Identify non-domain remote clients with Item-Level targeting

Question

I would like to apply a group policy preference setting (to deploy a shared printer) only if a user is connecting to a RDSH server from a non domain-joined client computer. Many of these clients will come in through an RD Gateway Server.

Item-level targeting looks promising, particularly the Terminal Session item's Client Name parameter. But the connecting clients are users' home computers over which I have no control of the names. Further this parameter doesn't include the client's domain, so using "IS NOT mydomain" isn't an option.

How can I apply my GPP setting only when the client computer from which the user is connecting to the RDSH server is not domain-joined?

I think you will need 802.1x/Network Access Protection for this. — Ryan Ries, May 14 '15 at 21:10
I'm all ears! How would 802.1x/NAP help me distinguish non-domain clients for purposes of applying GP? — I say Reinstate Monica, May 14 '15 at 23:15

score 0 · Accepted Answer · answered Aug 08 '15 at 02:25

If your non-domain clients connect from an IP address that is not in your domain network's IP address range, then you can do the following to apply a Group Policy Preference Item to a user's session when he connects from a remote, non-domain workstation.

Link your Group Policy Object to a WMI filter that is only true when evaluated on the RDSH server (e.g. use a query like SELECT * FROM Win32_ComputerSystem WHERE NAME='RDSERVER')
On the Group Policy Preference Item to be applied to non-domain remote sessions, enable Item Level Targeting, then:
1. Add the IP Address Range item
2. Specify Is Not in Item Options
3. Provide the complete IP address range of the domain network
  
  Note: You can add the IP Address Range item multiple times to exclude several IP address ranges if the domain network uses multiple, non-contiguous IP subnetworks.

Identify non-domain remote clients with Item-Level targeting

1 Answers1