Best practices to apply GPO to only one computer in an OU

MS Lee 61 Reputation points
2020-11-09T01:34:30.317+00:00

Hi All,

I am currently running a 2012R2 DC in my environment. I am going to add another 2016 or 2019 server as the 2nd DC. I need to apply some settings via GPO (as requested by the Security Team) on the new DC. There is an existing GPO for the 2012R2 DC, but some of the settings are not applicable to 2016/2019.

In this case, I will be creating a new GPO. Knowing the new DC will appear in the Domain Controller OU once I promote it, it will definitely inherit the existing GPO. My understanding is: never, never touch the Domain Controller OU and never create sub-OUs within it.

I'd appreciate any advice on how to keep the existing GPO from applying to the new DC and also how to apply the new GPO to the new DC only.

Thank you in advance.


Accepted answer
  1. Hannah Xiong 6,231 Reputation points
    2020-11-09T03:15:41.743+00:00

    Hello,

    Thank you so much for posting here.

    If we want the policy to be scoped to a group of DCs and not all DCs in the organization, security filtering can be considered.

    For example, we can give Authenticated Users only Read permission, and add the group (to which you want to apply the policy) with Read and Apply permission. Then the policy will be applied only to the group.

    Assign Security Group Filters to the GPO:
    https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo

    Or we could consider WMI filtering. To make sure that each GPO associated with a group can only be applied to devices running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO.

    Create WMI Filters for the GPO:
    https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo


    As mentioned, we are going to add another 2016 or 2019 as the second DC. The minimum requirement to add a Windows Server 2019 Domain Controller is a Windows Server 2008 functional level. The domain also has to use DFS-R as the engine to replicate SYSVOL. So before we add 2019 DC to the existing domain, we need to ensure the functional level is at least Windows Server 2008, and the SYSVOL folder replication type is DFSR.

    Besides, please kindly check DC health by running `Dcdiag /v` and check AD replication by running `repadmin /showrepl` and `repadmin /replsum` before joining the new DC.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

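As an added example (not from the thread or from Microsoft), this PowerShell, run on a DC with the RSAT GroupPolicy and ActiveDirectory modules, carries out the two scoping options described above: it sets the security filtering, dry-runs the WMI query on the local host, and links the new GPO without touching the Domain Controllers OU itself. The GPO name and the security group name are hypothetical.

```powershell
# Added example, not from the thread. Hypothetical names: GPO 'DC Baseline 2016-2019',
# security group 'GPO-DC-2019' (must already exist with the new DC as a member).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'DC Baseline 2016-2019'
$GroupName = 'GPO-DC-2019'
$DcOu      = (Get-ADDomain).DomainControllersContainer   # OU=Domain Controllers,DC=...

# 0. Prerequisite checks from the answer: functional level and SYSVOL replication engine.
(Get-ADDomain).DomainMode          # must be Windows2008Domain or higher
dfsrmig /getglobalstate            # must report 'Eliminated' (SYSVOL on DFSR, not FRS)

# 1. Create the GPO unlinked so nothing applies before the scoping is in place.
$gpo = New-GPO -Name $GpoName

# 2. Security filtering. Authenticated Users keep Read (the computer account needs it to
#    read the GPO) but -Replace strips their default Apply; only the group gets Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply

# 3. WMI filter query. Create the filter in GPMC (WMI Filters -> New) and link it to the GPO;
#    there is no built-in cmdlet for that. Version 10.0.* is Server 2016/2019 (and 2022),
#    ProductType 2 is a domain controller; 2012 R2 reports 6.3.9600 and so does not match.
$Wql = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.0%" AND ProductType = 2'

# Dry run: evaluate the same WQL on the host you are logged on to. A returned object means
# the filter would be TRUE for this machine; on the 2012 R2 DC it returns nothing.
$os = Get-CimInstance -Query $Wql
if ($os) { "Filter matches: $($os.Caption) $($os.Version)" } else { "Filter does not match this host" }

# 4. Link to the Domain Controllers OU. The OU is left as-is; the new GPO simply sits next
#    to the existing one. To keep the existing GPO off the new DC, give it the inverse WMI
#    filter (Version LIKE "6.%") or deny 'Apply group policy' to the group in GPMC delegation.
New-GPLink -Name $GpoName -Target $DcOu -LinkEnabled Yes

# 5. After 'gpupdate /force' on the new DC, confirm which GPOs applied and which were filtered.
gpresult /scope computer /r
```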

1 additional answer

  1. MS Lee 61 Reputation points
    2020-11-17T00:39:16.96+00:00

    Hi Hannah,

    Appreciate the provided suggestion. WMI filters work well for me. Thank you.
