This is a very common question and one that I would say all companies migrating to Windows 7 has experienced. The scenario is how do we handle user group policy settings when we have multiple operating systems such as Windows XP and Windows 7 or in the future also introduce Windows 8?
First I strongly recommend that you do not reuse the user configuration for Windows XP for Windows 7. Group policies tend to grow over time and at most customers I have encountered a lot of rubbish in the old configuration. Starting over and migrating only what is needed minimize the risk for problem and makes the configuration slicker and more easy to manage in the long run.
But how do we make sure that users get one configuration when they log in to for instance Windows XP and another configuration when they log in to a Windows 7 or Windows 8 machine? Well, let’s have a look at the options including pros and cons followed by recommendations from the field.
1. Security group filtering
- Pros:
– Require no change in OU structure/move of users. - Cons:
– Requires a lot of management and make it hard to administer.
2. Separate users into a new and old OU
- Pros:
– Easy to do if you have very few users and no dependencies to other services or applications. - Cons:
– Not a manageable solution in an environment with many users.
– There are often apps or services that rely on the users being in a certain OU which is making it hard to move users without affecting other services.
3. WMI filters
- Pros:
– Keep the users in the OU they are today not affecting other services or apps that rely on users being in a certain OU.
– A longterm investment in making it easy to introduce new operating system versions.
– Quick determination (WMI is often known to be real slow but this particular query is not performance intensive). - Cons:
– Need changes for existing environment, i.e. for instance Windows XP user configuration.
– Could make group policies not being applied due to problems with WMI repository or related services.
4. Loopback processing
- Pros:
– Keep the users in the OU they are today not affecting other services or apps that rely on users being in a certain OU.
– Very reliable solution. - Cons:
– If not Replace mode is used you need to handle current configuration.
– Might become a mess to troubleshoot and maintain if naming and config is not done consistent and clear.
Recommendations from the field
In my professional opinion the only real alternatives are WMI filters or loopback processing and sometimes I recommend WMI filters for separating user settings depending on what operating system they are logging in to and sometimes I recommend loopback processing. It depends on the environment and needs for the customer. Many times moving the user accounts around is not an alternative but consider that a very good alternative if possible to accomplish.
How do I implement it in my environment?
1. WMI filters
In the Group Policy console you create multiple WMI filters for for instance Windows XP and Windows 7. You then set each WMI filter respectively on each GPO containing user settings for each operating system. NOTE: Always test it out before applying this configuration to your existing environment. Also note that this does not affect performance to any noticeable amount of time.
Windows XP:
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ProductType ="1"
Windows 7:
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType ="1"
Windows 8:
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType ="1"
Basically the version is the OS version as we know it and the ProductType=1 means that it is a client operating system.
So you will end with for instance one GPO named “User Configuration – Windows 7” which have the WMI filter for Windows 7 machines set and one GPO named “User Configuration – Windows XP” which have the WMI filter for Windows XP set.
2. Loopback processing
A prerequisite for using loopback processing is that you keep computers in separate OUs, for instance XP computer accounts in one OU and Windows 7 computer accounts in another OU.
You then create GPO objects in the OU for Windows 7 in our example and configure the user settings there. As I think you should always separate Computer and User configuration GPO:s I would say that you in a Computer configuration policy in that same OU set this setting for the user settings to be applied when users log into Windows 7 machines:
Policies – Computer configuration – Administrative templates – System – Group Policy and there set “User Group Policy loopback processing mode” to Replace or Merge, depending on what you want to achieve and how you want to handle your current configuration. Replace mode is recommended as you will have a hard time maintaining and troubleshooting the configuration otherwise.
Done! When users log on to your Windows 7 machines they will get the user settings you have defined in the user configuration GPOs located in the Windows 7 machines OU in our example.