3

(I should preface this by saying I recently shifted jobs and have come from a much smaller company with a mostly Linux environment to a larger company with a very standard Windows Server environment, and I'm still catching up a bit when it comes to Active Directory and Group Policy.)

What is the best way to create a separate GPO for Win7 machines and Win10 machines? Basically, we are trying to manage the 'slider at the bottom' UAC setting, but as we've discovered, that's quite different on Win7 and Win10. From what I can tell there isn't a 'native' way to detect OS in Group Policy. We already have our computers organized by department in Active Directory. I'm not sure if I can create a second organizational unit and have the computer object for PCxxx exist in two places.

The best idea I've come up with seems extremely cumbersome, and that is to delegate the two policies manually and break them down per computer. This seems really cumbersome in Group Policy Management itself though. Is there a better way to do this, or a better way to solve my overall issue?

Sam K
  • Could you point to the exact setting? `Computer Configuration - Administrative Templates - etc...` – duenni May 22 '17 at 14:09
  • Yes, as far as I can tell when you move the UAC slider to the bottom in Win 7 `Computer Config > Policies > Windows Settings > Security Settings > Local Policies/Security Options > UAC > Run All administrators in Admin Approval Mode` is disabled, where in Win 10 having the UAC slider at the bottom this option is still Enabled (disabling this option appears to disable native Windows Apps like Calc and Edge). – Sam K May 22 '17 at 14:14

1 Answer

4

You can do this by creating two OS-specific GPOs and using WMI filters to assign them to the appropriate machines.

One GPO will include the settings for Windows 7, and have a WMI filter that ensures it only applies to machines running Windows 7. Likewise, the second GPO will include the settings for Windows 10, and have a WMI filter that ensures it only applies to machines running Windows 10.

Microsoft's Docs site has a decent guide to creating WMI filters that check the installed OS version.

In short, your WMI query for Windows 7 will be:

```
select * from Win32_OperatingSystem where Version like "6.1%" and ProductType="1"
```

And your WMI query for Windows 10 will be:

```
select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"
```

SamErde
  • Ahh! Wonderful, this looks like it'll set me on the right track! Thank you! – Sam K May 22 '17 at 14:39
  • 1
    Just wanted to add an aside in case anyone else stumbles upon this post. The Win7 version is 6.1. In addition to the article @SturdyErde linked, this has a good list of OS filters: https://social.technet.microsoft.com/wiki/contents/articles/31701.windows-wmi-filter-strings.aspx – Sam K May 23 '17 at 13:38
  • You're absolutely right! Rushing == mistakes. Answer fixed. – SamErde May 24 '17 at 01:42
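
A way to check the two WMI filter queries from the answer against real machines before linking the GPOs, as an added example that is not part of the original thread. The function name `Test-OsWmiFilter`, the GPO labels and the computer names are hypothetical; remote checks assume WinRM is reachable on the targets.

```powershell
function Test-OsWmiFilter {
    param(
        # Machines to check; defaults to the local computer.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # The two queries from the answer, keyed by a hypothetical GPO label.
    $filters = [ordered]@{
        'Win7 UAC GPO'  = 'select * from Win32_OperatingSystem where Version like "6.1%" and ProductType="1"'
        'Win10 UAC GPO' = 'select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"'
    }

    foreach ($computer in $ComputerName) {
        # Query the local machine directly; use WinRM only for remote targets.
        $target = @{}
        if ($computer -ne $env:COMPUTERNAME) { $target.ComputerName = $computer }

        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem @target -ErrorAction Stop

            # A WMI filter passes when its query returns at least one instance.
            $matched = foreach ($name in $filters.Keys) {
                if (Get-CimInstance -Query $filters[$name] @target -ErrorAction Stop) { $name }
            }
        }
        catch {
            Write-Warning "${computer}: WMI query failed: $($_.Exception.Message)"
            continue
        }

        [pscustomobject]@{
            Computer    = $computer
            Caption     = $os.Caption
            Version     = $os.Version
            ProductType = $os.ProductType   # 1 = workstation, 2 = domain controller, 3 = server
            WouldApply  = if ($matched) { $matched -join ', ' } else { '(no filter matches)' }
        }
    }
}

# Placeholder names; replace with machines from your own OUs.
Test-OsWmiFilter -ComputerName 'PC001', 'PC002' | Format-Table -AutoSize
```

The `ProductType="1"` clause is what keeps server editions that share these version numbers (for example Windows Server 2008 R2 at 6.1 and Windows Server 2016 at 10.0) out of the workstation GPOs. Windows 11 also reports a 10.0.x version, so the `"10.%"` filter matches it as well.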