Item-level Targeting with Group Policy Preferences (GPP)

Item-Level Targeting (ILT) arrived with Group Policy Preferences in Windows Server 2008 and is still often overlooked when implementing policies in the domain. Available only within a Group Policy Preference (GPP) item, an ILT filter refines a preference item so that it applies to a narrower set of users or computers than the GPO link and security filtering alone allow. Targeting items can be negated (Is / Is Not) and combined with Boolean operators (AND / OR), so a condition such as "value is Foo and value is not Bar" can be expressed directly.

Scenario: You want to assign a scheduled task to all computers in the domain except those in the "Management" and "Admin" Organizational Units (OUs).

You could create a GPO containing the scheduled task preference and link it directly to every OU that isn't Management or Admin, and that would work, for now. However, each time a new OU is added to the domain the policy has to be linked to it as well, which means another change control request and another opportunity to miss one. ILT removes that ongoing maintenance.

Here’s how to use ILT to make this a “set it and forget it” GPP.

Step 1: Get to the ILT options for the GPP item.

Right-click the scheduled task item and choose Properties.

Then click the Common tab and check the box next to Item-level targeting to enable the “Targeting…” button.

Step 2: Create a new ILT filtered by OU

Within the Targeting Editor, create a targeting item. The objective requires that the Management and Admin OUs do not receive this policy, so choose "Organizational Unit" from the New Item drop-down menu.

Next, enter the distinguished name of the OU to filter on. This walkthrough uses a generic domain.local domain ("DC=domain,DC=local") as an example. If unsure how to express an OU by its Active Directory path, use the browse (...) button next to the input box and pick the OU in the GUI.

A plain English version of the targeting item appears at the top:

"the organizational unit the computer belongs to is OU=Management,DC=domain,DC=local or one of its descendants"

Three things to note about this:

  1. The statement reads the exact opposite of what we want: instead of excluding the Management OU, the item explicitly targets it. Step 3 fixes that.
  2. The last portion states "or one of its descendants" because the "Direct member only" box was not checked. If only computers placed directly in the parent OU should match, and not those in child OUs beneath it, check that box.
  3. The item reads "the computer belongs to" because this preference lives under Computer Configuration. The same targeting item on a User Configuration preference evaluates the OU of the logged-on user instead, so check which object is being tested before trusting the filter.

Step 3: Create an additional targeting item and reverse the selection logic

Create a second targeting item in the same way for the Admin OU. The default Boolean operator joining items is "AND", meaning every targeting item must evaluate true for the preference to apply to a computer. To reverse the selection logic, select each targeting item in turn and choose "Is Not" from the Item Options menu. Leave the operator as AND: both negated items must hold ("not in Management" and also "not in Admin"). If the operator were switched to "OR", a computer in Management would still match, because it is not in Admin, and the exclusion would silently fail.

The result is two targeting items stating "the organizational unit the computer belongs to is not" followed by the OU path, one for Management and one for Admin.

The GPO carrying this preference can now be linked at a higher-level parent OU, and computers in the Management and Admin OUs, and in any child OUs beneath them, will be skipped, while new child OUs created elsewhere later are covered automatically. Two caveats: the filter is evaluated on each client by the Group Policy Preferences client-side extension at refresh time, so a computer moved into Management stops receiving the task at its next refresh, not immediately; and ILT is a targeting convenience, not a security boundary. The GPO and its preference XML in SYSVOL remain readable to every authenticated user and computer by default, so "Is Not" targeting should never be used to hide settings from a population; use security filtering or delegation for that. Using modular GPOs with descriptive names makes it easy to see which parent-OU policies carry ILT filters when creating new child OUs.
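To make the AND / Is Not logic concrete, here is a small Python model of how the Organizational Unit targeting items from Steps 2 and 3 are evaluated. It is an added example, not code from the original article or from Microsoft's client-side extension. It parses the `<Filters>` block of a preference item in the layout used by a GPO's `Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` (the `FilterOrgUnit` element and its `bool`, `not`, `name` and `directMember` attributes), and tests a computer's distinguished name against it. Assumptions: only `FilterOrgUnit` items are modelled, items are combined left to right using each item's `bool` attribute (nested collections and `userContext` are ignored), and DNs contain no escaped commas. The sample XML, the task names and the computer DNs are constructed; the second task deliberately uses OR to show the mistake described above.

```python
"""Model of GPP Organizational Unit item-level targeting evaluation.

Added example, not the article's code. Simplifications: only FilterOrgUnit
items, left-to-right combination of bool="AND"/"OR", no collections, no
userContext handling, DNs without escaped commas.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of ScheduledTasks.xml. Real files carry
# extra attributes (clsid, Properties, ...) that do not affect the filter.
# "Nightly-Inventory" is the correct configuration from the article;
# "Wrong-OR" joins the two "Is Not" items with OR instead of AND.
SAMPLE_XML = """
<ScheduledTasks>
  <TaskV2 name="Nightly-Inventory">
    <Filters>
      <FilterOrgUnit bool="AND" not="1" name="OU=Management,DC=domain,DC=local" userContext="0" directMember="0"/>
      <FilterOrgUnit bool="AND" not="1" name="OU=Admin,DC=domain,DC=local" userContext="0" directMember="0"/>
    </Filters>
  </TaskV2>
  <TaskV2 name="Wrong-OR">
    <Filters>
      <FilterOrgUnit bool="AND" not="1" name="OU=Management,DC=domain,DC=local" userContext="0" directMember="0"/>
      <FilterOrgUnit bool="OR" not="1" name="OU=Admin,DC=domain,DC=local" userContext="0" directMember="0"/>
    </Filters>
  </TaskV2>
</ScheduledTasks>
"""


def normalize_dn(dn):
    """Lower-case a DN and trim whitespace around components so that
    'OU=Management, DC=domain, DC=local' equals 'ou=management,dc=domain,dc=local'
    (AD compares DNs case-insensitively)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def container_of(object_dn):
    """DN of the OU/container an object sits in: its DN minus the leading RDN."""
    parts = normalize_dn(object_dn).split(",")
    return ",".join(parts[1:])


def ou_item_matches(object_dn, target_ou, direct_member_only):
    """Result of one FilterOrgUnit item before any not="1" is applied."""
    container = container_of(object_dn)
    target = normalize_dn(target_ou)
    if container == target:
        return True
    if direct_member_only:
        return False
    # "or one of its descendants": the target OU is a suffix of the container
    return container.endswith("," + target)


def parse_filters(xml_text):
    """Yield (item name, list of filter dicts) for each preference item."""
    root = ET.fromstring(xml_text)
    for item in root:
        filters = []
        for f in item.iter("FilterOrgUnit"):
            filters.append({
                "bool": f.get("bool", "AND").upper(),
                "not": f.get("not", "0") == "1",
                "name": f.get("name"),
                "direct": f.get("directMember", "0") == "1",
            })
        yield item.get("name"), filters


def item_applies(filters, object_dn):
    """Combine filter items left to right; no filters means apply to all."""
    result = None
    for flt in filters:
        hit = ou_item_matches(object_dn, flt["name"], flt["direct"])
        if flt["not"]:
            hit = not hit
        if result is None:
            result = hit                # the first item's operator is ignored
        elif flt["bool"] == "OR":
            result = result or hit
        else:
            result = result and hit
    return True if result is None else result


def applies_to(xml_text, object_dn):
    """Map each preference item name to whether it applies to object_dn."""
    return {name: item_applies(flts, object_dn)
            for name, flts in parse_filters(xml_text)}


if __name__ == "__main__":
    for dn in ("CN=PC01,OU=Sales,DC=domain,DC=local",
               "CN=PC02,OU=Management,DC=domain,DC=local",
               "CN=PC03,OU=Helpdesk,OU=Admin,DC=domain,DC=local"):
        print(dn, applies_to(SAMPLE_XML, dn))
```

Run as a script it prints, for each constructed computer, which task applies: the Sales machine gets both, while the Management machine and the machine in the Helpdesk OU under Admin are excluded by "Nightly-Inventory" but still picked up by "Wrong-OR", which is exactly the OR mistake. Pointing `applies_to` at the text of a real ScheduledTasks.xml copied from SYSVOL gives a quick offline check of who a filter will and will not hit.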

This is just one simple, direct use of ILT. Many other targeting items are available, such as the computer's operating system, battery status, file/folder matching (including file versions, handy for conditional software updates), and more, and they all combine with the same Is / Is Not and AND / OR logic shown here.