Thanks for the replies, guys.

Darren - thank you for your response; it looks to be exactly what I need. Being new to WMI scripting (and even new to VB), I'm still learning all the classes and what they can do. Can you point me in a direction that shows me how to perform the same query but, instead of using a user logon name, filter using a local group, global group, or OU? What's the best way for me to learn which classes contain the attributes I want to use to accomplish a given query/filter? Looks like the WMI Code Creator <http://www.microsoft.com/downloads/...&displaylang=en> and your WMI Validator Utility <http://www.gpoguy.com/WMIFTest.htm> make for a very useful combination of tools - thanks for your addition!

Jamie - Let me first say I left the book by Jeremy Moskowitz at home - awesome GP book! Right now I can't seem to find the attribute to set a specific Group Policy to "Deny" for a single user.

Answers to your questions:
1) The policy that I'm trying to block is having the screensaver come up after 1 hr of inactivity.
2) This is a "User Configuration" based group policy which has been applied to an OU that contains the dept manager's user object. This OU does not contain computer objects.

I could be totally wrong on the following, so please don't take my reference and comments below as offensive - these are only my observations, and I welcome any additional info you can help with here...

Your quote: "you should just be able to use security filtering and deny the "Apply Group Policy" permission for the specific user/computer"

From what I can see, the Security filter only applies GPOs to objects; it does not have a deny feature. The subcaption under the Security filter states "The settings in this GPO can only apply to the following groups, users, and computers". Jamie, I can't seem to find the attribute to set a specific Group Policy to Deny for a user or group based on your answer.
I see the MS TechNet website <http://technet2.microsoft.com/WindowsServer/en/library/a834e844-8eb2-4ee2-927c-9989b4f55dd71033.mspx?mfr=true> says the following (note: I substituted the groups with <user?> to put this in context with what I'm trying to do):

By default, users are included in authenticated users, which means that they have the Apply Group Policy attribute set. If this is not desired, administrators have two choices:
* Remove Authenticated Users from the list on the security tab of the GPO, and add a new security group with the Apply Group Policy and Read attributes set to Allow. This new group should contain all the users that this Group Policy is intended to affect. <not what I am looking for>
* Set the Apply Group Policy attribute to Deny for ...<the user?>. This will prevent the GPO from being applied to <the user?>. Remember that an ACE set to Deny always takes precedence over Allow. Therefore, if a given user is a member of another group <example: authenticated users> that is set to explicitly Allow the Apply Group Policy attribute for this GPO, it will still be denied.

Option 2 looks like what I want to do, but the second sentence states that by putting a user in a security group with the GP attribute set to "Deny", all GPs across the entire domain will no longer be applied to him/her. (Right?)

To accomplish Option 2, I understand that they are telling me to do the following:
1. Create a security group.
2. Un-inherit any permissions.
3. Go to the Security tab and add the user you want to block the GPO on.
4. Click on the Advanced button, go to the Permissions tab.
5. Select the user created in step 3, click Edit.
6. Where it says "From: Apply to:", change the default setting to "groupPolicyContainerObject".
7. Scroll to the bottom of the permissions to "Apply group Policy" and check the Deny box.
8.
Note: we did nothing on the Members tab, so the user is not a member of the group - or was I supposed to add him there? If I add him there, then no policies would be applied to him across the domain, right? Is my understanding correct? Have I made a mountain out of this? Is there a simple way to set "Deny" on a single user for a single GPO?

Mark Mills, Sr. Network Engineer
Desktop Assistance, LP
14405 Walters Road, Suite 650
Houston, Texas 77346
Office Phone: 281-444-2300 x113
Email: mark.mills@xxxxxxxxxxxxxxxxxxxxxx

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson Jamie R Contr OC-ALC/ITMA
Sent: Tuesday, August 15, 2006 6:09 PM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: [gptalk] Re: GPO WMI Script filters - can it exclude users?

Mark,

If you need to limit the scope of a GPO for just a few users/computers and don't want to create a new OU, you should just be able to use security filtering and deny the "Apply Group Policy" permission for the specific user/computer. However, that depends on what you're attempting to do with your GPO. What types of settings do you want to prevent from getting applied? Computer, user, or both? Knowing that would help in finding the most effective solution to your problem.

//signed//
Jamie R Nelson
Systems Engineer / Analyst
Ingenium Corporation
OC-ALC/ITMA
405.739.2811 (DSN 339)

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Tuesday, August 15, 2006 5:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO WMI Script filters - can it exclude users?

Mark-

I think the Win32_UserAccount class enumerates user accounts defined on the system where the query runs. So, instead of getting the currently logged-on user with that query, you are really asking whether there is a user with the manager's user name defined in that workstation's local SAM where the query runs.
I think what you need instead is:

Select * FROM Win32_ComputerSystem WHERE UserName <> "domainName\UserName"

So it's looking for the NetBIOS form of the user name. Also, this is a good opportunity for me to plug my newest free tool - the WMI Filter Validator - which lets you validate a WMI filter against a machine without having to wait for a GP refresh to see if it will evaluate to true.

Darren

________________________________
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Mills, Mark
Sent: Tuesday, August 15, 2006 2:37 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO WMI Script filters - can it exclude users?

I may be going about this the wrong way. I'm getting the feeling that the WMI filter tool provided only allows you to select what objects you want to include, and the filter was not meant to perform "exclude" actions?

My situation: I want to make sure a GPO doesn't get applied to a user (a dept manager) in Group Policy. I could make him his own OU, but for the purposes of me learning WMI filtering let's not consider that an option (plus it is a poor and silly idea to create an OU for a single user object/person).

I am able to filter the GPO in question by using a WMI filter that states "apply this GPO if this computer name does not equal the manager's computer name", using the following WMI filter syntax:

SELECT * FROM Win32_ComputerSystem WHERE Name <> 'theMgr'sPCname'

* Note: according to the documentation I read, "<>" represents "not equal to" in WQL/WMI scripting.
However, this Dept Manager is likely to log onto more than one PC, so I wanted to make the WMI filter state "apply this GPO if this user's logon name does not equal this Dept Mgr's domain logon name", but the following did not seem to work after a gpupdate /force and reboot:

SELECT * FROM Win32_UserAccount WHERE Name <> 'The Mgr'sLogonName'

(where 'The Mgr'sLogonName' was tried as <FirstInitialLastName>, <FirstInitialLastName.ourdomain.com> and FirstInitialLastName@xxxxxxxxxxxxx)

Help..... what am I doing wrong?

For those who are not aware of it, this is a great tool: WMI Code Creator v1.0 <http://www.microsoft.com/downloads/details.aspx?familyid=2CC30A64-EA15-4661-8DA4-55BBC145C30E&displaylang=en>

Mark Mills, Sr. Network Engineer
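The two mechanisms the thread turns on, worked through in PowerShell as an added example (this is not code from any of the posters or from the tools they mention). Part 1 evaluates a WQL filter locally the same way the Group Policy engine does, which shows why the Win32_UserAccount query in Mark's original post always evaluates true and why Darren's Win32_ComputerSystem.UserName form behaves differently. Part 2 does what the TechNet "option 2" Mark quotes describes: it puts a Deny "Apply Group Policy" ACE for one user or group on the ACL of one GPO, so only that GPO is affected. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined admin workstation; the domain CONTOSO, the user jdoe and the GPO name 'Screensaver Timeout' are placeholders, not names from the thread.

```powershell
# Added example, not from the thread. Assumes the RSAT GroupPolicy and
# ActiveDirectory modules, domain CONTOSO, user CONTOSO\jdoe and a GPO
# named 'Screensaver Timeout' (all hypothetical names).
Import-Module GroupPolicy, ActiveDirectory

# ---- 1. Evaluate a WMI filter the way the GP engine does ----
# A WMI filter is TRUE when its query returns at least one instance and
# FALSE when it returns none. Run this on the target workstation.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    [pscustomobject]@{ Query = $Query; Instances = $hits.Count; Applies = ($hits.Count -gt 0) }
}

# The Win32_UserAccount attempt: the class enumerates accounts, not the
# logged-on user, so "Name <> 'jdoe'" matches every other account and the
# filter is TRUE on every machine no matter who is logged on.
# (LocalAccount = TRUE keeps WMI from walking the whole domain's accounts.)
Test-WmiFilter "SELECT * FROM Win32_UserAccount WHERE LocalAccount = TRUE AND Name <> 'jdoe'"

# The Win32_ComputerSystem form: exactly one instance, whose UserName is the
# interactive console user as DOMAIN\user. The backslash is doubled because
# WQL treats '\' as an escape character inside string literals.
# UserName is NULL when nobody is logged on at the console (computer policy
# processing, or a user connected only via RDP); check how the filter
# evaluates in that state before relying on it.
Test-WmiFilter "SELECT * FROM Win32_ComputerSystem WHERE UserName <> 'CONTOSO\\jdoe'"

# ---- 2. Deny 'Apply Group Policy' for one principal on one GPO ----
# Set-GPPermission only writes Allow entries, so the Deny ACE is added to
# the ACL of the GPO's groupPolicyContainer object in AD. The ACE lives on
# that one object, so the principal's other GPOs are untouched. Deny wins
# over Allow, so it overrides the Allow the principal inherits from
# Authenticated Users on this GPO; group membership is not needed.
$ApplyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'  # extended-right GUID

function Deny-GpoApply {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$SamAccountName   # a user or a group
    )
    $gpo      = Get-GPO -Name $GpoName -ErrorAction Stop
    $domainDn = (Get-ADDomain).DistinguishedName
    $gpcDn    = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDn"
    $sid      = (Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties objectSid).objectSid

    $acl = Get-Acl -Path "AD:\$gpcDn"
    # No inheritance flags: the ACE applies to this object only, as GPMC sets it.
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $ApplyGroupPolicyRight)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$gpcDn" -AclObject $acl

    # Verify: the Deny shows up as a denied GpoApply entry on this GPO only.
    Get-GPPermission -Name $GpoName -All | Where-Object { $_.Denied }
}

Deny-GpoApply -GpoName 'Screensaver Timeout' -SamAccountName 'jdoe'
```

After `gpupdate /target:user /force` in the manager's session, `gpresult /r /scope:user` should list the GPO among those not applied, with the reason given as denied by security filtering, while every other GPO still applies to him. Run Part 1 on a workstation where the manager is logged on at the console and on one where he is not: the Win32_UserAccount query returns Applies = True in both cases, which is why it never excluded him.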