
Currently we have several GPOs linked on top of 200+ computer objects, which are getting filtered via WMI (query for operating system).

There seems to be some kind of race condition, as these GPOs sometimes get applied and sometimes they don't.

Anyway... we could trace this back to WMI instabilities, which is why I would like to switch to Security filtering based on AD groups (ServerW2012, ServerW2008 and so on).

My migration path looks as follows:

1) Create AD groups and add computer objects accordingly

2) Add AD groups to ACLs of respective GPOs and remove "Authenticated Users"

3) Remove WMI Filter

The GPOs are making use of several CSEs, synchronous/asynchronous, Security CSE, and so on. I am concerned about stability, because if this change goes wrong 200+ computer objects would be affected.

Is this a feasible migration path? Any experiences to share? Thanks

Matthias Güntert

1 Answer

  1. Create AD groups and add computer objects accordingly.

  2. Add AD groups to ACLs of respective GPOs and remove "Authenticated Users" Apply Group Policy permission.

  3. The computers would need to be restarted or klist purge run to refresh the computer group memberships.

Is there a way to refresh computer group membership without rebooting?

  4. Link new group policy.

  5. Remove WMI Filter.

Greg Askew
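The group and ACL steps from the answer above, as an added PowerShell example that is not part of the original question or answer. It uses the ActiveDirectory and GroupPolicy modules; the OU path and GPO names are hypothetical placeholders, the group names are the ones from the question, and the script stops before any ACL change if a computer is not in exactly one OS group.

```powershell
# Added example. $SearchBase and the GPO names are hypothetical placeholders.
Import-Module ActiveDirectory, GroupPolicy

$SearchBase = 'OU=Servers,DC=example,DC=com'   # hypothetical OU the GPOs are linked to
$Map = @(
    @{ Group = 'ServerW2012'; OsPattern = '*Server 2012*'; Gpos = @('Baseline-W2012') },
    @{ Group = 'ServerW2008'; OsPattern = '*Server 2008*'; Gpos = @('Baseline-W2008') }
)

# Step 1: create the groups and fill them from the OperatingSystem attribute
foreach ($m in $Map) {
    if (-not (Get-ADGroup -Filter "Name -eq '$($m.Group)'")) {
        New-ADGroup -Name $m.Group -SamAccountName $m.Group -GroupScope Global `
                    -GroupCategory Security -Path $SearchBase
    }
    $existing  = @(Get-ADGroupMember -Identity $m.Group | ForEach-Object { $_.distinguishedName })
    $computers = @(Get-ADComputer -SearchBase $SearchBase -Filter "OperatingSystem -like '$($m.OsPattern)'" |
                   Where-Object { $existing -notcontains $_.DistinguishedName })
    if ($computers.Count) { Add-ADGroupMember -Identity $m.Group -Members $computers }
}

# Safety check: every computer in scope must be in exactly one OS group
$groupDns  = @($Map | ForEach-Object { (Get-ADGroup -Identity $_.Group).DistinguishedName })
$all       = Get-ADComputer -SearchBase $SearchBase -Filter * -Properties MemberOf, OperatingSystem
$uncovered = @($all | Where-Object {
    $c = $_
    @($c.MemberOf | Where-Object { $groupDns -contains $_ }).Count -ne 1
})
if ($uncovered.Count) {
    $uncovered | Select-Object Name, OperatingSystem | Format-Table
    throw "$($uncovered.Count) computer(s) are not in exactly one OS group; no GPO ACL was changed."
}

# Step 2: grant Apply to the OS group, reduce Authenticated Users to Read
foreach ($m in $Map) {
    foreach ($gpo in $m.Gpos) {
        Set-GPPermission -Name $gpo -TargetName $m.Group -TargetType Group `
                         -PermissionLevel GpoApply | Out-Null
        Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
                         -PermissionLevel GpoRead -Replace | Out-Null
        Get-GPPermission -Name $gpo -All |
            Select-Object @{n='Gpo';e={$gpo}}, @{n='Trustee';e={$_.Trustee.Name}}, Permission
    }
}

# Step 3, on each member computer from an elevated prompt (or reboot instead):
#   klist -li 0x3e7 purge
#   gpupdate /target:computer /force
#   gpresult /r /scope:computer    # confirm the GPO is applied, not "Denied (Security)"
```

Running this against a single pilot GPO and a handful of computers first shows the resulting ACL and `gpresult` output before the remaining GPOs are changed and the WMI filter is removed.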