Today I came across a server that had been placed in a sub-OU by a colleague simply for the purposes of applying a GPO to it. The GPO in question was configured to make some changes to the BranchCache feature.
If the policy needs to apply to a subset of all servers in an OU, it would be cleaner to apply a WMI filter to the GPO itself rather than limiting the scope of the GPO by explicit security filtering.
Here’s what I did to clean it up:
- Created a WMI filter in GPMC:
  SELECT * FROM Win32_ServerFeature WHERE Name LIKE 'branchcache%'
- Applied the filter to the GPO in question
- Applied the GPO to the OU where the server originally lived
- Moved the server back to the original OU
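Before linking a filtered GPO to a populated OU, it helps to see which members the filter would actually select. The script below is an added example, not part of the original post: it runs the same WQL query against every computer in an OU and reports whether the filter would evaluate to true. It assumes the ActiveDirectory RSAT module and WinRM access to the targets, and the OU distinguished name is a placeholder.

```powershell
# Added example: preview which computers in an OU would pass a GPO WMI filter.
# Assumptions: ActiveDirectory RSAT module installed, WinRM reachable on targets.
# $SearchBase is a placeholder DN; replace it with the OU the GPO will be linked to.
param(
    [string]$SearchBase = 'OU=Servers,DC=example,DC=com',
    [string]$Wql = "SELECT * FROM Win32_ServerFeature WHERE Name LIKE 'branchcache%'"
)

Import-Module ActiveDirectory

$results = foreach ($computer in Get-ADComputer -Filter * -SearchBase $SearchBase) {
    # Fall back to the short name when the object has no DNS host name set.
    $target = if ($computer.DNSHostName) { $computer.DNSHostName } else { $computer.Name }
    try {
        # A WMI filter evaluates to true when its query returns at least one instance.
        $hits = @(Get-CimInstance -ComputerName $target -Namespace 'root\CIMv2' `
                                  -Query $Wql -ErrorAction Stop)
        [pscustomobject]@{
            Computer = $target
            Status   = if ($hits.Count -gt 0) { 'GPO applies' } else { 'GPO filtered out' }
            Matches  = ($hits.Name -join ', ')
        }
    }
    catch {
        # Report unreachable hosts and bad queries separately, so a failure
        # is never mistaken for "the filter did not match".
        [pscustomobject]@{
            Computer = $target
            Status   = "Query failed: $($_.Exception.Message)"
            Matches  = ''
        }
    }
}

$results | Sort-Object Status, Computer | Format-Table -AutoSize
```

Any server listed as "GPO applies" that should not receive the BranchCache settings means the query needs tightening before the GPO is linked.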
This same strategy could be used to apply a policy to all IIS servers, all file servers, etc. The possibilities are practically limitless.
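You could even filter on something like Win32_Product to apply a specific GPO to Exchange servers, for example:
SELECT * FROM Win32_Product WHERE name = 'microsoft exchange server'
Be aware that Win32_Product is served by the Windows Installer provider: every query against it runs a consistency check of each installed MSI package, so a filter like this is slow and is re-run at each Group Policy evaluation on every machine in scope.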