating system.
Root\cimv2; SELECT * FROM Win32_OperatingSystem WHERE Caption = “Microsoft(R) Windows(R) Server 2003, Enterprise Edition”
‘Applies if the system is a Dell
Root\cimv2; SELECT * FROM Win32_ComputerSystem WHERE Manufacturer = “Dell Computer Corporation”
‘Applies if ADMINPAK.MSI has been installed.
Root\cimv2; SELECT * FROM Win32_Product WHERE name = “ADMINPAK”
‘Applies if there is 500MB+ (524,288,000 bytes) available on any drive.
Root\cimv2; SELECT * FROM Win32_LogicalDisk WHERE FreeSpace > 524288000 AND Description = “Local Fixed Disk”
‘Applies if eastern time zone, i.e., five hours behind UTC “Zulu” time.
Root\cimv2; SELECT * FROM win32_timezone WHERE bias =-300
‘Applies if Microsoft Office (any version) has been installed.
Root\cimv2; SELECT * FROM Win32_Product WHERE Caption LIKE “%Microsoft Office%”
‘Applies if patch KB819696 or KB828026 has been applied.
Root\cimv2; SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = “KB819696” OR HotFixID = “KB828026”