Tag Archives: group policies

Group Policy: WMI Filters in a nutshell

Windows Management Instrumentation (WMI) filters are another method we can use to narrow down which computers a group policy applies to. A WMI filter evaluates only the computer, because it is based on the computer's attribute values; it cannot filter on user attributes. Typical uses are to separate operating system versions, processor architecture (32-bit/64-bit), Windows Server roles, registry settings, event IDs and so on. When a GPO with a filter is processed, the WMI query runs against the WMI data of that computer and decides whether the GPO applies: if the query returns at least one result (true) the GPO is processed, and if it returns nothing (false) the GPO is skipped. This holds for the user settings of the GPO as well, but the query is still evaluated against the computer the user logs on to. This method was first introduced with Windows Server 2003.

WMI filters are created and managed with GPMC. Before a filter can be applied to a GPO it has to be created. A single WMI filter can be attached to many GPOs, but a GPO can have only one WMI filter attached.

To create a WMI filter, open GPMC, right-click on WMI Filters and click New.


It opens a new window where we can name the filter and define the WMI query.


Clicking the Add button lets us define the namespace (root\CIMv2 for the classes used below) and the WMI query. As an example, I have created a WMI query that matches 32-bit editions of Windows 10:

select * from Win32_OperatingSystem WHERE Version like "10.%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

Below are a few commonly used WMI queries. Version is matched as a prefix, so "10.%" also matches Windows 11 (which reports version 10.0.22000 and higher), and ProductType = "1" limits the match to workstations (2 is a domain controller, 3 a member server).

To Filter OS – Windows 8 – 64bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND OSArchitecture = "64-bit"

To Filter OS – Windows 8 – 32 bit

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"

To Filter any Windows server OS – 64bit

select * from Win32_OperatingSystem where (ProductType = "2" OR ProductType = "3") AND OSArchitecture = "64-bit"

Note the parentheses: in WQL, AND binds tighter than OR, so without them a 32-bit domain controller (ProductType 2) would also match.

To apply a policy on a selected day of the week

select DayOfWeek from Win32_LocalTime where DayOfWeek = 1

Day 1 is Monday (Win32_LocalTime numbers the days from 0 = Sunday to 6 = Saturday). Keep in mind that a filter is only re-evaluated when group policy is refreshed (at startup and logon and then every 90 minutes by default), so the policy switches on or off at the next refresh, not exactly at midnight, and the managed policy settings are removed again once the filter stops matching.
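To try these queries before attaching them to a GPO, here is an added PowerShell example (not part of the original post). It evaluates each query on the local computer with Get-CimInstance, which uses the same WQL engine the Group Policy client uses, so a query that returns no instances means the GPO would be filtered out on that host. The descriptive labels and the Test-WmiFilterQuery helper are my own; the server query is written with explicit parentheses because AND binds tighter than OR in WQL.

```powershell
# Added example, not from the original post. Evaluates candidate WMI-filter
# queries on the local computer. Group Policy applies a filtered GPO only when
# the query returns at least one instance, so an empty result here means the
# GPO would be skipped on this host. Needs Windows PowerShell 3.0+ (CIM cmdlets).

$q32bitWin10  = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType = "1" AND NOT OSArchitecture = "64-bit"'
$q64bitWin8   = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType = "1" AND OSArchitecture = "64-bit"'
# Parentheses are required: AND binds tighter than OR in WQL, so without them
# any 32-bit domain controller (ProductType 2) would also match.
$q64bitServer = 'SELECT * FROM Win32_OperatingSystem WHERE (ProductType = "2" OR ProductType = "3") AND OSArchitecture = "64-bit"'
# Win32_LocalTime.DayOfWeek: 0 = Sunday, 1 = Monday ... 6 = Saturday.
$qMonday      = 'SELECT DayOfWeek FROM Win32_LocalTime WHERE DayOfWeek = 1'

$queries = [ordered]@{
    'Windows 10/11 workstation, 32-bit' = $q32bitWin10
    'Windows 8 workstation, 64-bit'     = $q64bitWin8
    'Any Windows Server, 64-bit'        = $q64bitServer
    'Today is Monday'                   = $qMonday
}

function Test-WmiFilterQuery {
    param([Parameter(Mandatory)][string]$Query, [string]$Namespace = 'root\cimv2')
    # Same semantics as the filter: true when the query returns one or more instances.
    $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    return ($hits.Count -gt 0)
}

foreach ($name in $queries.Keys) {
    $verdict = if (Test-WmiFilterQuery -Query $queries[$name]) { 'GPO would apply' } else { 'GPO filtered out' }
    '{0,-36} {1}' -f $name, $verdict
}

# The raw attributes the queries compare against. Windows 11 also reports a
# 10.0.x Version, so "10.%" matches it too; ProductType 1 = workstation,
# 2 = domain controller, 3 = member server.
Get-CimInstance -ClassName Win32_OperatingSystem |
    Select-Object Caption, Version, ProductType, OSArchitecture
```

Run it on a representative machine of each type you intend to target (a 32-bit and a 64-bit workstation, a member server, a domain controller) and compare the verdicts with what you expect before linking the filter. On the client, gpresult /r later lists a GPO rejected by its filter under "The following GPOs were not applied because they were filtered out" with the reason "Denied (WMI Filter)".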

Once the WMI filter is created it has to be attached to the GPO. To do that, go to GPMC, select the required GPO, and under the WMI Filtering section at the bottom of the Scope tab select the filter from the drop-down box.


Now it is time for testing. Our test query targets 32-bit Windows 10, so if I run it on a 64-bit operating system the GPO should not apply. We can check this by running gpupdate /force to refresh group policy and gpresult /r to check the result; a GPO rejected by its filter is listed under "The following GPOs were not applied because they were filtered out" with the reason "Denied (WMI Filter)".


The test was successful and the policy was blocked, as I am running a 64-bit version of Windows 10.

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Understanding Group Policy Conflicts

In an organization there can be many group policies in use, and sometimes several of them configure the same setting. In that case it is important to understand which policy is going to win. The group policy precedence order LSDOU (Local, Site, Domain, OU: the closer a link is to the object, the later it is processed and the higher its priority) together with group policy inheritance decides which policy wins in the Active Directory structure. Let's look into this further with an example.


As per the figure above, two policies apply to the "Users" OU. Policy 01 is linked to the domain and Policy 02 is linked to the OU. Each policy has its own values defined for the three selected settings. With default group policy inheritance, both policies apply to the Users OU. According to LSDOU, Policy 02 gets the lowest precedence number because it is the policy linked closest to the Users OU, and the lowest number wins. For Password Policy Settings only Policy 01 has a value defined, so even though it is the lower-priority group policy, its value applies to the Users OU. For Windows Firewall Settings only Policy 02 has a value, so it applies to the Users OU as well. For Internet Explorer Settings both policies have values, which is a conflict. The winning value of a conflicting setting is decided by LSDOU, so the winning value comes from Policy 02.

Microsoft allows this default to be overridden by enforcing a policy. An enforced group policy gets the lowest precedence number regardless of where it is linked. Another effect of enforcing is that the policy still applies to OUs that have Block Inheritance set. If a domain-linked policy is enforced, it applies to every OU under the domain and holds the lowest precedence number. If multiple policies are enforced, they take the lowest precedence numbers in order, and among enforced policies the one linked highest in the hierarchy wins (the reverse of the normal LSDOU order).

To enforce a policy, load GPMC, right-click on the selected group policy link and select the "Enforced" option. The link is now enforced and its icon gets a small padlock mark, which makes enforced policies easy to identify in the policy list.


In the example above, Policy 01 has been enforced. It is a domain-linked group policy. Normally Policy 02 would get the lowest precedence value when applied to the Users OU, but with Policy 01 enforced, Policy 01 gets the lowest precedence value. Looking at the winning values for the Users OU: for Password Policy Settings the Policy 01 value is processed, as it is the only one defined. For Windows Firewall Settings Policy 01 has no value defined, so even though it is enforced the winning setting comes from Policy 02, the only policy with a value. Policy 01 and Policy 02 both have values for Internet Explorer Settings, but the enforced Policy 01 sits at the top of the policy list, so the winning value comes from it.

So far we have looked at conflicting settings from different levels of the domain structure. How does it work when the policies are at the same level? They also apply according to a precedence order, but LSDOU is of no use here because the links are at the same level; the winner is decided by its position in the policy list. That order is the "Linked Group Policy Objects" list, which can be viewed on the Linked Group Policy Objects tab of the OU in GPMC.


The order of policies at the same level can be changed in two ways. One is to enforce the policy: an enforced policy takes priority over the other policies at the same level, but it does not change the "Link Order" of the policy. The other is to move the link with the Up and Down buttons on the Linked Group Policy Objects tab. Link order 1 is processed last and therefore wins conflicts, so the link order matches the precedence order of the group policies.
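The same checks from PowerShell, as an added example that is not part of the original post. It uses the GroupPolicy module that ships with GPMC/RSAT; the domain sprint.local, the OU path and the GPO names Policy 01 and Policy 02 are assumptions that follow the example above. The same cmdlets cover the Block Inheritance and Enforced steps shown in the "Tools to help with group policy design" post further down this page.

```powershell
# Added example, not from the original post. Requires the GroupPolicy module
# (installed with GPMC / RSAT) and rights to edit GPO links.
# Assumed names: domain sprint.local, OU "Users", GPOs "Policy 01" (domain link)
# and "Policy 02" (OU link).
Import-Module GroupPolicy

$domainDn = 'DC=sprint,DC=local'
$usersOu  = "OU=Users,$domainDn"

function Show-GpoPrecedence {
    param([Parameter(Mandatory)][string]$Target)
    $inh = Get-GPInheritance -Target $Target
    "Target: $Target  (Block Inheritance: $($inh.GpoInheritanceBlocked))"
    # InheritedGpoLinks is returned in effective precedence order:
    # Order 1 wins every conflict; enforced links are already moved to the top.
    $inh.InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced, Enabled, Target |
        Format-Table -AutoSize | Out-String
}

# 1. Default behaviour (LSDOU): the OU-linked Policy 02 should show Order 1.
Show-GpoPrecedence -Target $usersOu

# 2. Enforce the domain-linked GPO. It now takes Order 1 for the Users OU and
#    also reaches any OU below the domain that has Block Inheritance set.
Set-GPLink -Name 'Policy 01' -Target $domainDn -Enforced Yes | Out-Null
Show-GpoPrecedence -Target $usersOu

# 3. Block inheritance on the OU: non-enforced GPOs from above disappear from
#    the list; Policy 01 stays because it is enforced.
Set-GPInheritance -Target $usersOu -IsBlocked Yes | Out-Null
Show-GpoPrecedence -Target $usersOu

# 4. Several GPOs linked to the same OU: link order decides, not LSDOU.
#    Moving a link to Order 1 makes it win conflicts with its siblings
#    (a no-op while Policy 02 is the only link on the OU).
Set-GPLink -Name 'Policy 02' -Target $usersOu -Order 1 | Out-Null
(Get-GPInheritance -Target $usersOu).GpoLinks | Select-Object Order, DisplayName, Enforced

# To see the winning GPO per setting on an actual computer/user, run on the
# client:  gpresult /h rsop.html   (the report has a "Winning GPO" column).
```

Steps 2 and 3 change live policy, so run them in a lab or wrap them in -WhatIf first; Show-GpoPrecedence on its own is read-only and is the quickest way to answer "which GPO wins here" for any OU.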



Tools to help with group policy design

Designing group policies for an organization can get complex over time, and it can become chaotic, because some changes pushed by group policy to workstations are hard to revert, especially group policy preferences and other settings that write registry values outside the Policies keys, which stay behind after the policy is removed. So a proper design is very important.

Some tools and features of GPO management can help with designing, testing and troubleshooting group policies. Note that none of these are recommended as permanent fixes for a flawed group policy design.

Block Inheritance

Any GPO linked at a higher level of the structure automatically applies to the levels below it. For example, the "Default Domain Policy" is at the top of the structure by default, so any change made to it (which is not recommended) also applies to every level below it in the hierarchy.

In the following screenshot you can see that the Default Domain Policy is automatically inherited by the "Test OU" I created.


We can block this inheritance. To do that, right-click on the OU where the inheritance should be blocked and click "Block Inheritance". Note that blocking does not stop enforced GPOs from applying.


Once that is done, the Default Domain Policy no longer shows up as inherited.


Enforced Policies

With the Enforced option we can force a policy to apply to the lower levels of the hierarchy. For example, assume we have two policies, Policy A and Policy B, linked high in the hierarchy. Lower down, some OUs block inheritance, so by default neither policy applies to them. But we still need Policy A to reach everyone in the organization no matter what. By enforcing it we can push it even to the OUs that use Block Inheritance.

To enforce a policy, right-click on the policy link you need to enforce and click "Enforced".


Then we can see that in Test OU it is inherited even though the OU uses the Block Inheritance option.


Loopback Processing

As we know, group policies can be applied based on the user object or the computer object in Active Directory. On some special occasions we need the user settings to depend on the computer rather than on the user. For example, in a library or a public lab many users share the same computer, and it should behave the same for every user: it should not change based on the policies linked to the user's location, only according to the policies linked to the computer's location.

In Group Policy Management, edit the policy you want to configure loopback processing in (it has to be a GPO that applies to the computers, for example one linked to the lab computers' OU). Under Computer Configuration\Policies\Administrative Templates\System\Group Policy, double-click the option "Configure user Group Policy loopback processing mode".


There are two modes to choose from.


Replace – the user settings from the GPOs linked to the user's location are ignored; only the user settings from the GPOs that apply to the computer are processed.
Merge – the GPOs from the user's location are processed first, then the user settings from the computer's GPOs; where they conflict, the computer's GPOs win because they are processed last.


Group Policy Slow Link Detection

In an Active Directory infrastructure we use group policies to push security settings and other configuration from a central location. They can apply at computer level or user level. In an organization it is important to keep the group policy design and hierarchy tidy, because complexity and processing order can cause issues on the network.

This is especially important in a multi-site environment, because group policy processing can become a bottleneck on the bandwidth between remote sites and the main site, something most administrators do not pay attention to. I agree it depends on the group policies and their use, but as an example, assume we have 10 group policies to apply to users at a remote site. The link between the locations is 512 kbps; imagine 100 workstations logging on in the morning and all processing these group policies. How much bandwidth will that use? And what about a user logging on from a remote location: can we expect them to always get a good speed?

Well, Microsoft has an answer for this. Before applying group policy, the client estimates the bandwidth of its link to the domain controller; by default any link below 500 kbps is treated as a slow link. When a slow link is detected, several client-side extensions skip their processing by default. So if you have trouble getting all group policies applied on workstations at a remote location (or even on the local network, if a NIC is saturated by its own activity or by malware), this is one place to check.

Here is the list of components that are processed and not processed by default when a slow link is detected. Administrative Templates and Security Settings are always processed regardless of link speed; for most of the others the behaviour can be changed per component with the "Allow processing across a slow network connection" settings under Administrative Templates\System\Group Policy.

Processed over a slow link by default:

Administrative Templates
Group Policy Preferences
802.3 Group Policy
IE maintenance
Internet Explorer Zone Mapping
IP Security
QoS Packet Scheduler
Microsoft Offline Files
Software Restriction Policies
Windows Search

Not processed over a slow link by default:

Deployed Printer Connections
Disk Quotas
Folder Redirection
Software Installation

How to change this default limit?

We can change the default limit to suit our infrastructure. To do this,

Log in to the DC as a domain admin or enterprise admin.

Then open Server Manager > Tools > Group Policy Management.


Go to the relevant policy, right-click on it and click Edit.


This setting can be changed at computer configuration level or user configuration level; both are under the same path, Policies\Administrative Templates\System\Group Policy.

In here there is an option called "Configure Group Policy slow link detection".


Double-click it to change it. By default it is Not Configured. Whether you disable it or leave it not configured, the system still treats any link below 500 kbps as a slow link.


Once it is enabled, you can set the threshold in kbps (kilobits per second, not kilobytes).


If you set the speed to 0 it disables slow link detection and every connection is treated as a fast link. The setting can also force the system to treat all WWAN connections as slow links.
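Both of these Administrative Template settings, the loopback mode from the "Tools to help with group policy design" post above and the slow link threshold from this post, are plain registry values under the Policies hive, so they can be set and audited from PowerShell. The following is an added example, not from the original post; the GPO name "Lab Computers Policy" and the 1024 kbps threshold are assumptions, and the Get-GpEngineSettings helper is mine. The value names are the ones the ADMX templates write (UserPolicyMode for loopback, GroupPolicyMinTransferRate for the slow link threshold).

```powershell
# Added example, not from the original post. Requires the GroupPolicy module.
# Assumed GPO name and threshold; the value names are those written by the
# "Configure user Group Policy loopback processing mode" and
# "Configure Group Policy slow link detection" ADMX settings.
Import-Module GroupPolicy

$gpoName = 'Lab Computers Policy'                       # assumed
$gpKey   = 'HKLM\Software\Policies\Microsoft\Windows\System'

# Loopback: UserPolicyMode 1 = Merge, 2 = Replace. Replace is what a shared
# lab/kiosk wants: only user settings from the computer's GPOs are applied.
Set-GPRegistryValue -Name $gpoName -Key $gpKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null

# Slow link threshold in kilobits per second (the GUI labels it kbps).
# The default when Not Configured or Disabled is 500 kbps; 0 disables
# detection. 1024 makes a 512 kbps branch link count as slow, so software
# installation and folder redirection are skipped over it.
Set-GPRegistryValue -Name $gpoName -Key $gpKey -ValueName 'GroupPolicyMinTransferRate' `
    -Type DWord -Value 1024 | Out-Null

# Read back what the GPO now carries (the authoring side).
Get-GPRegistryValue -Name $gpoName -Key $gpKey |
    Select-Object ValueName, Type, Value

function Get-GpEngineSettings {
    # Client-side check: after "gpupdate /force" the same values land in the
    # local Policies hive; "gpresult /r" also reports "Connected over a slow link?".
    $v = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    $loopback = 'Not configured'
    if ($v.UserPolicyMode -eq 1) { $loopback = 'Merge' }
    if ($v.UserPolicyMode -eq 2) { $loopback = 'Replace' }
    $rate = $v.GroupPolicyMinTransferRate
    $threshold = '500 kbps (default)'
    if ($null -ne $rate -and $rate -eq 0) { $threshold = 'disabled (all links treated as fast)' }
    if ($null -ne $rate -and $rate -gt 0) { $threshold = "$rate kbps" }
    [pscustomobject]@{ LoopbackMode = $loopback; SlowLinkThreshold = $threshold }
}
Get-GpEngineSettings
```

Run the first part on a machine with the GroupPolicy module and the Get-GpEngineSettings function on a client after a refresh; if the two disagree, the GPO is not reaching that computer (scope, filter or a slow link that skipped it).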


How to use Group Policies in a domain environment?

In a domain environment it is a great advantage that administrators can use group policies to apply settings and control the network: security policies, system customizations and a lot more. There are several main reasons to go with group policies.

1)    Centrally maintained – the settings only need to be configured in Active Directory and they apply to the whole network without configuring individual PCs; they are applied at domain level.
2)    Can prevent users from changing sensitive settings – some users change settings such as firewall, antivirus and proxy settings. Policies can prevent users from changing this kind of setting.
3)    Rules can be applied to users or computers – group policies give the option to apply rules at PC level or at user level. PC rules affect the machine (registry etc.) and user rules follow the user to any PC they log in to on the network.
4)    Users are not able to bypass or edit the rules – without permissions it is hard for users to change these policies or to bypass them, so it is more secure (a local administrator can change the local registry keys, but managed policy settings are re-applied at the next refresh).
5)    No changes are needed when new users or computers are added – nothing has to be done on the client side. As soon as a computer is joined to the domain it gets all these rules applied.
6)    Easy to configure – it comes with a lot of predefined settings, so as an administrator it is easy to get what you need done by enabling and disabling them.
7)    Rules can even be applied based on operating system version – sometimes a rule causes issues on some versions of an operating system, so with a WMI filter you can apply a GPO only if the client PC runs a particular Windows version. For example, you can define a rule to accept Remote Desktop connections only if the client PC runs Windows XP SP2.

Let's see how to create group policies in practice. Depending on the requirements we can have some group policies that apply to the entire environment, including the parent and child (sub) domains, and some that apply only to the child domains. Let's start with the policies that apply to the whole environment.

I will be creating these policies from the primary domain controller.

To open the Group Policy editor: Start > Administrative Tools > Group Policy Management.


It will load up the “Group Policy Management” interface.


Since we need to create and apply group policies for the child domains as well, we can add those domains to the same window to make the process easy. To do that, right-click on "Domains" and click "Show Domains".


It will load up the available domains.


Here I have only one child domain set up for the demo. Click "Select all" and click OK to continue.

It lists the child domain in the same interface, as below.


Here I will set up a common group policy that includes all the common policy settings for the entire network, parent and child domains included.

To do that, expand the "sprint.local" tree, right-click on the domain and select "Create a GPO in this domain, and Link it here".


It opens a window to define the new group policy name etc. Here I chose "Sprint Common Policy" as the name. Click OK to continue.


There is a reason to create the GPO here: linked at the domain level it is inherited by all organizational units by default, just like the Default Domain Policy.

Once it's done, right-click on the new policy and click Edit.


It opens the window where the policy settings can be edited.


Strong Password Policy

When dealing with computers it's really important to consider data safety. You may lose your laptop somewhere and someone may get to the valuable data on it; someone in the office, or a third party, may steal confidential data from your computer; and there are plenty of attackers out there trying to break into corporate networks and gain access to data. So computer data security has become very important. In any computer system the most basic precaution is to use strong passwords for logins. Even in offices we see people using very poor passwords, for example a date of birth, 123456 or abc, which are easy to guess and give access to the computer's data. A complex or strong password reduces the chance of someone breaking into your computer. In an Active Directory environment this is defined by group policy so that users have to use strong passwords; the same thing can be done on a standalone computer with the local security policy.
To get to this policy, load the group policy editor as described and go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy


This is the location where the password policy is configured; the account used needs administrator privileges. The important point is that the policy applies to all accounts it covers, so it's easy to manage. Note that for domain accounts only the settings in a GPO linked at the domain level (normally the Default Domain Policy) take effect; a password policy in an OU-linked GPO only affects the local accounts on the computers in that OU. To give different groups of domain users different rules, use fine-grained password policies (Password Settings Objects, available since Windows Server 2008) instead.

A complex password should contain upper case characters, lower case characters, numbers and symbols, and typically it should be at least 7 characters long (8 or more is the usual minimum today).

When implementing a strong password policy it's important to discuss it with the other users in the organization as well, because a complex password is harder to remember, so some people get used to writing it down on paper and keeping it on the desk, where someone else can easily find it and gain access. It's better to discuss this up front and avoid that kind of issue too.

Let's go through each of the options available in this policy.

Enforce Password History

This setting determines the number of unique new passwords that must be used before an old password can be reused. Some users keep the same password for a long time, which is also a security risk, so the administrator can configure this to prevent it. On a domain controller it is set to 24 passwords remembered by default. It's better to set it to at least 10.

Maximum Password Age

This setting decides the validity period of a password, in days, before it has to be changed. After that period the computer asks the user to change the password at logon. The default value is 42 days. It's better to keep it at 30 days.

Minimum Password Age

This setting controls the number of days that must pass before a user can change the password again. The default is 1 day. If Enforce Password History is enabled this value must be greater than 0, otherwise users can cycle through new passwords in a few minutes to get back to their old one; it must also be lower than the Maximum Password Age value.

Minimum Password Length

This setting controls the minimum number of characters a password must have. It's better to keep it between 7 and 14.

Password must meet complexity requirements

This setting determines the complexity of new passwords. If it is enabled, a new password must meet the following minimum requirements:
•    It must not contain the user's account name or parts of the user's full name that exceed two consecutive characters.
•    It must be at least 6 characters long (Minimum Password Length overrides this when it is set higher).
•    It must contain characters from at least 3 of the following 4 categories:

•    English uppercase characters (A through Z)
•    English lowercase characters (a through z)
•    Base 10 digits (0 through 9)
•    Non-alphanumeric characters (for example !, $, #, %)

Store passwords using reversible encryption

This setting determines whether passwords are stored with reversible encryption, which is essentially the same as storing them in plain text: anyone who can read the directory database can recover the password. It is only needed when an application requires knowledge of the user's password (for example CHAP or IIS Digest authentication), so leave it disabled unless such a requirement exists, and then enable it only for the specific accounts that need it.

With these settings a complex password policy is applied to the system. After configuring it, log off and log back on to apply the changes.

Based on the above, I have decided to go with the following settings:

Enforce Password History
Maximum Password Age: 30 days
Minimum Password Age: 1 day
Minimum Password Length: 8 characters
Password must meet complexity requirements
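An added example, not from the original post, to go with the settings above: a PowerShell function that applies the same complexity rules to a candidate password (the name-token check and the three-of-four character classes), followed by the ActiveDirectory cmdlets that read and set the domain password policy. The domain name sprint.local is taken from the post; the user jsmith / "John Smith" and the sample passwords are constructed; 24 for the password history is the domain default because the post does not state its own value; and -WhatIf keeps the Set call from changing anything until you remove it.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module
# (RSAT) for the Get/Set-ADDefaultDomainPasswordPolicy part; the
# Test-PasswordComplexity function runs anywhere.

function Test-PasswordComplexity {
    # Approximates the "Password must meet complexity requirements" checks
    # plus the minimum length, and reports every rule a candidate breaks.
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$DisplayName = '',
        [int]$MinimumLength = 8
    )
    $reasons = @()
    if ($Password.Length -lt $MinimumLength) { $reasons += "shorter than $MinimumLength characters" }

    # Rule 1: no account name (3+ chars) and no full-name token longer than two
    # characters, case-insensitive. Windows splits the full name on commas,
    # periods, dashes, underscores, spaces, hashes and tabs.
    $tokens = @()
    if ($SamAccountName.Length -ge 3) { $tokens += $SamAccountName }
    $tokens += @($DisplayName -split '[ ,.\-_#\t]+' | Where-Object { $_.Length -ge 3 })
    foreach ($t in $tokens) {
        if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += "contains name token '$t'"
        }
    }

    # Rule 2: characters from at least three of the four classes listed above.
    # -cmatch is case-sensitive; plain -match would let [A-Z] match lowercase.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons += "only $classes of 4 character classes" }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample candidates for the assumed user jsmith / "John Smith".
# Expected: Summer2024! and Tr0ub4dor&3 pass; Smith2024! fails on the name
# token; correcthorsebatterystaple fails with only one character class.
'Summer2024!', 'Smith2024!', 'correcthorsebatterystaple', 'Tr0ub4dor&3' |
    ForEach-Object { Test-PasswordComplexity -Password $_ -SamAccountName 'jsmith' -DisplayName 'John Smith' } |
    Format-Table -AutoSize

# Domain password policy as chosen above. 24 is the domain default for the
# history count (the post does not state its own value). Remove -WhatIf to apply.
Import-Module ActiveDirectory
Set-ADDefaultDomainPasswordPolicy -Identity 'sprint.local' `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 8 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -WhatIf

# Verify the effective domain policy (what the Default Domain Policy carries).
Get-ADDefaultDomainPasswordPolicy -Identity 'sprint.local' |
    Select-Object PasswordHistoryCount, MaxPasswordAge, MinPasswordAge, MinPasswordLength, ComplexityEnabled, ReversibleEncryptionEnabled
```

Get-ADDefaultDomainPasswordPolicy is the quickest way to confirm that the values you set in the GPO actually became the domain policy; if an OU-linked GPO was edited instead, the output will still show the old domain values.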


Control Client Firewall Settings

This is another good setting we can control with group policy. Sometimes users on the network disable the firewall or modify it as they wish, and running different levels of firewall settings across the organization is a security risk. With this group policy we can easily control the firewall settings, and users will not be able to modify them on their end.

To get to this policy, open the group policy editor and go to Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile. These are the legacy Windows Firewall settings from Windows XP SP2 / Server 2003; on Windows Vista and later they are still honored, but the preferred place to manage the firewall is Windows Defender Firewall with Advanced Security under Computer Configuration > Policies > Windows Settings > Security Settings, which supports rules scoped by address, program and service.


Let's look at some of these settings and what they control.

Windows Firewall: Protect all network connections

This is the setting that turns the firewall on for all network connections. When it is enabled, users cannot turn the firewall off on their end.

Windows Firewall: Do not allow exceptions 

With this setting the firewall drops all inbound traffic except what is explicitly allowed; the exception settings below are ignored while it is enabled, so it is meant for lockdown situations.

Windows Firewall: Define inbound program exceptions

This setting defines the programs that are exempted from inbound blocking. The program paths are specified here.

Windows Firewall: Allow local program exceptions

Sometimes there are programs on individual computers that need to be allowed locally. Enabling this lets local administrators add program exceptions on the computer in addition to the ones defined by policy.

Windows Firewall: Allow inbound remote administration exception

This allows remote administration of the computer over RPC and DCOM, which is what MMC snap-ins and Windows Management Instrumentation (WMI) use. The setting lets you define the IP addresses that are allowed; limit it to the administrative subnets rather than "*", because it opens the same ports attackers use for lateral movement.

Windows Firewall: Allow inbound file and print sharing exception

This allows inbound file and printer sharing traffic (SMB and NetBIOS) on the computers; here too the allowed source addresses can be limited.

Windows Firewall: Allow ICMP exceptions

This lets you define which kinds of inbound ICMP messages are allowed (for example echo requests, so the machine answers ping).

Windows Firewall: Allow inbound Remote Desktop exception

This allows inbound Remote Desktop connections (TCP 3389); the allowed source addresses can be limited here as well.

Windows Firewall: Allow inbound UPnP framework exception

This allows inbound traffic for the UPnP framework.

Windows Firewall: Prohibit notifications

This suppresses the notification the firewall shows the user when a program is blocked from listening.

Windows Firewall: Allow logging

This enables logging of dropped packets and successful connections to a log file, which is useful for troubleshooting and for detection.

Windows Firewall: Prohibit unicast response to multicast or broadcast requests

This prevents the computer from sending a unicast response to multicast or broadcast requests it receives.

Windows Firewall: Allow local  port exceptions

This lets local administrators open additional ports on individual PCs, for the cases where a machine needs a special port open.

With all the above options, I am planning to go with the following settings:

Windows Firewall: Protect all network connections
Windows Firewall: Define inbound program exceptions – Enabled and configured with the programs that need exceptions
Windows Firewall: Allow local program exceptions
Windows Firewall: Allow inbound remote administration exception
Windows Firewall: Allow inbound file and print sharing exception
Windows Firewall: Allow local port exceptions
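The same intent written into a GPO from PowerShell, as an added example that is not part of the original post. It uses the NetSecurity module (Windows 8 / Server 2012 and later), which authors the Windows Defender Firewall with Advanced Security node of the GPO rather than the legacy Administrative Template settings listed above; the GPO name Sprint Common Policy comes from the post, while the admin subnet 10.10.20.0/24 and the rule names are assumptions. Its point is that the remote administration, file sharing and Remote Desktop exceptions are scoped to an administrative subnet instead of being open to everything.

```powershell
# Added example, not from the original post. Writes the domain-profile
# firewall settings into a GPO with the NetSecurity module. Assumed: GPO
# "Sprint Common Policy" in sprint.local and admin subnet 10.10.20.0/24.
Import-Module NetSecurity

$store    = 'sprint.local\Sprint Common Policy'       # domain\GPO display name
$adminNet = '10.10.20.0/24'                           # assumed

# Open the GPO once, batch all changes, save once (a single SYSVOL write).
$gpo = Open-NetGPO -PolicyStore $store

# "Protect all network connections", "Prohibit notifications", "Allow logging",
# "Allow local program/port exceptions", and block inbound by default.
Set-NetFirewallProfile -GPOSession $gpo -Profile Domain `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -NotifyOnListen False `
    -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 16384 `
    -AllowLocalFirewallRules True

# "Allow inbound remote administration exception": RPC endpoint mapper plus
# dynamic RPC ports, and SMB for admin tools, scoped to the admin subnet
# instead of the "*" the legacy setting would allow.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Remote admin: RPC endpoint mapper' -Group 'Sprint remote admin' `
    -Direction Inbound -Protocol TCP -LocalPort RPCEPMap -RemoteAddress $adminNet -Action Allow -Profile Domain | Out-Null
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Remote admin: RPC dynamic ports' -Group 'Sprint remote admin' `
    -Direction Inbound -Protocol TCP -LocalPort RPC -RemoteAddress $adminNet -Action Allow -Profile Domain | Out-Null

# "Allow inbound file and print sharing exception", same scope.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Remote admin: SMB' -Group 'Sprint remote admin' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $adminNet -Action Allow -Profile Domain | Out-Null

# Remote Desktop from the admin subnet only.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Remote admin: RDP' -Group 'Sprint remote admin' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -RemoteAddress $adminNet -Action Allow -Profile Domain | Out-Null

Save-NetGPO -GPOSession $gpo

# Review what the GPO now contains (authoring side).
Get-NetFirewallRule -PolicyStore $store |
    Select-Object DisplayName, Direction, Action, Enabled, Profile
```

On a client, after gpupdate /force, Get-NetFirewallProfile -Profile Domain and Get-NetFirewallRule -PolicyStore ActiveStore show the merged result; with AllowLocalFirewallRules left True, local rules added by machine administrators still apply, so set it to False for the strict "no local exceptions" variant.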


Control Windows Update Settings

To keep the network secure it's important that all systems run with the latest updates and bug fixes. Sometimes users adjust the update settings, or even disable them. Controlling this from the server side with group policy prevents that and runs the whole domain under one update policy. Here my idea is to use a WSUS server that downloads the updates and configure all the other PCs to get their updates from that server.
To get to this policy, load the group policy editor and go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update


Let's see what these settings do.

'Install Updates and Shut Down' option is displayed in the Shut Down Windows dialog box

This setting controls whether the Install Updates and Shut Down option is shown when you shut down the PC.

'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog box

This setting controls whether Install Updates and Shut Down is the default choice in the shutdown dialog.

Configure Automatic Updates

This is the main setting for automatic updates on the computer. Here we define when to check for updates and whether they are installed as soon as they are downloaded, on a schedule, or only after the user approves. It is the same choice a user can make in the Windows Update settings of any computer.

Specify intranet Microsoft Update service location

This is the important one for environments that use a WSUS server for updates. Here we define the URL of the WSUS server the clients download updates from (and the one they report status to). Use an https:// URL: with plain http the update traffic can be tampered with on the network path.

Enable Client side Targeting

This also applies to intranet update services. When it is configured, the client reports the target group name it belongs to, and the WSUS server hands out the updates approved for that group.

Reschedule Automatic Updates Scheduled installations

Specifies how long Automatic Updates waits after system startup before proceeding with a scheduled installation that was missed earlier.

No auto-restart for scheduled Automatic Updates installation

This setting prevents an automatic restart after updates are installed while a user is logged on; the user is notified instead.

Automatic Updates Detection Frequency

This setting defines how long to wait between checks for available updates.

Delay Restart for Scheduled installation

This setting defines how long to wait after installing updates before restarting.

Re-Prompt for restart with Scheduled installation

Specifies how long Automatic Updates waits before prompting again for a scheduled restart.

Allow non-administrators to receive update notifications

This setting allows users who are not administrators to receive update notifications according to the Configure Automatic Updates setting and to install the updates.

Based on those settings I am going with the following configuration:

Configure Automatic Updates – Enabled and set to check and install updates every day at 12 pm (company lunch hour)
Specify intranet Microsoft Update service location – Enabled and defined with the intranet server location
Allow Automatic Updates immediate installation
Re-prompt for restart with scheduled installations – Enabled and configured to remind every 4 hours
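The configuration above written into the GPO from PowerShell, as an added example that is not part of the original post. It sets the registry values the Windows Update ADMX template writes (WUServer, AUOptions, ScheduledInstallTime and so on) with Set-GPRegistryValue and then checks the result. The GPO name Sprint Common Policy is from the post; the WSUS URL https://wsus.sprint.local:8531, the target group "Workstations" and the Test-WsusPolicy helper are assumptions.

```powershell
# Added example, not from the original post. Writes the Windows Update policy
# chosen above into a GPO as the registry values the ADMX template uses.
# Assumed: GPO "Sprint Common Policy", WSUS at https://wsus.sprint.local:8531,
# WSUS target group "Workstations".
Import-Module GroupPolicy

$gpoName = 'Sprint Common Policy'
$wuKey   = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'
$auKey   = "$wuKey\AU"
# HTTPS, so a client cannot be redirected to a rogue update source on the path.
$wsusUrl = 'https://wsus.sprint.local:8531'   # assumed

# "Specify intranet Microsoft Update service location" + "Enable client-side targeting"
Set-GPRegistryValue -Name $gpoName -Key $wuKey -Type String -ValueName 'WUServer'           -Value $wsusUrl       | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wuKey -Type String -ValueName 'WUStatusServer'     -Value $wsusUrl       | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wuKey -Type DWord  -ValueName 'TargetGroupEnabled' -Value 1              | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wuKey -Type String -ValueName 'TargetGroup'        -Value 'Workstations' | Out-Null

# "Configure Automatic Updates": AUOptions 4 = auto download and schedule the
# install, every day (ScheduledInstallDay 0) at 12:00 (ScheduledInstallTime 12).
Set-GPRegistryValue -Name $gpoName -Key $auKey -Type DWord -ValueName 'NoAutoUpdate'         -Value 0  | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -Type DWord -ValueName 'AUOptions'            -Value 4  | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -Type DWord -ValueName 'ScheduledInstallDay'  -Value 0  | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -Type DWord -ValueName 'ScheduledInstallTime' -Value 12 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -Type DWord -ValueName 'UseWUServer'          -Value 1  | Out-Null

# "Allow Automatic Updates immediate installation" and
# "Re-prompt for restart with scheduled installations" every 4 hours (240 min).
Set-GPRegistryValue -Name $gpoName -Key $auKey -Type DWord -ValueName 'AutoInstallMinorUpdates'      -Value 1   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -Type DWord -ValueName 'RebootRelaunchTimeoutEnabled' -Value 1   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $auKey -Type DWord -ValueName 'RebootRelaunchTimeout'        -Value 240 | Out-Null

function Test-WsusPolicy {
    # Sanity check the GPO: flag a plain-http WSUS URL and a missing UseWUServer,
    # the two mistakes that leave clients either exposed or still on Microsoft Update.
    param([Parameter(Mandatory)][string]$GpoName)
    $wu = Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $server  = ($wu | Where-Object ValueName -eq 'WUServer').Value
    $useWsus = ($au | Where-Object ValueName -eq 'UseWUServer').Value
    $findings = @()
    if (-not $server)                      { $findings += 'no WUServer defined' }
    elseif ($server -notmatch '^https://') { $findings += "WUServer is not HTTPS: $server" }
    if ($useWsus -ne 1)                    { $findings += 'UseWUServer is not 1; clients will ignore WUServer' }
    if ($findings.Count -eq 0) { 'OK' } else { $findings }
}
Test-WsusPolicy -GpoName $gpoName
```

On a client, the same values appear under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate after a refresh, and "wuauclt /detectnow" (or "usoclient StartScan" on Windows 10) makes the client check in with the WSUS server right away.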

Prevent Software installation on user side

It's important to prevent users from installing applications on network PCs, because this can cause system issues and security issues for the organization. When installations are blocked, users have to contact the administrator for any software installation; the administrator reviews the request and either permits the installation or installs the software themselves.

To get to this policy, load the group policy editor and go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Installer


From this list I will take the few that are needed most when configuring the policy.

Disable Windows Installer

This setting can disable the use of Windows Installer to install any kind of application, or restrict it to managed (administrator-deployed) applications only.

Always install with elevated privileges

This makes Windows Installer use SYSTEM permissions whenever it installs an application. Leave it disabled: when it is enabled in both the computer and the user configuration, any MSI package a standard user runs is installed with SYSTEM privileges, which is a well-known way to escalate privileges on a workstation.

Prohibit Patching

This prohibits installing software patches (.msp files) using Windows Installer.

Disable IE Security prompt for Windows installer scripts

This setting lets Windows Installer run installation scripts launched from Internet Explorer without prompting the user; it removes a warning the user would otherwise see, so it should normally stay disabled.

Allow Admin to install from terminal server session

This allows Terminal Services administrators to install applications while logged in remotely. This is an important setting for support.

Logging

This setting defines what types of events Windows Installer records in its log for each installation.

Prohibit removal of updates

This setting prevents users from removing updates (patches) that were applied with Windows Installer.

Based on the above settings I have come up with the following rule set for the network:

Disable Windows Installer
Prohibit Patching
Allow Admin to install from terminal server session
Prohibit removal of updates
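A client-side audit of the two Windows Installer settings that matter most from a security point of view, as an added example that is not part of the original post. It reads the effective policy values on a workstation and flags the dangerous combination of "Always install with elevated privileges" in both hives; the Get-MsiPolicyAudit helper name is mine, and the value names DisableMSI and AlwaysInstallElevated are the ones the Windows Installer ADMX template writes.

```powershell
# Added example, not from the original post. Audits a workstation's effective
# Windows Installer policy. AlwaysInstallElevated is the setting to watch: when
# it is 1 in BOTH the machine and the user hive, any MSI a standard user runs
# installs as SYSTEM, a well-known local privilege escalation path.
# DisableMSI: 0 = always enabled, 1 = disabled for non-managed apps only,
# 2 = Windows Installer fully disabled.
function Get-MsiPolicyAudit {
    $hklm = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -ErrorAction SilentlyContinue
    $hkcu = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\Installer' -ErrorAction SilentlyContinue

    $machineElevated = ($hklm.AlwaysInstallElevated -eq 1)
    $userElevated    = ($hkcu.AlwaysInstallElevated -eq 1)
    $disableMsi      = 0
    if ($null -ne $hklm.DisableMSI) { $disableMsi = [int]$hklm.DisableMSI }

    $findings = @()
    if ($machineElevated -and $userElevated) {
        $findings += 'AlwaysInstallElevated set in HKLM and HKCU: standard users can install any MSI as SYSTEM'
    } elseif ($machineElevated -or $userElevated) {
        $findings += 'AlwaysInstallElevated set in one hive only (not effective yet, but remove it)'
    }
    if ($disableMsi -eq 0) {
        $findings += 'DisableMSI not set: users can run Windows Installer packages'
    }

    [pscustomobject]@{
        AlwaysInstallElevated_HKLM = $machineElevated
        AlwaysInstallElevated_HKCU = $userElevated
        DisableMSI                 = $disableMsi
        Findings                   = $findings
    }
}
Get-MsiPolicyAudit | Format-List
```

Run it as the standard user whose risk you want to assess, since the HKCU half is per user; an empty Findings list on a managed workstation is the state the rule set above is meant to produce.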




Now we have built the sample common policy that should apply to the entire network. But in a parent-child domain environment, a child (sub) domain does not apply its parent's GPOs by default. There is a reason for that: by design, child domains may be in different geographical locations connected to the parent domain over slow links, so the administrator gets to decide how to apply policies to child domains.

There are a few ways to do this.

1)    Back up the GPOs created in the parent domain and import them into the child domain. This way no traffic flows from the child domain to the parent domain to read the GPO settings, but the two copies have to be kept in sync manually.
2)    Link the GPO from the parent domain to the child domain. This keeps the settings up to date across the entire network, but clients in the child domain read the policy from the parent domain's SYSVOL, so it is only beneficial where there are no slow links between the parent and child domains.

Given the scenario we can go with option 2 and link the policies created in the parent domain into the child domain. The child domain connects to the parent over a high-speed LAN link, so bandwidth usage will not be an issue.

To do that, in the Group Policy Management window right-click on the "sales.sprint.local" tree and click "Link an Existing GPO".


A new pop-up opens; in the "Look in this domain:" drop-down select "sprint.local", in Group Policy objects select "Sprint Common Policy", then click OK to continue.


Then in the Group Policy Management window you can see it is linked properly under the child domain too.