How can I use Item Level Targeting to apply a Group Policy Preferences or PolicyPak item when the user is NOT a member of Domain Admins and also is not a member of the local Admin group?
You might want to set a configuration item such that ONLY regular users and NOT “admins” are affected by a Group Policy Preferences or PolicyPak setting.
For example, perhaps you wish to “Prevent access to the command prompt” for all standard users, like what’s seen below, and you want to use Item Level Targeting to do it.
To clarify up front, Item Level Targeting is a Microsoft technology provided as part of their Group Policy Preferences CSE for Group Policy.
PolicyPak utilizes this ability to filter based on criteria, but the underlying engine is developed by Microsoft themselves. That means it's not our code, so sometimes there are behaviors related to ILT that we either are not aware of or have not yet tested.
Also, to better understand the challenge, here are some facts:
And so with all that said, this is the combination that appears to work:
Three important things to note above
The catch with the last item is that there is no local Administrators group on a DC, so a DC cannot see that group to add it. You must install the GPMC and the PP Admin Console on a regular machine that is a member of the domain (a test W10 VM, for example), edit the GPO, click the 3 dots, and then select the computer name as the source to capture the Administrators group that way.
You only have to do this once to get the group and its SID, but it just can't be done on a DC.
So after Clicking the 3 Dots….