Jul 25 2019 08:10 AM
I want to apply a filter for specific Domain Controller OS's for a slow rollout of some security settings. Notably, I want to target server 2019 OS's and not others. I found this in my travels:
I don't mind applying filtering with groups, but I've never added DC's to groups before; I've always applied WMI filtering before. Would there be any issues with adding DC's to a group and applying a policy to them?
I'm just checking to see which is best practice, WMI or Group Filtering, and also, what is the recommended way to create a WMI filter for Server 2019?
Jul 26 2019 02:11 AM - edited Jul 26 2019 02:14 AM
@Lynn Towle Here is a WMI-Filter that specifically targets Windows Server 2019 Domain Controllers only:
Select BuildNumber from Win32_OperatingSystem WHERE BuildNumber = 17763 AND BuildNumber LIKE "%[123456789][0123456789][0123456789][0123456789][0123456789]%" AND ProductType="2"
Whether you should prefer WMI filtering or security group filtering is a design decision you should evaluate yourself for your environment.
If you have only Server 2016 and Server 2019 domain controllers you could use the Server 2019 DC baseline for both and not filter at all. I can't find any setting in the Server 2019 baseline that would pose a problem with Server 2016.
If, however, you want or need to filter and use different baselines, personally I would use security filtering instead of WMI filtering. The reason is that WMI filters are much slower, and you can use the security groups you create to collect different servers for other things as well. WMI filters are only good for group policies and sometimes have a use in scripting; security groups, on the other hand, can be used for many different things (and are faster for GPOs). ;)
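A read-only check that compares the two targeting methods discussed in this thread, added here as an example and not part of any poster's reply: it evaluates the WQL filter quoted above on every domain controller and compares the result with membership in a security group. The group name `GPO-DC-Server2019` is a hypothetical placeholder, and the script assumes the ActiveDirectory module and CIM/WinRM access to the DCs.

```powershell
# Added example: dry-run comparison of WMI filtering vs. security group filtering.
# Nothing is modified; run it before linking the GPO.
Import-Module ActiveDirectory

# WQL exactly as posted in the reply above.
$wql = 'Select BuildNumber from Win32_OperatingSystem WHERE BuildNumber = 17763 AND BuildNumber LIKE "%[123456789][0123456789][0123456789][0123456789][0123456789]%" AND ProductType="2"'

# Hypothetical group name (assumption); the group must already exist.
$groupName = 'GPO-DC-Server2019'

# Distinguished names of the current group members.
$members = @(Get-ADGroupMember -Identity $groupName |
    Select-Object -ExpandProperty distinguishedName)

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # A returned instance means the WMI filter would evaluate to true on this DC.
        $hit = Get-CimInstance -ComputerName $dc.HostName -Query $wql -ErrorAction Stop
        $wmiMatch = [bool]$hit
    }
    catch {
        # DC unreachable or query failed: result unknown, not "false".
        $wmiMatch = $null
    }

    [pscustomobject]@{
        DC              = $dc.HostName
        OperatingSystem = $dc.OperatingSystem
        WmiFilterMatch  = $wmiMatch
        InGroup         = $members -contains $dc.ComputerObjectDN
    }
}

# Full picture of how each method would target the DCs.
$report | Format-Table -AutoSize

# DCs where the two methods disagree (unreachable DCs are skipped).
$report | Where-Object { $null -ne $_.WmiFilterMatch -and $_.WmiFilterMatch -ne $_.InGroup }
```

A computer account only picks up a new group membership when it obtains fresh Kerberos tickets, so a DC added to the group needs a restart (or a purge of its machine tickets) before security filtering applies to it.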
Jul 26 2019 04:23 AM
Jul 26 2019 04:25 AM