Apply Security Group Filters and WMI Filters to the GPOs

Applies To: Windows Server 2008

Use this procedure to assign the WMI and security group filters that you created earlier to restrict each GPO to the computers in the membership group that are running the version of Windows for which the GPO is intended.

Membership in Domain Admins is the minimum required to complete this procedure.

To assign the security group and WMI filters to your GPOs

  1. Log on to your domain controller as a member of the Domain Admins group.

  2. Click Start, and then click Server Manager.

    The Server Manager console opens.

  3. In the navigation pane, expand Features, expand Group Policy Management, expand Forest: your forest name, expand Domains, and then expand your domain.

  4. For each of the GPOs that contains settings for a different zone and version of Windows, perform the following steps:

    1. Remove the default security group filter that allows any computer to apply the GPO. In Security Filtering, click Authenticated Users, and then click Remove.

    2. Add a security group filter that permits only accounts in the membership group to apply the GPO. In Security Filtering, click Add, enter the membership group account name that you created for the zone, and then click OK.

    3. Add a security group filter that prevents members of an exception group from applying the GPO. Click the Delegation tab, click Advanced, click Add, enter the exception group account name, and then click OK. In the Group or user names list, select the group you just added, in the Permissions for **Exception Group Name list, clear all of the **Allow check boxes, select the Deny check boxes for Read and Apply Group Policy, and then click OK.

    4. Assign the WMI filter that limits the GPO to only computers running the specified versions of Windows. Click the Scope tab, and then in the WMI Filtering list, select the WMI filter you created earlier. In the confirmation dialog box, click Yes.