Apply Item-Level Targeting Outside Domains & GP Preferences

What is Item-Level Targeting?

Item-Level Targeting lets you define how Group Policy settings apply to Active Directory users or computers by setting conditions. You perform the process by first selecting conditional logic statements like AND, OR, and NOT. You then pair those statements with target objects like operating system, security group membership, and IP range. First introduced in Windows Server 2008, Item-level Targeting came as an integrated part of Group Policy Preferences. Check out the targeting editor example below. You can see that computer or user configurations must meet all conditions for the policy to apply.

Example of Group Policy Targeting Editor and How to apply target objects


Windows networks were much easier to manage before the demands of the mobile workforce became a priority. Previously, the enterprise only consisted of desktops located on premises. By using just an ethernet connection, those anchored desktops would interact with servers that stored resources. Users logged onto their desktops to retrieve resources of which they had access.

Item-level Targeting vs. Native Group Policy Targeting

Before Item-level Targeting and Group Policy Preferences, Group Policy only had three delivery options:

  • Scope (Site, Domain, OU)
  • Security Filtering (Who is and who is not going to get it)
  • WMI filters (something about their machine.)

In the modern era, enterprises require more target objects than just OUs and group membership. Not all workers fit into one of those limited definitions. With Item-level targeting, you can target users by device type, operating system, and IP address range.

Limitations of Item-Level Targeting

Item-Level Targeting is a powerful feature that gives you more control over your desktop environment. Sadly, Item-Level Targeting is only available for Group Policy Preferences settings. Meaning, policies made from the 4000+ Administrative Templates can’t utilize this granular feature. Instead, you need to make a new Group Policy Object (GPO) for just about every situation. Furthermore, you need to use the built-in scoping and filtering and hand-crafted WMI filters.

Extend Item-Level Targeting to Nearly Any Target

At PolicyPak, we say “why limit a good thing?” Why not give customers more of what they want? That’s why we integrate Item-Level Targeting throughout our suite of products. By integrating Item-level Targeting into the product, we give you the granular control needed to manage today’s modern environments.

You may be disappointed that the standard version of Windows Server doesn’t offer Item-Level Targeting for Windows 10 ADMX Templates. Fortunately, PolicyPak overcomes this limitation. Our Administrative Templates Manager gives you the ability to create policies utilizing the Group Policy Editor. PolicyPak hooks right into Group Policy Editor and uses the same approach of delivering settings through GPOs. As always, the process starts by creating a policy.

Creating a Administrative Templates Policy in PolicyPak before applying Item-level targeting


From there, you choose which settings to configure. In the example below, we are enabling remote control of Remote Desktop Sessions. After configuring your desired settings, click the Item-Level Targeting button at the bottom left-hand corner of the screen. This action brings up the same Item-level targeting interface we showed you earlier.

Example of creating a policy fore remote control of remote desktops

Use Item-level Targeting for Non-domain Joined Computers

Having an effective way to manage non-domain joined computers is critical for modern enterprises. Alas, Group Policy Preferences only offers Item-level Targeting for domain-joined computers. The feature is not available for non-domain joined computers. Fortunately, PolicyPak Cloud Edition overcomes this inherent shortcoming. It enables you to deliver real Group Policy Preferences to any Windows 10 device connected to the internet. Furthermore, PolicyPak lets you use Item-level Targeting to deliver PolicyPak and Group Policy settings to non-domain joined machines.

Use Item-level Target for MDM Enrolled Devices

PolicyPak also allows you to deliver settings through your MDM service using Item-level targeting. PolicyPak MDM Edition allows you to export real Group Policy and/or PolicyPak settings and integrate them directly into MDM solutions like Microsoft Intune, VMware Workspace ONE and MobileIron. After all, the power of Item-Level Targeting shouldn’t be restricted to just traditional on-premises machines.

Only Apply Your Policies to Applicable Targets

We’ve talked about PolicyPak settings, but what are they? Well, PolicyPak allows you to deliver and enforce settings for many use cases.

Application Based Targets

PolicyPak Applications Manager lets you configure settings for hundreds of applications. You can manage settings for popular applications like Adobe Reader, Java, Firefox, Flash, and hundreds more.

Browser Based Targets

PolicyPak Browser Router lets you end the browser war once and for all. You can define the default web browser for all users. This way, they don’t receive annoying default browser prompts. It also gives you the ability to pair websites with designated browsers. For example, it makes sense that G Suite applications work best in Chrome. Policies created for specified applications only target endpoints that contain the application. Here’s where the Item-Level Targeting File Match condition comes into play. The policy below ensures that online G-Suite applications are only open in Chrome. Although a user may open browsers like Edge or Firefox, PolicyPak forces them to close and reopens in Chrome. Of course, this policy is irrelevant for computers that don’t have Chrome installed. PolicyPak only applies Item-level targeting when there is a file match for the Chrome executable.

Example of Item Level Targeting Editor in PolicyPak for Browser Based Policies


Item-Level Targeting in PolicyPak Demo

Here’s a quick demo of how Item-level Targeting in PolicyPak works.


If you want to apply Item-level Targeting to custom policies, native Group Policy settings or to non-domain joined computers, try PolicyPak free.

Sign Up for a Free PolicyPak Trial Here

Jeremy Moskowitz

Founder & CTO, Microsoft MVP in Group Policy, Enterprise Mobility, and MDM

Jeremy Moskowitz founded PolicyPak Software after working with hundreds of customers with the same problem they couldn’t manage their applications, browsers and operating systems using the technology they already utilized.

Ready to Get Started? Register for Our Demo.

Our PolicyPak Demos explain everything you need to know to get started with the software. Once you've attended the demo, you'll be provided a download link and license key to start a free trial.