[gptalk] GPO WMI Script filters - can it exclude users?

  • From: "Mills, Mark" <Mark.Mills@xxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 15 Aug 2006 16:36:35 -0500

I may be going about this the wrong way.  I'm getting the feeling that
the WMI filter tool provided only allows you to select what objects you
want to include and the filter was not meant to perform "exclude".

My situation:  I want to make sure a GPO doesn't get applied to a user
(a dept manager) in Group Policy. I could make his own OU but for the
purposes of me learning WMI filtering let's not consider that an
option (plus it is a poor and silly idea to create an OU for a single
user object/person).

I am able to filter the GPO in question by using a WMI filter that
states - "apply this GPO if this computername does not equal the
manager's computer name" by using the following WMI syntax filter:

SELECT * FROM Win32_ComputerSystem WHERE Name <> 'theMgr'sPCname'


* Note: according to the documentation I read, " <> " represents "not
equal to" in WQL/WMI scripting.

However, this Dept Manager is likely to log onto more than one PC, so I
wanted to make the WMI filter state "apply this GPO if this user's logon
name does not equal this Dept Mgr's domain logon name" but the following
did not seem to work after a gpupdate /force, reboot:

SELECT * FROM Win32_UserAccount WHERE Name <> 'The Mgr'sLogonName'

(where 'The Mgr'sLogonName' was tried as <FirstInitialLastName> and
<FirstInitialLastName.ourdomain.com> and
FirstInitialLastName@xxxxxxxxxxxxx )

Help.....what am I doing wrong? 


For those who are not aware of it this is a great tool:
WMI Code Creator v1.0



Mark Mills, Sr. Network Engineer
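
A way to test both queries from the post on a client before linking them to a GPO, added here as an example and not part of the original message. It assumes PowerShell 3.0 or later; `Test-WmiFilter`, `MGR-PC01` and `jdoe` are hypothetical names. A WMI filter passes when its query returns at least one instance, which is what the function reports.

```powershell
# Added example: evaluate a WQL query the way a GPO WMI filter does.
# 'MGR-PC01' and 'jdoe' are placeholder names, not values from the post.

function Test-WmiFilter {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'
    )
    # The filter result is TRUE when the query returns one or more
    # instances, and FALSE when it returns none.
    $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    [pscustomobject]@{
        Query     = $Query
        Instances = $rows.Count
        Passes    = ($rows.Count -gt 0)
    }
}

$filters = @(
    # Win32_ComputerSystem has a single instance per machine, so this
    # returns 0 rows on MGR-PC01 and 1 row everywhere else.
    "SELECT * FROM Win32_ComputerSystem WHERE Name <> 'MGR-PC01'",

    # Win32_UserAccount lists the accounts the machine knows about, not
    # the user who is logging on. Every account other than 'jdoe' matches,
    # so the row count is above zero on any machine.
    # On a domain-joined client this enumeration can be slow.
    "SELECT * FROM Win32_UserAccount WHERE Name <> 'jdoe'"
)

$filters | ForEach-Object { Test-WmiFilter -Query $_ } | Format-Table -AutoSize
```

Run it on the manager's PC and on another client: the first query's `Passes` column changes between the two machines, the second one's does not.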

