  • Foundation Network Companion Guide: Deploying Group Policy by Using Membership Groups




    Date: 26.03.2020

    Group Policy deployment components


    The components include:

    Domain controller: AD-DNS-01


    The domain controller is a computer running Windows Server 2008 and Active Directory Domain Services (AD DS). The illustration shows a domain controller named AD-DNS-01 configured in the example.com forest and domain.

    Group Policy: GPO_Membership


    Group Policy is configured in AD DS on the domain controller. You create one or more GPOs that are associated with the membership group and configure the settings required by the set of computers that must receive each GPO. For example, you can create a GPO named GPO_Membership, as shown in the illustration.

    WMI Filters


    Windows Management Instrumentation (WMI) filters allow a GPO to query the computer for conditions that must be true for the GPO to apply. In this guide, WMI filters are used to query for the version of Windows to ensure that only a GPO designed for that version will apply.

    Note

    Windows 2000 does not support WMI filters; a computer running Windows 2000 processes any GPO that is in its scope, even if the GPO has a WMI filter that explicitly excludes Windows 2000. For this reason, add computers running Windows 2000 to an exception group, as discussed in the following section.


    Membership group: GRP_Membership


    The membership group contains the user or computer accounts that will receive one of the GPOs associated with the group. The choice of GPO depends on the WMI filters used for checking the version of Windows and any membership in an exception group. For example, you can create a group named GRP_Membership, as shown in the illustration.

    Exception group: GRP_Exception


    The exception group contains the user or computer accounts that might be in the membership group, but must not be allowed to apply a particular membership GPO. Exception groups are assigned deny permissions on the membership GPOs. For example, you can create a group named GRP_Exception, as shown in the illustration.

    Exception groups are used for the following reasons:

    • When a computer or user is in two membership groups but must apply only one of the two GPOs. You use one of the membership groups as if it were an exception group for the GPOs that pertain to the other membership group. For example, consider membership groups Group A and Group B, each with a GPO, GPO A and GPO B. Only one of the GPOs must apply to any computer. Members of Group B must receive only GPO B, even if they are also members of Group A. To do this, treat the Group B membership group as an exception group for Group A. On GPO A, deny Apply Group Policy permissions to Group B. Because deny permissions override allow permissions, members of Group B will only be allowed to apply GPO B.

    • When a WMI filter cannot be used. For example, computers that are running Windows 2000 cannot process WMI filters, and apply all GPOs that are in scope and for which they have permissions to apply. Placing a group with all computers that run Windows 2000 into the exception group for a GPO prevents them from applying the GPO.


    Group Policy deployment process


    The process for configuring Group Policy based on a membership group occurs in these stages:

    1. Create the membership group in AD DS.

    2. Create the exception group in AD DS.

    3. Create the GPOs, one for each version of Windows that requires different settings to achieve the desired configuration. Remember that often you can copy a GPO for one version of Windows to serve as a starting point for another version. This can save a lot of time if your GPOs contain a large number of settings. For example, Windows Vista and Windows Server 2008 support almost the same collection of settings. You could create the GPO for Windows Vista, configure it, and then make a copy of it for Windows Server 2008. Then you only need to change the few settings that are different between Windows Vista and Windows Server 2008.

    4. Create the WMI filters that allow you to distinguish between different versions of Windows. In theory, you could have five GPOs for a single membership group, one each for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Each GPO must have a WMI filter that prevents it from being applied to any version of Windows except the one for which it is designed.

    Note

    In the case of Windows 2000, the WMI filter on the GPO for Windows 2000 prevents later versions of Windows from applying the GPO. To prevent a computer that runs Windows 2000 from applying the GPOs for later versions of Windows, you must create an exception group containing the Windows 2000 computers. You then deny Read and Apply Group Policy permissions to that group on all of the GPOs for later versions of Windows.

    5. Grant Read and Apply Group Policy permissions on the GPOs to the membership group. Remove the default entry for Authenticated Users. Deny Read and Apply Group Policy permissions to the exception group. Assign the corresponding WMI filter to each GPO.

    Important

    If you have membership groups in which a computer might be a member of more than one membership group, and only one of the GPOs must be applied, then treat one of the membership groups as an exception group for the other.

    6. Link the GPOs to the domain container to make them visible to all of the computers in the domain. The security group and WMI filters limit their application to only the specified set of computers.

    7. Add a small number of test computers to the membership and exception groups. Refresh Group Policy on the test computers and make sure that each receives the correct GPO and applies the correct settings.

    8. After testing is complete, add the production computers to the membership and exception groups.

    Group Policy Deployment Planning


    Before you deploy Group Policy, you must plan the membership and exception groups.

    Planning the membership and exception groups


    There is one membership group for each set of GPOs that contain configuration data for your client computers and users. Adding a user or computer account to the group enables that user or computer to read and apply all of the GPOs associated with the group.

    To limit the user or computer to only one GPO of the several that might be associated with the membership group, create and assign WMI filters to each GPO. A WMI filter is evaluated to determine if a GPO should be applied to the user or computer. For example, the WMI filters described in this guide contain information about the version of the Windows operating system. For more information about creating WMI filters, see WMI Filtering Using GPMC (http://go.microsoft.com/fwlink/?linkid=93188).

    If there are some computers in the membership group that should not apply the GPO, then you can create an exception group that is denied permission to apply the GPO. Because deny permissions override allow permissions, a user or computer that is a member of both groups will not apply the GPO.

    For example, exception groups are used when a membership group includes computers that are running Windows 2000. That version of Windows cannot process WMI filters and applies any GPO to which it has permissions, even when the assigned WMI filter explicitly prohibits it. For this reason, you should create an exception group that contains the computer accounts of all computers running Windows 2000 and deny this group Read and Apply Group Policy permissions to the GPOs for other versions of Windows.


    Planning domain access


    To log on to the domain, the computer must be a domain member computer and the user account must be created in AD DS before the logon attempt.

    For more information, see the "Joining Computers to the Domain and Logging On" topic in the Windows Server 2008 Foundation Network Guide in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106051).


    Group Policy Deployment


    Follow these steps to create Group Policy by using a membership group.

    Create the Membership Groups

    Create the Exception Groups

    Create the Group Policy Objects for Each Version of Windows

    Create the WMI Filters

    Apply Security Group Filters and WMI Filters to the GPOs

    Link the GPOs to the Domain

    Add Computers to the Exception Groups

    Add Test Computers to the Membership Groups

    Add Production Computers to the Membership Groups



    Note

    The procedures in this guide do not explicitly mention the display of the User Account Control dialog box. If this dialog box appears in response to your actions while you are performing the procedures in this guide, click Continue.


    Create the Membership Groups


    Use this procedure to create the membership group that you will later associate with the GPOs.

    Membership in Domain Admins is the minimum required to complete this procedure.



    To create a membership group

    1. Log on to your domain controller as a member of the Domain Admins group.

    2. Click Start, and then click Server Manager.

    The Server Manager console opens.

    3. In the navigation pane, expand Roles, expand Active Directory Domain Services, expand Active Directory Users and Computers, and then expand your domain. For example, if your domain is named example.com, then expand example.com.

    4. Right-click Computers, click New, and then click Group.

    5. In the New Object – Group dialog box, in Group name, type a name for the group, and then click OK.




    Create the Exception Groups


    Use this procedure to create an exception group. Members of this group are prevented from applying a GPO.

    Membership in Domain Admins is the minimum required to complete this procedure.



    To create an exception group

    1. Log on to your domain controller as a member of the Domain Admins group.

    2. Click Start, and then click Server Manager.

    The Server Manager console opens.

    3. In the navigation pane, expand Roles, expand Active Directory Domain Services, expand Active Directory Users and Computers, and then expand your domain.

    4. Right-click Computers, click New, and then click Group.

    5. In the New Object – Group dialog box, in Group name, type a name for the group, and then click OK.




    Create the Group Policy Objects for Each Version of Windows


    Use this procedure to create the GPOs. Create one GPO for each version of Windows that requires different settings to achieve the desired configuration.

    Membership in Domain Admins is the minimum required to complete this procedure.



    To create the GPOs

    1. Log on to your domain controller as a member of the Domain Admins group.

    2. Click Start, and then click Server Manager.

    The Server Manager console opens.

    3. In the navigation pane, expand Features, expand Group Policy Management, expand Forest: your forest name, expand Domains, expand your domain, and then click Group Policy Objects.

    4. Click Action, and then click New.

    5. In the New GPO dialog box, in Name, type the name of the GPO. Use a name that indicates both the function and the target group (for example, GPO_FunctionA_W2K8). Click OK to save your GPO.

    6. Repeat step 5 for each of the other versions of Windows supported by the membership group (GPO_FunctionA_Vista, GPO_FunctionA_W2K3, GPO_FunctionA_XP, and GPO_FunctionA_W2K).



    Create the WMI Filters


    Use this procedure to create the WMI filters that are used to restrict the application of a GPO to the computers in the membership group that are running the version of Windows for which the GPO is intended.

    Membership in Domain Admins is the minimum required to complete this procedure.



    To create the WMI filters

    1. Log on to your domain controller as a member of the Domain Admins group.

    2. Click Start, and then click Server Manager.

    The Server Manager console opens.

    3. In the navigation pane, expand Features, expand Group Policy Management, expand Forest: your forest name, expand Domains, expand your domain, and then click WMI Filters.

    4. Click Action, and then click New.

    5. In the New WMI Filter dialog box, in Name, type the name of the filter. Use a name that indicates the target group (for example, Windows Server 2008).

    6. In Description, type the purpose of the filter.

    7. Click Add.

    The WMI Query dialog box appears.

    8. In Query, type the WMI Query Language (WQL) string that returns TRUE when applied to the correct version of Windows. For example, for Windows Server 2008 type:

    select * from Win32_OperatingSystem where Version like "6.0%" and ProductType = "3"

    Both Windows Server 2008 and Windows Vista return version numbers that begin with 6.0. To differentiate between the client and server versions, include the clause to check the ProductType field. This value returns 1 for client versions of Windows such as Windows Vista, 2 for server versions of Windows operating as domain controllers, and 3 for server versions of Windows that are not operating as domain controllers.

    9. Repeat step 8 for each of the other versions of Windows. The following table shows sample query statements for each version.


    WMI Filter Name: Windows Vista
    WQL Query Statement: select * from Win32_OperatingSystem where Version like "6.0%" and ProductType = "1"

    WMI Filter Name: Windows Server 2003
    WQL Query Statement: select * from Win32_OperatingSystem where Version like "5.2%" and ProductType = "3"

    WMI Filter Name: Windows XP
    WQL Query Statement: select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%") and ProductType = "1"

    WMI Filter Name: Windows 2000
    WQL Query Statement: select * from Win32_OperatingSystem where Version like "5.0%"

    Note

    The filter for Windows 2000 is used to prevent computers that are running later versions of Windows from applying the GPO. You cannot use a WMI filter to apply a GPO to computers that are running Windows 2000 because that version of the operating system does not support WMI filters.

    You can also create combination filters when required by your design. The following table shows query statements for common operating system combinations.


    WMI Filter Name: Windows Vista and Windows Server 2008
    WQL Query Statement: select * from Win32_OperatingSystem where Version like "6.0%" and ProductType <> "2"

    WMI Filter Name: Windows Server 2003 and Windows Server 2008
    WQL Query Statement: select * from Win32_OperatingSystem where (Version like "5.2%" or Version like "6.0%") and ProductType = "3"

    WMI Filter Name: Windows 2000, Windows XP and Windows Server 2003
    WQL Query Statement: select * from Win32_OperatingSystem where Version like "5.%" and ProductType <> "2"
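    The queries above can be exercised before any GPO depends on them. The following PowerShell is an added example, not part of this guide or of Microsoft's tooling: it evaluates each single-version query on the local computer, so you can confirm that exactly one of them matches a representative test machine (and that a domain controller, ProductType 2, matches none), and it creates the filters as msWMI-Som objects in Active Directory. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT and later; the Windows Server 2008 domain controller in this guide does not ship it), Domain Admin rights, and the encoding GPMC uses for the msWMI-Parm2 attribute; the function names are the example's own.

```powershell
# Added example, not from the guide. Requires the ActiveDirectory module
# (Windows Server 2008 R2 / RSAT or later) for New-GuideWmiFilter only.
Import-Module ActiveDirectory

# The guide's single-version filter table. WQL needs straight double quotes.
$filters = @{
    'Windows Server 2008' = 'select * from Win32_OperatingSystem where Version like "6.0%" and ProductType = "3"'
    'Windows Vista'       = 'select * from Win32_OperatingSystem where Version like "6.0%" and ProductType = "1"'
    'Windows Server 2003' = 'select * from Win32_OperatingSystem where Version like "5.2%" and ProductType = "3"'
    'Windows XP'          = 'select * from Win32_OperatingSystem where (Version like "5.1%" or Version like "5.2%") and ProductType = "1"'
    'Windows 2000'        = 'select * from Win32_OperatingSystem where Version like "5.0%"'
}

function Test-WmiFilterLocally {
    # Runs every query against the local WMI repository, exactly as the Group
    # Policy client does, and returns the names of the filters that match.
    param([hashtable]$Filters)
    $os = Get-WmiObject Win32_OperatingSystem
    Write-Host ("Local OS: Version={0} ProductType={1}" -f $os.Version, $os.ProductType)
    $matched = @()
    foreach ($name in $Filters.Keys) {
        # A GPO carrying this filter applies here only if the query returns a row.
        $hit = [bool](Get-WmiObject -Query $Filters[$name])
        Write-Host ("{0,-22} {1}" -f $name, $(if ($hit) { 'MATCH' } else { 'no match' }))
        if ($hit) { $matched += $name }
    }
    if ($matched.Count -ne 1) {
        Write-Warning "Expected exactly one single-version filter to match; got $($matched.Count)."
    }
    return $matched
}

function New-GuideWmiFilter {
    # Creates one WMI filter object under CN=SOM,CN=WMIPolicy,CN=System.
    # Assumption: msWMI-Parm2 uses GPMC's encoding
    #   "1;3;10;<query length>;WQL;root\CIMv2;<query>;"
    param([string]$Name, [string]$Query, [string]$Description = 'Membership-group deployment filter')
    $domain = Get-ADDomain
    $somDN  = "CN=SOM,CN=WMIPolicy,CN=System,$($domain.DistinguishedName)"
    $id     = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $now    = (Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmss.ffffff-000')
    $attrs  = @{
        'msWMI-Name'             = $Name
        'msWMI-Parm1'            = $Description
        'msWMI-Parm2'            = "1;3;10;$($Query.Length);WQL;root\CIMv2;$Query;"
        'msWMI-ID'               = $id
        'msWMI-Author'           = "$env:USERNAME@$($domain.DNSRoot)"
        'msWMI-ChangeDate'       = $now
        'msWMI-CreationDate'     = $now
        'instanceType'           = 4
        'showInAdvancedViewOnly' = 'TRUE'
    }
    New-ADObject -Name $id -Type 'msWMI-Som' -Path $somDN -OtherAttributes $attrs
    return $id   # the value later referenced from the GPO's gPCWQLFilter attribute
}

# 1. On a test computer of each version, see which filter it matches.
Test-WmiFilterLocally -Filters $filters
# 2. On the domain controller, create the five filters (uncomment to run):
# foreach ($n in $filters.Keys) { New-GuideWmiFilter -Name $n -Query $filters[$n] }
```

    Because the five queries are mutually exclusive (a Version prefix plus ProductType), a Vista, XP, Server 2003 or Server 2008 member server reports exactly one MATCH, and a Server 2008 domain controller reports none, which is the intended effect of ProductType = "3". On domain controllers older than Windows Server 2012, creating msWMI-Som objects over LDAP may be refused unless the "Allow System Only Change" value is set under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters; GPMC has no such restriction, so creating the filters in GPMC as the procedure describes remains the simplest route.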




    Apply Security Group Filters and WMI Filters to the GPOs


    Use this procedure to assign the WMI and security group filters that you created earlier to restrict each GPO to the computers in the membership group that are running the version of Windows for which the GPO is intended.

    Membership in Domain Admins is the minimum required to complete this procedure.



    To assign the security group and WMI filters to your GPOs

    1. Log on to your domain controller as a member of the Domain Admins group.

    2. Click Start, and then click Server Manager.

    The Server Manager console opens.

    3. In the navigation pane, expand Features, expand Group Policy Management, expand Forest: your forest name, expand Domains, and then expand your domain.

    4. For each of the GPOs that contains settings for a different membership group and version of Windows, perform the following steps:

    a. Remove the default security group filter that allows any computer to apply the GPO. Click the GPO, click the Scope tab, and then in Security Filtering, click Authenticated Users, and then click Remove.

    b. Add a security group filter that permits only accounts in the membership group to apply the GPO. In Security Filtering, click Add, enter the name of the membership group that you created for this set of GPOs, and then click OK.

    c. Add a security group filter that prevents members of an exception group from applying the GPO. Click the Delegation tab, click Advanced, click Add, enter the exception group account name, and then click OK. In the Group or user names list, select the group you just added, in the Permissions for Exception Group Name list, clear all of the Allow check boxes, select the Deny check boxes for Read and Apply Group Policy, and then click OK.

    d. Assign the WMI filter that limits the GPO to only computers running the specified versions of Windows. Click the Scope tab, and then in the WMI Filtering list, select the WMI filter you created earlier. In the confirmation dialog box, click Yes.
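    Steps a through d as one script, added here as an example and not taken from the guide or from Microsoft: it uses the GroupPolicy and ActiveDirectory modules (Windows Server 2008 R2 / RSAT and later) against the guide's example names GPO_FunctionA_W2K8, GRP_Membership, GRP_Exception and the "Windows Server 2008" WMI filter. Set-GPPermission cannot write a Deny entry, so step c edits the GPO container's ACL directly; the GUID of the Apply Group Policy extended right and the gPCWQLFilter value format are stated in the comments and are the example's assumptions.

```powershell
# Added example, not from the guide. Requires GroupPolicy + ActiveDirectory modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Set-MembershipGpoFiltering {
    param(
        [string]$GpoName,          # e.g. GPO_FunctionA_W2K8
        [string]$MembershipGroup,  # e.g. GRP_Membership
        [string]$ExceptionGroup,   # e.g. GRP_Exception
        [string]$WmiFilterName     # e.g. Windows Server 2008
    )
    $domain = Get-ADDomain
    $gpo    = Get-GPO -Name $GpoName
    $gpoDN  = "CN={$($gpo.Id)},CN=Policies,CN=System,$($domain.DistinguishedName)"

    # Step a: remove the default Authenticated Users entry (Read + Apply Group Policy).
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None -Replace | Out-Null

    # Step b: only the membership group may read and apply the GPO.
    Set-GPPermission -Name $GpoName -TargetName $MembershipGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Step c: Deny Read and Apply Group Policy to the exception group. Deny beats the
    # Allow from step b, so a computer in both groups does not apply this GPO.
    # Assumption: edacfd8f-ffb3-11d1-b41d-00a0c968f939 is the rightsGuid of the
    # "Apply Group Policy" extended right.
    $sid       = (Get-ADGroup -Identity $ExceptionGroup).SID
    $applyGuid = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'
    $deny      = [System.Security.AccessControl.AccessControlType]::Deny
    $denyApply = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight), $deny, $applyGuid
    $denyRead  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid, ([System.DirectoryServices.ActiveDirectoryRights]::GenericRead), $deny
    $acl = Get-Acl -Path "AD:\$gpoDN"
    $acl.AddAccessRule($denyApply)
    $acl.AddAccessRule($denyRead)
    Set-Acl -Path "AD:\$gpoDN" -AclObject $acl

    # Step d: attach the WMI filter by name. Assumption: gPCWQLFilter holds
    # "[<domain DNS name>;{<msWMI-ID>};0]".
    $somBase = "CN=SOM,CN=WMIPolicy,CN=System,$($domain.DistinguishedName)"
    $som = Get-ADObject -LDAPFilter "(&(objectClass=msWMI-Som)(msWMI-Name=$WmiFilterName))" `
        -SearchBase $somBase -Properties 'msWMI-ID'
    if (-not $som) { throw "WMI filter '$WmiFilterName' not found under $somBase" }
    Set-ADObject -Identity $gpoDN -Replace @{ gPCWQLFilter = "[$($domain.DNSRoot);$($som.'msWMI-ID');0]" }
}

Set-MembershipGpoFiltering -GpoName 'GPO_FunctionA_W2K8' -MembershipGroup 'GRP_Membership' `
    -ExceptionGroup 'GRP_Exception' -WmiFilterName 'Windows Server 2008'
```

    GPMC mirrors security changes to the GPO's SYSVOL folder; writing the AD ACL directly does not, so the next time you open the GPO in GPMC it reports that the SYSVOL permissions are inconsistent and offers to synchronize them. Accept that prompt. The Apply Group Policy decision itself is made against the AD object's ACL, which is why the Deny in step c is effective on its own.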



    Link the GPOs to the Domain


    Use this procedure to link the GPOs that you created earlier to the domain container in the Active Directory hierarchy. Because the assignment of the GPOs is controlled by the combination of the security group and WMI filters, you do not have to assign the GPOs to OU containers.

    Important

    Linking GPOs to the domain container is appropriate for GPOs that must be used by computers throughout the Active Directory hierarchy. Link GPOs that apply only to a subset of the computers in the network to the OU container that is lowest in the hierarchy but still includes all of the targeted computers in the containers below it.

    Membership in Domain Admins is the minimum required to complete this procedure.

    To link the GPOs to the domain container


    1. Log on to your domain controller as a member of the Domain Admins group.

    2. Click Start, and then click Server Manager.

    The Server Manager console opens.

    3. In the navigation pane, expand Features, expand Group Policy Management, expand Forest: your forest name, expand Domains, expand your domain, and then expand Group Policy Objects.

    4. Drag each GPO in the Group Policy Objects node to the node for your domain container. In the confirmation dialog box, click OK.



    Add Computers to the Exception Groups


    Before you add any computers to the membership groups, use this procedure to add computers to the appropriate exception groups. For example, add any computers running Windows 2000 to that exception group. This will prevent the computer accounts in the exception group from applying GPOs that are not intended for them.

    To add computers to the exception groups

    1. Log on to your domain controller as a member of the Domain Admins group.

    2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

    3. In the navigation pane, expand Active Directory Users and Computers, expand your domain, and then select Computers. (If you created the exception groups somewhere other than in the Computers container, select the appropriate container.)

    4. In the details pane, double-click the exception group to which you want to add computers.

    5. Select the Members tab, and then click Add.

    6. Type the name of the computer in the text box, and then click OK.

    7. Repeat steps 5 and 6 for each additional computer account or group that you want to add.

    8. Click OK to close the group properties dialog box.

    9. Restart the computer. Changes in group membership do not take effect until after the computer is restarted.



    Add Test Computers to the Membership Groups


    Use this procedure to add test computers to membership groups, force GPO updates, and confirm the results. Be sure to add computers that represent the overall composition of your network, at least one for every GPO that you deploy.

    Membership in Domain Admins is the minimum required to complete this procedure.



    To add the test computers to the membership groups

    1. Log on to your domain controller as a member of the Domain Admins group.

    2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

    3. In the navigation pane, expand Active Directory Users and Computers, expand your domain, and then select Computers. (If you created the GPO membership groups somewhere other than in the Computers container, then select the appropriate container.)

    4. In the details pane, double-click the GPO membership group to which you want to add computers.

    5. Select the Members tab, and then click Add.

    6. Type the name of the computer in the text box, and then click OK.

    7. Repeat steps 5 and 6 for each additional computer account or group that you want to add.

    8. Click OK to close the group properties dialog box.

    9. Restart the computer. Changes in group membership do not take effect until after the computer is restarted.


    To force a GPO update on the test computers

    1. For a computer that is running Windows Vista or Windows Server 2008, open an elevated command prompt, and then type the following command:

    gpupdate /target:computer /force

    2. For a computer that is running Windows XP or Windows Server 2003, open a command prompt, and then type the following command:

    gpupdate /target:computer /force

    3. For a computer that is running Windows 2000, open a command prompt, and then type the following command:

    secedit /refreshpolicy machine_policy



    To verify the GPO application on the test computers

    1. For a computer that is running Windows Vista or Windows Server 2008, open an elevated command prompt, and then type the following command:

    gpresult /r /scope:computer

    2. For a computer that is running Windows XP or Windows Server 2003, open a command prompt, and then type the following command:

    gpresult /scope:computer

    3. For a computer that is running Windows 2000, open a command prompt, and then type the following command:

    gpresult /c
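    On a test computer running Windows Vista or Windows Server 2008 (or later), the result can be checked more precisely than by reading the gpresult listing by eye. The following script is an added example, not part of the guide: it prints the computer account's group memberships next to the RSoP filtering outcome of every GPO in scope, so a GPO that was denied by security filtering is distinguished from one whose WMI filter returned false. It assumes the element names that gpresult /x writes for each GPO (FilterAllowed, AccessDenied, FilterName); the function names are the example's own.

```powershell
# Added example, not from the guide. Run in an elevated prompt on a domain-joined
# test computer (Vista / Server 2008 or later, where gpresult supports /x).

function Get-ComputerGroupMembership {
    # The computer account's sAMAccountName is the host name plus "$".
    $searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "Computer account for $env:COMPUTERNAME not found in the domain" }
    # memberOf omits the primary group (Domain Computers); that is expected.
    return @($entry.Properties['memberof'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
}

function Get-ComputerGpoFiltering {
    # Export the computer RSoP as XML and classify each GPO's filtering result.
    $xmlPath = Join-Path $env:TEMP 'rsop-computer.xml'
    & gpresult /x $xmlPath /scope:computer /f | Out-Null
    [xml]$rsop = Get-Content -Path $xmlPath
    foreach ($g in $rsop.Rsop.ComputerResults.GPO) {
        # Assumption: AccessDenied = security filtering (no Allow, or an explicit Deny),
        # FilterAllowed = result of the WMI filter named in FilterName.
        $securityDenied = ($g.AccessDenied -eq 'true')
        $wmiDenied      = ($g.FilterAllowed -eq 'false')
        $reason = if ($securityDenied) { 'denied by security filtering' }
                  elseif ($wmiDenied)  { "WMI filter '$($g.FilterName)' returned false" }
                  else                 { 'applied' }
        New-Object PSObject -Property @{
            GPO       = $g.Name
            WmiFilter = $g.FilterName
            Applied   = (-not $securityDenied) -and (-not $wmiDenied)
            Reason    = $reason
        }
    }
}

Write-Host ("{0} is a member of: {1}" -f $env:COMPUTERNAME, ((Get-ComputerGroupMembership) -join ', '))
Get-ComputerGpoFiltering | Format-Table GPO, WmiFilter, Applied, Reason -AutoSize
```

    Read the two halves together: a computer listed in GRP_Exception whose version-specific GPO shows "denied by security filtering" is behaving as designed, while a computer in GRP_Membership only, whose GPO shows "returned false", has a WMI filter that does not match its Version or ProductType. If the computer was added to a group only moments ago, the guide's restart is still required first (on Windows 7 / Server 2008 R2 and later, purging the computer's Kerberos tickets with klist -li 0x3e7 purge before gpupdate /force has the same effect), because the old token does not contain the new group SID.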




    Add Production Computers to the Membership Groups


    After you have thoroughly tested your GPO deployment, use this procedure to add the production computers to the membership groups.

    To add production computers to the membership groups

    1. Log on to your domain controller as a member of the Domain Admins group.

    2. Click Start, click Administrative Tools, and then click Active Directory Users and Computers.

    3. In the navigation pane, expand Active Directory Users and Computers, expand your domain (for example, example.com), and then select Computers. (If you created the GPO membership groups somewhere other than in the Computers container, then select the appropriate container.)

    4. In the details pane, double-click the GPO membership group to which you want to add computers.



    Caution

    If you choose to add a large group like Domain Computers to the membership group, make sure that your exception groups are fully populated and tested before adding the large group.

    5. Select the Members tab, and then click Add.

    6. Type the name of the computer in the text box, and then click OK.

    7. Repeat steps 5 and 6 for each additional computer account or group that you want to add.

    8. Click OK to close the group properties dialog box.

    9. Restart the computer. Changes in group membership do not take effect until after the computer is restarted.



    Additional Resources


    For more information about the technologies that are discussed in this guide, see the following resources:

    • Active Directory Domain Services in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=110928)

    • Group Policy in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=110930)

    • Windows Server 2008 Foundation Network Guide, which is available at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=105231) and in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106252)

    • "Configuring All Servers" topic in the Windows Server 2008 Foundation Network Guide in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106050)

    • "Joining Computers to the Domain and Logging On" topic in the Windows Server 2008 Foundation Network Guide in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106051)


