Today I came across a server that had been placed in a sub-OU by a colleague simply for the purposes of applying a GPO to it. The GPO in question was configured to make some changes to the BranchCache feature.
If the policy needs to apply to a subset of all servers in an OU, it would be cleaner to apply a WMI filter to the GPO itself rather than limiting the scope of the GPO by explicit security filtering.
Here’s what I did to clean it up:
- Created a WMI filter in GPMC:
    SELECT * FROM Win32_ServerFeature WHERE Name like 'branchcache%'
- Applied the filter to the GPO in question
- Applied the GPO to the OU where the server originally lived
- Moved the server back to the original OU
This same strategy could be used to apply a policy to all IIS servers, all file servers, etc. The possibilities are practically limitless.
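Before linking a filtered GPO to a whole OU, it is worth checking what the query returns on a representative server, since a WMI filter lets the GPO apply only when the query returns at least one instance. The PowerShell below is an added example, not part of the original post; the function name Test-WmiFilterQuery is hypothetical, and it assumes Windows PowerShell, where Get-WmiObject is available. It compares the prefix pattern used above with a contains pattern.

```powershell
# Added example: run candidate WMI filter queries on a server and report
# whether each one would let the GPO through (at least one instance returned).
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        $queryError = $null
    }
    catch {
        # Win32_ServerFeature is absent on client editions of Windows; a query
        # that fails is treated here as "no match" so the result stays usable.
        $hits = @()
        $queryError = $_.Exception.Message
    }
    [pscustomobject]@{
        Query      = $Query
        Matches    = ($hits.Count -gt 0)
        Names      = ($hits | ForEach-Object { $_.Name }) -join '; '
        QueryError = $queryError
    }
}

# 'branchcache%' matches names that start with the string;
# '%branchcache%' matches names that contain it anywhere.
$candidates = @(
    "SELECT * FROM Win32_ServerFeature WHERE Name LIKE 'branchcache%'",
    "SELECT * FROM Win32_ServerFeature WHERE Name LIKE '%branchcache%'"
)
$candidates | ForEach-Object { Test-WmiFilterQuery -Query $_ } | Format-List

# After linking the GPO and running gpupdate, confirm the outcome on the server:
gpresult /r /scope computer
```

Running this on one server that should receive the policy and one that should not shows whether the filter is too broad or too narrow before the GPO is linked higher up.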
You could even filter on something like Win32_Product to apply a specific GPO to Exchange servers, for example.
SELECT * FROM Win32_Product WHERE name = 'microsoft exchange server'
Don’t use Win32_Product. It’s not a good idea, and even Microsoft warn against using it.
Would it be SELECT * FROM Win32_ServerFeature WHERE Name like “%branchcache%”
You have single tics and one %, which I’m not sure is the accurate syntax.
Hi Jeremy,
I normally use the single quotes in PowerShell to test WMI queries, so left them as-is:
Get-WmiObject Win32_ServerFeature -Filter "name like 'branchcache%'"
I verified on two different servers with gpresult that the filter does work correctly with the single quotes.
Good point about the single %, as it’s something people need to be aware of, however I did it on purpose. I’m looking for features that begin with the string “branchcache”, not for ones that contain “branchcache” anywhere within the name.
On Server 2008 R2, the feature names are:
1. BranchCache
2. BranchCache for network files
Regards,
Daniel