Active Directory Group Policy implementation becomes tricky when you need surgical precision targeting. The standard application methods (linking to OUs, user/computer targeting) create overreach scenarios where:
- User-targeted GPOs affect all machines the user accesses
- Computer-targeted GPOs affect all users of that machine
- Combining user and computer targeting widens the policy's scope instead of narrowing it
The most robust method combines security filtering with WMI filters. Here's how to implement it:

```powershell
# PowerShell to build the WMI filter query from the targeting parameters
$user     = "DOMAIN\DumbGuy"
$computer = "DOMAIN\DumbGuysComputer$"
# Win32_ComputerSystem.Name holds the bare host name (no domain prefix, no trailing $),
# while UserName is the console user in DOMAIN\user form; a backslash must be doubled in WQL
$hostName = ($computer -split '\\')[-1].TrimEnd('$')
$WMIFilterQuery = @"
SELECT * FROM Win32_ComputerSystem
WHERE Name = '$hostName'
AND UserName = '$($user.Replace('\', '\\'))'
"@
```
- Create the GPO in Group Policy Management Console
- Set Security Filtering:

```powershell
# Downgrade Authenticated Users from Apply to Read instead of removing the entry:
# since MS16-072 the computer account still needs Read on the GPO to process it
Set-GPPermission -Name "RestrictiveGPO" -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoRead -Replace
# Grant Apply only to the specific user and computer accounts
Set-GPPermission -Name "RestrictiveGPO" -TargetName "DOMAIN\DumbGuy" -TargetType User -PermissionLevel GpoApply
Set-GPPermission -Name "RestrictiveGPO" -TargetName "DOMAIN\DumbGuysComputer$" -TargetType Computer -PermissionLevel GpoApply
```
- Create WMI Filter using a WMI Query Language (WQL) query (the filter is TRUE when the query returns at least one instance):

```sql
SELECT * FROM Win32_ComputerSystem WHERE Name LIKE '%DumbGuysComputer%' AND UserName LIKE '%DumbGuy%'
```
For non-WMI environments, use Group Policy Preferences with item-level targeting. Schematically (the real preference XML expresses this as a Filters element with FilterUser and FilterComputer entries):

```xml
<Item>
  <Target>
    <And>
      <UserName Value="DOMAIN\DumbGuy" />
      <ComputerName Value="DumbGuysComputer" />
    </And>
  </Target>
  <RegistrySettings clsid="{...}">
    <!-- Your registry modifications here -->
  </RegistrySettings>
</Item>
```
Always validate with `gpresult /h report.html` and check:
- Applied GPOs section for your policy
- Security filtering effective permissions
- WMI filter evaluation result
WMI filters add logon overhead, because every query is evaluated during policy processing. Best practices:
- Limit total WMI filters per GPO
- Use simple queries when possible
- Consider scheduled tasks for non-critical policies
In Active Directory environments, Group Policy Objects (GPOs) typically apply to either users or computers broadly. However, there are scenarios where you need precise targeting - applying settings to just one user when they log on to just one specific computer.
Traditional approaches fail because:
- User-based GPOs apply to the user across all devices
- Computer-based GPOs affect all users on that machine
- Combining both scopes actually widens the application
Group Policy Preferences (GPP) with item-level targeting provides the granular control we need. Schematically:

```xml
<GroupPolicyObject>
  <Targeting>
    <And>
      <User>DOMAIN\DumbGuy</User>
      <Computer>DOMAIN\DumbGuysComputer$</Computer>
    </And>
  </Targeting>
  <Settings>
    <!-- Your specific policy settings here -->
  </Settings>
</GroupPolicyObject>
```
Here's how to set this up:
- Create a new GPO in Group Policy Management
- Navigate to User Configuration → Preferences → Control Panel Settings
- Add your desired preference item (Registry, Shortcut, etc.)
- Click the "Common" tab and check "Item-level targeting"
- Click "Targeting" and add both user and computer conditions
For more complex scenarios, WMI filters can be used. WQL has no EXISTS clause or subqueries, so both conditions go on Win32_ComputerSystem directly: Name is the bare host name, UserName is the interactive console user in DOMAIN\user form, and the backslash must be doubled:

```sql
SELECT * FROM Win32_ComputerSystem
WHERE Name = 'DumbGuysComputer'
AND UserName = 'DOMAIN\\DumbGuy'
```
Always test your targeted GPOs:
- Run `gpresult /r` on the target computer
- Check Event Viewer for policy application events
- Use `rsop.msc` to verify applied settings
Watch out for these issues:
- Computer account names must include the $ suffix in security filtering, while the WMI Name property uses the bare host name without it
- User principal names (UPNs) might behave differently than DOMAIN\User formats
- Slow link detection might prevent GPP from applying
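A pre-rollout check covering both answers above, as an added example that is not code from either answer: it verifies that the GPO's Apply permission is limited to the one user and one computer (and that Read was retained for the computer account), and evaluates the WQL filter on the target machine the way the Group Policy engine does. It assumes the GroupPolicy RSAT module; the GPO, user and computer names are the placeholders from the text.

```powershell
# Added example: assumes the GroupPolicy RSAT module is installed on the admin host
# and that Test-WmiFilterLocally is run on the target computer itself.
Import-Module GroupPolicy

function Test-GpoApplyScope {
    param([string]$GpoName, [string[]]$AllowedApply)
    $perms = Get-GPPermission -Name $GpoName -All
    # Trustees that would receive the policy, compared by account name
    # (sAMAccountName; computer accounts carry the trailing $)
    $applyTo    = @($perms | Where-Object Permission -eq 'GpoApply' | ForEach-Object { $_.Trustee.Name })
    $unexpected = @($applyTo | Where-Object { $AllowedApply -notcontains $_ })
    # Since MS16-072 the computer account must still Read the GPO, so Authenticated
    # Users (or Domain Computers) needs GpoRead even after losing Apply
    $readKept = @($perms | Where-Object {
        $_.Trustee.Name -in @('Authenticated Users', 'Domain Computers') -and
        $_.Permission -in @('GpoRead', 'GpoApply') }).Count -gt 0
    [pscustomobject]@{
        AppliesTo       = $applyTo
        UnexpectedApply = $unexpected
        ReadRetained    = $readKept
        Ok              = ($unexpected.Count -eq 0 -and $readKept)
    }
}

function Test-WmiFilterLocally {
    # The GP engine treats a WMI filter as TRUE when its query returns at least
    # one instance; this reproduces that evaluation on the local machine.
    param([string]$Query)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.UserName) {
        # Nobody at the console (computer-side processing at boot, or an RDP-only
        # session): a UserName condition cannot match, so settings that depend on
        # it belong under User Configuration, not Computer Configuration.
        Write-Warning "Win32_ComputerSystem.UserName is empty; the user condition will not match"
    }
    $hits = @(Get-CimInstance -Namespace 'root/cimv2' -Query $Query -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

# Usage with the placeholder names from the text above
$scope = Test-GpoApplyScope -GpoName 'RestrictiveGPO' -AllowedApply @('DumbGuy', 'DumbGuysComputer$')
$scope | Format-List
# Backslash in DOMAIN\user must be doubled inside WQL
$wql = "SELECT * FROM Win32_ComputerSystem WHERE Name = 'DumbGuysComputer' AND UserName = 'DOMAIN\\DumbGuy'"
Test-WmiFilterLocally -Query $wql
```

If `Ok` is false, the `UnexpectedApply` list names every extra trustee that would still receive the policy, which is the overreach the answers warn about.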