Remember that computer accounts are also affected by GPOs. So if the GPO you're filtering
contains computer settings, you must add a group containing the computer accounts that
should be subject to the GPO's policies.
Another way to use security filtering is to edit the GPO's DACL directly. This method is
often easier when the GPO must be applied to many users and/or computers with just a few
exceptions. In GPMC, click the GPO in the Group Policy Objects folder, and click the Delegation
tab in the right pane to see the complete list of ACEs for the GPO, as in Figure 7-14. You can
add security principals to the DACL or click the Advanced button to open the Advanced Security
Settings dialog box you have used with other Active Directory objects.
Figure 7-14 The Delegation tab for a GPO
By using the Advanced Security Settings dialog box, you can assign Deny permissions as well
as Allow permissions. Assigning the Deny Read permission, for example, enables you to create
exceptions to normal GPO processing. You can add a single user or computer account or a group
to the DACL and prevent these security principals from being affected by the GPO.
For example, you have a GPO configuring some Internet Explorer settings in the Computer
Configuration node that restricts access to advanced features. You have more than 500 computer
accounts in different OUs, so you want to link the GPO to the domain so that it affects all
computers in the domain. However, you have a dozen or so power users whose computers you want
to exempt from these policies. You can create a group, add the power users' computers as
members, add the group to the GPO's DACL, and then configure Deny Read permission.
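Deny entries like the one above exempt accounts from a GPO, so they are worth reviewing periodically. The following read-only audit is an added example, not part of the original text: it lists every Deny ACE on every GPO in the current domain and expands groups to show which accounts are exempted. The function name Get-GpoDenyAce is hypothetical, and the script assumes the GroupPolicy and ActiveDirectory RSAT modules on a domain-joined machine.

```powershell
# Added example (not from the original text). Read-only audit; changes nothing.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules are installed.
# Get-GpoDenyAce is a hypothetical helper name.
Import-Module GroupPolicy, ActiveDirectory

function Get-GpoDenyAce {
    foreach ($gpo in Get-GPO -All) {
        # Gpo.Path is the distinguished name of the GPO's container in AD;
        # its DACL is what the Delegation tab and Advanced dialog display.
        $acl = Get-Acl -Path "AD:\$($gpo.Path)"

        foreach ($ace in $acl.Access | Where-Object AccessControlType -eq 'Deny') {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value

            # Expand groups so the report shows which accounts are exempted.
            $members = @()
            $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -ErrorAction SilentlyContinue
            if ($obj -and $obj.ObjectClass -eq 'group') {
                $members = @(Get-ADGroupMember -Identity $sid -Recursive |
                    Select-Object -ExpandProperty SamAccountName)
            }

            [pscustomobject]@{
                Gpo       = $gpo.DisplayName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
                Members   = $members -join ', '
            }
        }
    }
}

Get-GpoDenyAce | Sort-Object Gpo, Principal | Format-Table -AutoSize -Wrap
```

An unexpected principal or group member in this report means an account is not receiving a policy that the GPO's link would otherwise apply to it.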
The second type of filtering is WMI filtering. Windows Management Instrumentation
(WMI) is a Windows technology for gathering management information about computers, such
as the hardware platform, the OS version, available disk space, and so on. WMI filtering uses
queries to select a group of computers based on certain attributes, and then applies or doesn't
apply policies based on the query's results. You need to have a solid understanding of the
complex WMI query language before you can create WMI filters. Here's an example of using one to
select only computers running Windows XP Professional:
Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"
 