Item-Level Targeting with Group Policy Preferences
Item-level targeting is a one of the feature of Group Policy preferences that allows preference settings to be applied to individual users and/or computers within the scope of the Group Policy Object (GPO) that contains the preferences. Policy settings can also be filtered, but there are several important differences between item-level targeting of preference settings and the filters that can be used with policy settings:
- Policy settings within a GPO can only be filtered on an all-or-nothing basis: either the entire GPO will apply to a target or it won’t. Item-level targeting allows individual preference settings within a GPO to be applied or not, based on specified criteria. Different preference settings can be applied to different groups of targets.
- Policy settings are filtered using either security filters or WMI filters. Security filters are static and not very granular. WMI filters are dynamic and can be very granular, but the WMI Query Language in which they are written is complex and has a steep learning curve. But Item-level targeting provides a great deal of granularity and an intuitive user interface for constructing filters.
Item-level targeting allows an administrator to specify a list of conditions that must be met in order for a preference setting to be applied to a user or computer object. The conditions in the list are connected by Boolean AND or OR operators. When the list is evaluated, if the result is true, the setting is applied; if the result is false, it isn’t.
A wide variety of criteria are available for targeting settings to users and computers, including the following:
- User and/or computer name
- Security group membership
- Operating system version, edition, and service pack level
- Date, time and/or day of the week
- Presence or absence of a file or folder
- Network connection type, MAC address, and/or IP address
The above list is far from all-inclusive. There are 27 types of targeting criteria available as of this writing, and many of the types contain multiple individual items.
To configure item-level targeting, perform the following steps:
- In the Group Policy Management Console, open the Group Policy Objects folder and locate the GPO containing the appropriate preference settings.
- Right-click the GPO and select Edit.
- In the Group Policy Management Editor, locate the preference setting that will have item-level targeting applied.
- Right-click the preference setting and select Properties.
- In the Common tab of the properties window, check the box labeled Item-level targeting and click the Targeting… button.
6. The Targeting Editor will open, as shown below.
7. In the Targeting Editor, click New Item and select the type of targeting item you wish to create from the list that appears. Below are few samples.
8. The resulting options will depend on what type of item was selected. The following example shows the options for targeting based on operating-system version:
9. The menu options in the Targeting Editor are as follows:
- Clicking New Item will add another targeting item to the list of conditions. By default, items are joined with a Boolean AND, but this can be changed.
- Clicking Add Collection adds a collection to the list. Collections are a means of grouping items logically, much like adding parentheses around a set of conditions. To add an item to a collection, either right-click the collect and select Add Item or drag an existing item into the collection.
- The Item Options menu allows you to select whether an item or collection should be connected to the list with an AND or OR operator and whether it should include a NOT operator. You may also add a label to an item or condition using this menu.
10. Click OK to close the Targeting Editor when done adding items to the list.