Windows Server 2008 Directory Services, Group Policy Preferences -- Common Options Page 2

Item-level targeting

Item-level targeting provides significantly enhanced granularity in defining criteria that must be satisfied for a preference item to take effect. Such criteria are evaluated on per-item level, rather a per-GPO basis, as is the case with traditional filtering mechanisms that take into account such factors as a security group membership or an outcome of a WMI-based query. Conditions considered when performing these evaluations include the following. With a few exceptions that we will point out, they are applicable to both computer and user-based preferences:

• Battery Present - checks for the presence of a battery on a target computer, facilitating deployment of distinct preferences to laptops, if different from those applied to desktops and servers.
• Computer Name - makes application of a group policy preference item dependent on the NetBIOS (as determined by the value of COMPUTERNAME environment variable) or DNS name (which involves translating it into a corresponding IP address and comparing its value to addresses assigned to local network adapters) of the target computer. It is possible to use wildcards, with ? and * designating, respectively, any single and multiple characters.
• CPU Speed - restricts the scope of the corresponding preference setting to computers with a processor faster than the value defined here. This can be assigned either directly (by providing a number representing clock speed in MHz) or by leveraging one of System Defined Variables, selected from the list displayed by pressing F3 while the cursor is present in the greater than or equal to listbox.
• Date Match - assigns a schedule, including frequency (Weekly, Monthly or On date) of deploying the preference setting to a target computer.
• Dial-Up Connection - makes deployment contingent on the connected status of a specific dial-up connection. The list of available connection types is fairly long and includes Telephone modem accessed through a COM port, Virtual Private Network (VPN), Frame Relay, PPP over Ethernet (PPoE) and Any. This option is applicable only to User Configuration preferences.
• Disk Space - accommodates scenarios where a preference item has a disk space dependency, allowing you to specify the minimum amount of free space (in GB) on an arbitrarily selected drive, identified either as System (which is determined by checking the value of SYSTEMDRIVE environment variable) -- if applicable -- or by the drive letter. The latter includes mapped network drives.
• Domain - uses the NetBIOS domain name (which can be specified explicitly or assigned via System Defined Variables) to restrict the application of the corresponding preference item depending on whether the target computer or user are its members. This is determined by comparing the value you provide against the DOMAINNAME environment variable.
• Environment Variable - targets users or computers based on values of either the user or system environment variables. Here as well you can specify them directly or leverage System Defined Variables. Note that this particular item presents interesting opportunities in regard to customizing the scope of GPP deployment, which involves defining environment variables that uniquely identify intended recipients.
• File Match - takes into consideration either the existence of a file/folder (based on the Path textbox entry) or checks whether that file's version is within specified range, which accommodates values between 0 and 65535.
• IP Address Range - allows you to set starting and ending boundaries of the IP address range that is compared against the IP address of a target computer. This gives you a considerably more flexible alternative to Active Directory Site-linked GPO deployments.
• Language - determines whether a preference item is applicable depending on the user's or computer's locale, which combines a language and a corresponding geographic area where that language is spoken. Since this can be either a user or a computer characteristic, you have an option to designate an appropriate one by selecting the System or User checkbox. The latter is not available when using Computer Configuration. Alternatively, it is also possible to use a Native option, which relies on the version stamping resource of NTDLL.DLL file.
• LDAP Query - runs a subtree, no chase-referrals search for user or computer objects in Active Directory based on an arbitrary LDAP filter. Its configuration involves specifying that filter, a Binding (designating the LDAP: or GC: protocol and a container where the search will be conducted), as well as an Attribute to be returned from the query. You also have an option to assign the value of returned attribute to an Environment variable. This, however, is limited strictly to ADSTYPE_DN_STRING, ADSTYPE_CASE_EXACT_STRING, ADSTYPE_CASE_IGNORE_STRING, ADSTYPE_PRINTABLE_STRING, ADSTYPE_NUMERIC_STRING, ADSTYPE_OBJECT_CLASS, or ADSTYPE_BOOLEAN data types.

