Group Policy Deployment Overview

Applies To: Windows Server 2008

The following illustration shows the components that are required to deploy Group Policy by using a membership group.


The components include:

The domain controller is a computer running Windows Server 2008 and Active Directory Domain Services (AD DS). The illustration shows a domain controller named AD-DNS-01 configured in the forest and domain.

Group Policy is configured in AD DS on the domain controller. You create one or more GPOs that are associated with the membership group and configure the settings required by the set of computers that must receive each GPO. For example, you can create a GPO named GPO_Membership, as shown in the illustration.

Windows Management Instrumentation (WMI) filters allow a GPO to query the computer for conditions that must be true for the GPO to apply. In this guide, WMI filters are used to query for the version of Windows to ensure that only a GPO designed for that version will apply.

Windows 2000 does not support WMI filters; a computer running Windows 2000 processes any GPO that is in its scope, even if the GPO has a WMI filter that explicitly excludes Windows 2000. For this reason, add computers running Windows 2000 to an exception group, as discussed in the following section.

The membership group contains the user or computer accounts that will receive one of the GPOs associated with the group. The choice of GPO depends on the WMI filters used for checking the version of Windows and any membership in an exception group. For example, you can create a group named GRP_Membership, as shown in the illustration.

The exception group contains the user or computer accounts that might be in the membership group, but must not be allowed to apply a particular membership GPO. Exception groups are assigned deny permissions on the membership GPOs. For example, you can create a group named GRP_Exception, as shown in the illustration.

Exception groups are used for the following reasons:

  • When a computer or user is in two membership groups but must apply only one of the two GPOs. You use one of the membership groups as if it were an exception group for the GPOs that pertain to the other membership group. For example, consider membership groups Group A and Group B, each with a GPO, GPO A and GPO B. Only one of the GPOs must apply to any computer. Members of Group B must receive only the GPO B, even if they are also members of Group A. To do this, treat the Group B membership group as an exception group for Group A. On GPO A, deny Apply Group Policy permissions to Group B. Because deny permissions override allow permissions, members of Group B will only be allowed to apply GPO B.

  • When a WMI filter cannot be used. For example, computers that are running Windows 2000 cannot process WMI filters, and apply all GPOs that are in scope, and for which they have permissions to apply. Placing a group with all computers that run Windows 2000 into the exception group for a GPO prevents them from applying the GPO.

The process for configuring Group Policy based on a membership group occurs in these stages:

  1. Create the membership group in AD DS.

  2. Create the exception group in AD DS.

  3. Create the GPOs, one for each version of Windows that requires different settings to achieve the desired configuration. Remember that often you can copy a GPO for one version of Windows to serve as a starting point for another version. This can save a lot of time if your GPOs contain a large number of settings. For example, Windows Vista and Windows Server 2008 support almost the same collection of settings. You could create the GPO for Windows Vista, configure it, and then make a copy of it for Windows Server 2008. Then you only need to change the few settings that are different between Windows Vista and Windows Server 2008.

  4. Create the WMI filters that allow you to distinguish between different versions of Windows. In theory, you could have five GPOs for a single membership group, one each for Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. Each GPO must have a WMI filter that prevents it from being applied to any version of Windows except the one for which it is designed.

    In the case of Windows 2000, the WMI filter on the GPO for Windows 2000 prevents later versions of Windows from applying the GPO. To prevent a computer that runs Windows 2000 from applying the GPOs for later versions of Windows, you must create an exception group containing the Windows 2000 computers. You then deny Read and Apply Group Policy permissions to that group on all of the GPOs for later versions of Windows.

  5. Grant Read and Apply Group Policy permissions on the GPOs to the membership group. Remove the default entry for Authenticated Users. Deny Apply Group Policy permissions to the exception group. Assign the corresponding WMI filter to each GPO.

    If you have membership groups in which a computer might be a member of more than one membership group, and only one of the GPOs must be applied, then treat one of the membership groups as an exception group for the other.

  6. Link the GPOs to the domain container to make it visible to all of the computers in the domain. The security group and WMI filters limit their application to only the specified set of computers.

  7. Add a small number of test computers to the membership and exception groups. Refresh Group Policy on the test computers and make sure that each receives the correct GPO and applies the correct settings.

  8. After testing is complete, add the production computers to the membership and exception groups.

Community Additions