[gptalk] Re: GPO WMI Script filters - can it exclude users?

  • From: Nelson Jamie R Contr OC-ALC/ITMA <Jamie.Nelson.ctr@xxxxxxxxxxxxx>
  • To: "'gptalk@xxxxxxxxxxxxx'" <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 15 Aug 2006 18:09:05 -0500



If you need to limit the scope of a GPO for just a few users/computers and
don't want to create a new OU, you should just be able to use security
filtering and deny the "Apply Group Policy" permission for the specific
user/computer. However, that depends on what you're attempting to do with
your GPO.


What types of settings do you want to prevent from getting applied?
Computer, user, or both? Knowing that would help in finding the most
effective solution to your problem.



Jamie R Nelson

Systems Engineer / Analyst

Ingenium Corporation


405.739.2811 (DSN 339)


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, August 15, 2006 5:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO WMI Script filters - can it exclude users? 



I think the Win32_UserAccount class enumerates user accounts defined on the
system where the query runs. So, instead of getting the currently logged on
user with that query, you are really asking it if there is a user with the
manager's user name defined on that workstation's local SAM where the query
runs. I think what you need instead is:


Select * FROM Win32_ComputerSystem WHERE UserName <> "domainName\\UserName"


So it's looking for the NetBIOS form of the user name (with the backslash doubled, since backslash is the escape character in WQL string literals).



Also, this is a good opportunity for me to plug my newest free tool--the WMI
Filter Validator--which lets you validate a WMI Filter against a machine
without having to wait for a GP refresh to see if it will evaluate to true.





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Mills, Mark
Sent: Tuesday, August 15, 2006 2:37 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO WMI Script filters - can it exclude users? 

I may be going about this the wrong way. I'm getting the feeling that the
WMI filter tool provided only allows you to select what objects you want to
include, and that the filter was not meant to perform "exclude" actions?

My situation: I want to make sure a GPO doesn't get applied to a user (a
dept manager) in Group Policy. I could make his own OU, but for the purposes
of me learning WMI filtering let's not consider that an option (plus it is a
poor and silly idea to create an OU for a single user object/person).

I am able to filter the GPO in question by using a WMI filter that states -
"apply this GPO if this computername does not equal the manager's computer
name" by using the following WMI syntax filter:

SELECT * FROM Win32_ComputerSystem WHERE Name <> 'TheMgrsPCName'


* note- according to the documentation I read the " <> " represents "not
equal to" in WQL/WMI scripting.

However, this Dept Manager is likely to log onto more than one PC, so I
wanted to make the WMI filter state "apply this GPO if this user's logon name
does not equal this Dept Mgr's domain logon name", but the following did not
seem to work after a gpupdate /force and reboot:

SELECT * FROM Win32_UserAccount WHERE Name <> 'TheMgrsLogonName'

(where 'TheMgrsLogonName' was tried as <FirstInitialLastName>,
<FirstInitialLastName.ourdomain.com> and FirstInitialLastName@xxxxxxxxxxxxx)

Help.....what am I doing wrong? 


For those who are not aware of it this is a great tool:
WMI Code Creator v1.0



Mark Mills, Sr. Network Engineer
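An added example, not part of the thread above, that does by hand what Darren's WMI Filter Validator does: it runs each candidate filter query against the local machine with the CIM cmdlets and reports whether a GPO carrying that filter would apply (a WMI filter is true when the query returns at least one instance). It puts Darren's Win32_ComputerSystem form next to Mark's Win32_UserAccount form so the difference is visible, and it handles the WQL backslash escaping that the DOMAIN\user literal needs. The account name CONTOSO\jdoe is a placeholder standing in for the manager, and the cmdlets assume Windows PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): evaluate candidate GPO WMI-filter
# queries locally, the way the GP client will evaluate them at refresh time.
# Assumes the CIM cmdlets (Windows PowerShell 3.0+ / PowerShell 7).
# 'CONTOSO\jdoe' is a placeholder for the manager's domain account.

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\cimv2'      # the namespace a GPO WMI filter defaults to
    )
    # A WMI filter evaluates to TRUE when the query returns one or more instances,
    # so the GPO applies exactly when $instances.Count is greater than zero.
    $instances = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    [pscustomobject]@{
        Query     = $Query
        Instances = $instances.Count
        Applies   = ($instances.Count -gt 0)
    }
}

$manager = 'CONTOSO\jdoe'                 # placeholder account, not from the thread
# WQL uses backslash as its escape character, so the domain separator in the
# string literal has to be doubled or the query never matches DOMAIN\user.
$managerWql = $manager.Replace('\', '\\')

$queries = @(
    # Darren's form: Win32_ComputerSystem.UserName is the DOMAIN\user who is
    # logged on at the console of the machine running the query.
    "SELECT * FROM Win32_ComputerSystem WHERE UserName <> '$managerWql'"

    # Mark's form: Win32_UserAccount enumerates account objects (local SAM and,
    # on a domain member, domain accounts it can see). It says nothing about who
    # is logged on, and with more than one account visible it returns rows no
    # matter which user the policy is being processed for.
    "SELECT * FROM Win32_UserAccount WHERE LocalAccount = TRUE AND Name <> 'jdoe'"
)

foreach ($q in $queries) {
    Test-WmiFilterQuery -Query $q
}

# Worth checking before relying on the UserName comparison: the property is NULL
# when nobody is logged on at the console, and in a Terminal Services / RDP
# session it still reports the console user, not the remote user.
(Get-CimInstance -ClassName Win32_ComputerSystem).UserName
```

Run it as an ordinary user on a workstation where someone is logged on at the console and compare the Instances column for the two queries: the Win32_ComputerSystem query returns 0 or 1 row depending on who is at the console, while the Win32_UserAccount query returns one row per account that is not named jdoe, which is why it cannot serve as a "not this user" filter.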

