PolicyPak: Using Item Level Targeting

Inside one GPO, you can have definitions for the same Pak, but use Item Level Targeting features to specify under what conditions the Pak will be delivered. If you love Item Level Targeting with GPPrefs, you’re going to love this feature.

PolicyPak: Using Item Level Targeting video transcript

Hi, this is Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software. In this video, I’m going to show you how you can use PolicyPak’s Item Level Targeting just like the Group Policy Preferences to dictate exactly when and where a particular Pak’s settings should apply.

Let’s go ahead and take a Group Policy Object. I’m going to link it over to my entire domain, which would theoretically affect everybody. If I were to call this “Manage WinZip with PolicyPak” and I click “Edit…” here, if I were to go on the “User” side and go to “PolicyPak/Applications/New/Application,” you can see I’ve got a bunch of Paks ready to go, but for this demo I’m going to talk about “PolicyPak for WinZip 14 and Later” just to keep ourselves focused here.

What I want to do is click on “WinZip 14 and Later.” Let me go ahead and set something simple like “Passwords.”Maybe I want all of my Windows 7 machines to get “7” characters and also lock down the “Cameras” tab. I’ll go ahead and “Disable whole tab in target application” for WinZip.

While I’m here as well, I might as well go ahead and check all these checkboxes and right click and “Hide corresponding control in target application” for this guy and “Disable corresponding control in target application” for this guy. I love showing that part off.

The real point of this demonstration is here in the “PolicyPak” button. We now have an item called “Enable item-level targeting” and also “Edit item-level targeting filters…” Let’s go ahead and select “Enable item-level targeting” and when we do, we get a message making sure that we’re using the latest version of PolicyPak. We’ll just go ahead and say “Yes,” and we’ll then “Edit item-level targeting filters….”

If you’re familiar with the item-level “Targeting Editor” for the Group Policy Preferences, you are going to feel right at home right here. There are gaggles of categories of stuff where you can say, “Only make these settings occur when the following things are true.” You’re welcome to poke around here. I do talk about this in excruciating detail in my popular Group Policy book.

Long story short, I’m going to go ahead and select “Operating System” to say whenever “the operating system is Windows 7,” we’re going to set the “Minimum password length” to “7.” It’s just as easy as that.

Maybe I’ll also create a new item by choosing “New/Application” for “PolicyPak for WinZip 14 and Later” that says we want to do the same thing, but for Windows XP we’ll make it “10” characters. In order to do this, we will “Enable item-level targeting” and we’ll go ahead and specify that this will be for the “Operating System” when it’s “Windows XP.” We’re targeting very specifically for the operating system.

I just want you to see very quickly here all the major categories of things you could do. You could do it based on if it’s a desktop or if it’s a laptop. You could do it if a person is part of a “Security Group” or “IP Address Range” – all sorts of fantastic ideas here.

I’ll go ahead and check all these checkboxes, and this time in XP I will go ahead and “Hide corresponding control in target application” and “Disable corresponding control in target application” for the first two so XP is a little bit different here. Then I will lockdown the “Explorer Enhancements” tab on XP.

I’ll do this one more time, and I will once again make a settings change here for my Terminal Servers. Maybe on my Terminal Servers I want them super secure or whatever it is. Maybe I’ll check these two, and I’ll “Hide corresponding control in target application” for this guy, and I’ll “Disable corresponding control in target application” for this guy. I’m making some settings changes there as well.Actually while I’m here, I’ll also “Disable whole tab in target application” for the “System” tab.

Now that I’m here in this particular item, I want to “Enable item-level targeting” and “Edit item-level targeting filters…” and I want to pick when I am using any “Terminal Session” to set when “the terminal session is Any.”

How can you keep it straight? You’ve got three “WinZip 14 and Later” Paks here in line. How are you going to remember it? Well, it’s pretty easy. You’re simply going to right click over and you’re going to “Edit Description….” In the description field, you’re going to put something useful for yourself. I’ll put “ILT = Win7” for the first one. For the second description, I’ll pick “ILT = Win XP.” For the third description, I’ll put “ILT = Terminal Services.”

Before we even do this, let’s go ahead and see what we can see in the reports. You can see here that the GPMC reports actually show you the “Description” field name right there. You can tell you’ll get these particular settings for that particular line item. You’re welcome to try this on your own.

Now let’s go ahead and go over to my first computer, and we’ll run “gpupdate.” We’ll go over to my XP computer here. We’ll also run “gpupdate.” We’ll go over to our third computer here, and we will also run “gpupdate.”

To see this in action, the first computer is a Windows 7 computer. We’ll go ahead and run “WinZip” and if all goes perfectly what we should see is that we’ve got the “Passwords” configuration strength set to “7,” exactly right. We’ve got the “Cameras” tab grayed out, exactly what we expected. Item-level targeting figured out that this was a Windows 7 machine.

Let’s go over to our XP machine. Do you remember what we specified there? We specified Passwords strength of 10. If we go to “Options/Configuration…,” “10.” You can see what we’ve locked out is different on XP than it was for Windows 7. We used item-level targeting to specify exactly what we wanted to do.

If we go over to our final machine, let’s go ahead and run “WinZipXenApp Published.” What we’ll see here is that this will come down published from the XenAppserver. Because it’s a Terminal Services session, we should see yet another configuration, which we specified as 33.

Let’s go ahead and see if we get that:“Options/Configuration…,”“Passwords” and there you go.Because we’re on a Terminal Services session, we get different values and different lockdowns and we specified a different “Minimum password length.”

That is item-level targeting. If you’ve ever used it using the Group Policy Preferences, you will definitely be at home here. This is a fantastic feature to ensure that what you set is what they get, and you can be very particular and dictate exactly where to get these settings. If you’ve got managers versus developers or help desk versus admins, whatever you want, you can be incredibly targeted, which is why it’s called item-level targeting.

If you have any questions, we’re here for you.

Thanks so very much. Talk to you soon.

Back