Leveraging Group Policy Preferences Item-Level Targeting from “Downlevel” Group Policy
Recently I’ve had some conversations with folks about their irritation that “legacy” Group Policy settings such as Admin. Templates, Security Settings, Software Installation, etc. could not benefit from the fine-grained “Item-Level Targeting” (ILT) feature that is available with Group Policy Preferences settings. Most of us Group Policy MVPs have had this on our wish list for a while, and, understanding GP structure and internals the way I do, I realized that this would not be an easy fix for Microsoft to undertake. However, as a thought exercise, I sat down and came up with a way to achieve this basic goal with the existing technology. It might be considered a bit of a “hack”, and does introduce a bit more complexity, but if you are really looking for this capability for a particular use case, I frankly think it’s not a bad solution! So, here’s what I did:
My test scenario was as follows. I wanted to deliver some Restricted Groups policy to a test Win7 machine. This policy would simply add the “GPO Admins” AD global group to the local “Administrators” group on my test machines. I created two GPOs for this test. The first one, called RestrictedGroups-Test, delivered the restricted groups policy. It was linked to my test OU, which contained a Win7 and XP system. It also had a WMI Filter associated with it, with the following filter query:
Select * from Win32_Environment WHERE Name='ILT1' AND VariableValue='FileWin7'
This filter tested for an environment variable on the target system called ILT1 and for it to have a value of “FileWin7”.
I had a 2nd GPO, also linked to the same test OU. This GPO contained a single setting – a GP Preferences per-computer Environment variable setting that delivered – you guessed it – an environment variable called ILT1, if it met the ILT filter attached to that setting, which is shown below:
The ILT filter shown above tests that the OS is Windows 7 and that a particular file is present on that system in a particular path. But frankly, it could have been any ILT that tested for up to 26 different criteria supported by ILT. The point is that if the system that processes this GPO meets the ILT criteria, an environment variable called “ILT1” will be created on the system with its value set to “FileWin7”. Once this environment variable is in place, the RestrictedGroups-Test GPO, with its WMI filter looking for this environment variable, will pass once it applies and deliver the restricted groups settings. And, when it gets to my XP machine, it will simply fail to find that environment variable and will not apply.
And indeed, when I tested this, it worked as expected – the Win7 machine got the restricted groups policy and the XP machine did not. In your case, you might have to wait for a 2nd Group Policy update for the restricted groups policy to apply, because the first time through, the environment variable needs to be created before the restricted groups policy can apply. However, in my testing, I linked the GPO with the ILT filter higher in precedence than the restricted groups GPO on the OU and it appeared that the ILT filter and environment variable processed first and then the restricted groups policy was applied within the same cycle, so that was good!
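To check on a target machine what the WMI filter above would match, here is an added PowerShell example (not part of the original post) that runs the same query locally and lists the matching variables with their scope. The stricter `SystemVariable=TRUE` variant and the function name `Test-MarkerFilter` are assumptions added here: Win32_Environment returns per-user variables as well as machine ones, so the strict form only fits if the GPP item is configured as a system variable.

```powershell
# Added example, not from the original post. Run locally on a target machine.
# 'ILT1' and 'FileWin7' are the marker name and value used on the page.
$Name  = 'ILT1'
$Value = 'FileWin7'

# The page's WMI filter query, with straight quotes.
$pageQuery = "Select * from Win32_Environment WHERE Name='$Name' AND VariableValue='$Value'"

# Assumption (not on the page): stricter variant that accepts only machine-scope
# variables, because Win32_Environment also lists per-user variables.
$strictQuery = "$pageQuery AND SystemVariable=TRUE"

# Hypothetical helper name. Get-WmiObject is used so the script also runs on
# the Windows PowerShell 2.0 that ships with Windows 7.
function Test-MarkerFilter {
    param([Parameter(Mandatory = $true)][string]$Query)

    # A GPO WMI filter passes when its query returns at least one instance.
    $hits = @(Get-WmiObject -Namespace 'root\CIMv2' -Query $Query -ErrorAction Stop)

    New-Object PSObject -Property @{
        Query   = $Query
        Passes  = ($hits.Count -gt 0)
        Matches = @($hits | Select-Object Name, VariableValue, UserName, SystemVariable)
    }
}

$page   = Test-MarkerFilter -Query $pageQuery
$strict = Test-MarkerFilter -Query $strictQuery

"Page filter passes:   $($page.Passes)"
"Strict filter passes: $($strict.Passes)"

# UserName is '<SYSTEM>' for machine variables and an account name for user ones.
$page.Matches | Format-Table -AutoSize

if ($page.Passes -and -not $strict.Passes) {
    # The marker exists only in a user scope; review who owns it before relying on it.
    Write-Warning "'$Name' matched only as a user-scope variable; check the UserName column."
}
```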
So you might be asking at this point–why go to all this trouble to get ILT for “legacy” policy? Well, there are some things that ILT supports that are difficult to impossible to do with WMI filters. What I just did in this example scenario–testing for both OS and the presence of a particular file, can be challenging in WMI and, in the case of looking for a file, downright painful.
But this approach essentially proxies the ILT testing process into the environment variable, which is something that is easy to get at with WMI filters. You could imagine creating an “ILT GPO” that contains different named sets of test criteria that you’d like to use, and delivering different environment variables for each test criteria. And then, you can use those environment variables within your legacy GPOs to indirectly take advantage of ILT filtering!
Well, that’s today’s Epiphany Hack for Group Policy!
Would love to hear about folks that use this successfully! We’ll call it “gpoguy filtering”