Windows Server 2008 Directory Services, Group Policy Preferences -- Common Options Page 2
Item-level targeting provides significantly enhanced granularity in defining criteria that must be satisfied for a preference item to take effect. Such criteria are evaluated on per-item level, rather a per-GPO basis, as is the case with traditional filtering mechanisms that take into account such factors as a security group membership or an outcome of a WMI-based query. Conditions considered when performing these evaluations include the following. With a few exceptions that we will point out, they are applicable to both computer and user-based preferences:
Battery Present- checks for the presence of a battery on a target computer, facilitating deployment of distinct preferences to laptops, if different from those applied to desktops and servers.
Computer Name- makes application of a group policy preference item dependent on the NetBIOS (as determined by the value of
COMPUTERNAMEenvironment variable) or DNS name (which involves translating it into a corresponding IP address and comparing its value to addresses assigned to local network adapters) of the target computer. It is possible to use wildcards, with
*designating, respectively, any single and multiple characters.
CPU Speed- restricts the scope of the corresponding preference setting to computers with a processor faster than the value defined here. This can be assigned either directly (by providing a number representing clock speed in MHz) or by leveraging one of
System Defined Variables, selected from the list displayed by pressing
F3while the cursor is present in the
greater than or equal tolistbox.
Date Match- assigns a schedule, including frequency (
On date) of deploying the preference setting to a target computer.
Dial-Up Connection- makes deployment contingent on the
connectedstatus of a specific dial-up connection. The list of available connection types is fairly long and includes
Telephone modem accessed through a COM port,
Virtual Private Network (VPN),
PPP over Ethernet (PPoE)and
Any. This option is applicable only to
Disk Space- accommodates scenarios where a preference item has a disk space dependency, allowing you to specify the minimum amount of free space (in GB) on an arbitrarily selected drive, identified either as
System(which is determined by checking the value of
SYSTEMDRIVEenvironment variable) -- if applicable -- or by the drive letter. The latter includes mapped network drives.
Domain- uses the NetBIOS domain name (which can be specified explicitly or assigned via
System Defined Variables) to restrict the application of the corresponding preference item depending on whether the target computer or user are its members. This is determined by comparing the value you provide against the
Environment Variable- targets users or computers based on values of either the user or system environment variables. Here as well you can specify them directly or leverage
System Defined Variables. Note that this particular item presents interesting opportunities in regard to customizing the scope of GPP deployment, which involves defining environment variables that uniquely identify intended recipients.
File Match- takes into consideration either the existence of a file/folder (based on the
Pathtextbox entry) or checks whether that file's version is within specified range, which accommodates values between
IP Address Range- allows you to set starting and ending boundaries of the IP address range that is compared against the IP address of a target computer. This gives you a considerably more flexible alternative to Active Directory Site-linked GPO deployments.
Language- determines whether a preference item is applicable depending on the user's or computer's locale, which combines a language and a corresponding geographic area where that language is spoken. Since this can be either a user or a computer characteristic, you have an option to designate an appropriate one by selecting the
Usercheckbox. The latter is not available when using
Computer Configuration. Alternatively, it is also possible to use a
Nativeoption, which relies on the version stamping resource of
LDAP Query- runs a subtree, no chase-referrals search for user or computer objects in Active Directory based on an arbitrary LDAP filter. Its configuration involves specifying that filter, a
GC:protocol and a container where the search will be conducted), as well as an
Attributeto be returned from the query. You also have an option to assign the value of returned attribute to an
Environment variable. This, however, is limited strictly to
MAC Address Range - allows you to designate a target computer by defining a range of MAC addresses that include those assigned to its network adapters.
MSI Query- defines targeting criteria that take into consideration properties of Windows Installer packages present on the target computer. These definitions combine
Query type(such as
Match information) with
Target type(such as
Component). Assigning appropriate values to each is simplified by a
Select a Productdialog box (invoked via the
Browse ...command button), which allows you to select among products, patches and components installed on the local computer on that the Group Policy Management Editor is running.
Operating System- identifies target computer based on
Windows Server 2003,
Windows Server 2003 R2,
Windows Vista, or
Windows Server 2008),
Edition(this varies with the OS version, but may include,
64-bit Enterprise, or
Release(Service Pack level), and
Computer Role(such as
Member Server, or
Organizational Unit- checks direct or indirect membership of a computer or user object in a designated Organizational Unit.
PMCIA Present- identifies a target computer based on the existence of at least one PCMCIA slot (which, in addition to
Portable Computeroptions, might be helpful when targeting laptop computers). The identification is determined based on the presence of relevant drivers and the status of the corresponding hardware components.
Portable Computer- an option intended specifically for laptops that serves as an alternative to
PMCIA Present, which also allows you to identify whether the target computers is in docked or undocked state.
Processing Mode- makes application of preference item dependent on the Group Policy processing mode. This mode can take the value of
Synchronous(which means that computer or user Group Policy processing must be completed before subsequent actions, such as user logon or user desktop display are allowed),
Asynchronous(permitting such actions while Group Policy processing is still in effect), or
Background(taking place after initial computer startup or user logon in 90 to 120 minutes intervals). For each of them, you can also further narrow down the scope based on
Processing conditions, which include
Forced refresh(typically accomplished by invoking
Link transition(a change in link speed),
No changes(unchanged version number of Group Policy Object),
RSoP transition(a change in RSoP logging),
Slow link(presence of slow network connection),
Safe boot(operating in safe mode), or
Verbose logging(highest level of logging enabled).
RAM- determines the scope by comparing amount of physical memory against an arbitrary threshold (in MB).
Registry Match- applies a
Match value data, and
Get value data) against a specified registry location (key or value) to determine whether preference item should be applied. The last of these options also provides the ability to store the matching value in an environment variable.
Security Group- checks membership of a target user or computer in a designated domain-based, local or well-known group. It is also possible to make the processing contingent on that group being designated as the primary.
Site- evaluates the Active Directory Site membership of a target computer account.
Terminal Session- facilitates scenarios where group policy processing should be dependent on whether a user is logged on via a Terminal Services session (rather than interactively to the console). You can further narrow down the scope by specifying
Type of protocol(which, by default, includes only
Terminal Servicesoption), and a session
Parameter, such as
Client TCP/IP address.
Time Range- matches local time on a target computer against an arbitrarily defined interval, allowing you to apply a preference item only during specific times.
User- available only for
User Configurationitems, identifies target users by their names (wildcards are allowed) or SIDs (in which case wildcards are not permitted).
WMI Query- uses WQL (WMI Query Language) to evaluate scope of the preference item processing. You must specify the actual
Query, which takes the form of a
SELECTstatement) and WMI
Namespace(set by default to
Rootcimv2). In addition, you have an option to designate a WMI
Propertyreturned by the query, which will be assigned to an arbitrary environment variable (identified by
Note that each of these targeting items can be grouped into collections (via
Add Collection toolbar button), combined with others using Boolean operators (
Is Not), and labeled (for documentation and search purposes). Effectively, this gives you ability to construct elaborate sets of criteria that result in wide range of processing conditions.
Hopefully this overview provides a better understanding of configuration options that govern behavior of Group Policy Preferences.