• MAC Address Range - allows you to designate a target computer by defining a range of MAC addresses that include those assigned to its network adapters.
• MSI Query - defines targeting criteria that take into consideration properties of Windows Installer packages present on the target computer. These definitions combine Query type (such as Target exist, Version match, Get property, Match property, Get information or Match information) with Target type (such as Product, Patch or Component). Assigning appropriate values to each is simplified by a Select a Product dialog box (invoked via the Browse ... command button), which allows you to select among products, patches and components installed on the local computer on that the Group Policy Management Editor is running.
• Operating System - identifies target computer based on Product (Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, or Windows Server 2008), Edition (this varies with the OS version, but may include, Standard, Enterprise, Web, 64-bit Enterprise, or 64-bit Datacenter), Release (Service Pack level), and Computer Role (such as Workstation, Member Server, or Domain Controller).
• Organizational Unit - checks direct or indirect membership of a computer or user object in a designated Organizational Unit.
• PMCIA Present - identifies a target computer based on the existence of at least one PCMCIA slot (which, in addition to Battery Present and Portable Computer options, might be helpful when targeting laptop computers). The identification is determined based on the presence of relevant drivers and the status of the corresponding hardware components.
• Portable Computer - an option intended specifically for laptops that serves as an alternative to Battery Present and PMCIA Present, which also allows you to identify whether the target computers is in docked or undocked state.
• Processing Mode - makes application of preference item dependent on the Group Policy processing mode. This mode can take the value of Synchronous (which means that computer or user Group Policy processing must be completed before subsequent actions, such as user logon or user desktop display are allowed), Asynchronous (permitting such actions while Group Policy processing is still in effect), or Background (taking place after initial computer startup or user logon in 90 to 120 minutes intervals). For each of them, you can also further narrow down the scope based on Processing conditions, which include Forced refresh (typically accomplished by invoking gpupdate with /force switch), Link transition (a change in link speed), No changes (unchanged version number of Group Policy Object), RSoP transition (a change in RSoP logging), Slow link (presence of slow network connection), Safe boot (operating in safe mode), or Verbose logging (highest level of logging enabled).
• RAM - determines the scope by comparing amount of physical memory against an arbitrary threshold (in MB).
• Registry Match - applies a Match type (including Key exists, Value exists, Match value data, and Get value data) against a specified registry location (key or value) to determine whether preference item should be applied. The last of these options also provides the ability to store the matching value in an environment variable.
• Security Group - checks membership of a target user or computer in a designated domain-based, local or well-known group. It is also possible to make the processing contingent on that group being designated as the primary.
• Site - evaluates the Active Directory Site membership of a target computer account.
• Terminal Session - facilitates scenarios where group policy processing should be dependent on whether a user is logged on via a Terminal Services session (rather than interactively to the console). You can further narrow down the scope by specifying Type of protocol (which, by default, includes only Terminal Services option), and a session Parameter, such as Application name, Client name, Initial program, Session name, Working directory or Client TCP/IP address.
• Time Range - matches local time on a target computer against an arbitrarily defined interval, allowing you to apply a preference item only during specific times.
• User - available only for User Configuration items, identifies target users by their names (wildcards are allowed) or SIDs (in which case wildcards are not permitted).
• WMI Query - uses WQL (WMI Query Language) to evaluate scope of the preference item processing. You must specify the actual Query, which takes the form of a SELECT statement) and WMI Namespace (set by default to Rootcimv2). In addition, you have an option to designate a WMI Property returned by the query, which will be assigned to an arbitrary environment variable (identified by Variable name entry).

Note that each of these targeting items can be grouped into collections (via Add Collection toolbar button), combined with others using Boolean operators (And, Or, Is, or Is Not), and labeled (for documentation and search purposes). Effectively, this gives you ability to construct elaborate sets of criteria that result in wide range of processing conditions.

Hopefully this overview provides a better understanding of configuration options that govern behavior of Group Policy Preferences.

Follow ServerWatch on Twitter