[gptalk] Re: GPO WMI Script filters - can it exclude users?

  • From: "Mills, Mark" <Mark.Mills@xxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 17 Aug 2006 09:46:10 -0500

Thanks for the replies guys:


Darren - thank you for your response it looks to be exactly what I need.
Being that I'm new to WMI scripting (and even new to VB) I'm still
learning all the classes and what they can do. Can you point me in a
direction that shows me how to perform the same query but instead of
using a user logon name, how would I filter using a local group, global
group, or OU.   What's the best way for me to learn what classes contain
the attributes I want to use to accomplish a given query/filter?


Looks like the WMI Code Creator
<http://www.microsoft.com/downloads/...&displaylang=en>  and your WMI
Validator Utility <http://www.gpoguy.com/WMIFTest.htm>  make like a very
useful combination of tools - thanks for your addition!




Jamie - 

Let me first say I left the book by Jeremy Moskowitz at home - awesome
GP Book!  Right now I can't seem to find the attribute to set a specific
Group Policy to "Deny" for a single user.


Answer to your questions - 

1) The policy that I'm trying to block is having the screensaver come up
after 1 hr of inactivity.

2) This is a "User Configuration" based group policy which has been
applied to an OU that has user object for the dept manager user object,
This OU does not contain computer objects.


I could be totally wrong on the following so please don't take my
reference and comments below as offensive - these are only my
observations and I welcome any additional info you can help with here...
Your quote:


"you should just be able to use security filtering and deny the "Apply
Group Policy" permission for the specific user/computer"  

From what I can see the Security filter only applies GPO's to objects,
it does not have a deny feature. The subcaption under the Security
filter states "The settings in this GPO can only apply to the following
groups, users, and computers"


Jamie I can't seem to find the attribute to set the a specific Group
Policy to Deny for a user or group based on your answer.  I see the MS
e2-927c-9989b4f55dd71033.mspx?mfr=true>  website says the following:
(note- I substituted the groups with <user?> to put this in context with
what I'm trying to do) :  


By default, users are included in authenticated users, which means that
they have the Apply Group Policy attribute set. If this is not desired,
administrators have two choices:


* Remove Authenticated Users from the list on the security tab of the
GPO, and add a new security group with the Apply Group Policy and Read
attributes set to Allow. This new group should contain all the users
that this Group Policy is intended to affect.  <not what I am looking


* Set the Apply Group Policy attribute to Deny for ...<the user ?>. This
will prevent the GPO from being applied to <the user?>. Remember that an
ACE set to Deny always takes precedence over Allow. Therefore, if a
given user is a member of another group <example: authenticated users>
that is set to explicitly Allow the Apply Group Policy attribute for
this GPO, it will still be denied.


Option 2 looks like what I want to do, but the second sentence states
that by putting a user in a security group with the GP attribute to
"deny" then all GP's across the entire domain will no longer be applied
to him\her.  (right?) 


To accomplish Option2 I'm understanding that they are telling me to do
the following:

1.      Create a security Group
2.      Un-inherit any permissions
3.      Go to the Security tab and add the user you want to block the
GPO on
4.      click on the Advanced button, go to the permissions tab
5.      select the user created in step 3, click edit
6.      where it says "From: Apply to:" change the default setting to
7.       scroll to bottom of the permissions to "Apply group Policy" and
check the deny box.
8.      Note- we did nothing on the members tab, so the user is not a
member of the group - or was I supposed to add him here, if I add him
here then no Policies would be applied to him across the domain, right?

Is my understanding correct?  


Have a made a mountain out of this, is there a simple way to set "deny"
on a single user for a single GPO? 



Mark Mills, Sr. Network Engineer

Desktop Assistance, LP

14405 Walters Road, Suite 650

Houston, Texas 77346


Office Phone:  281-444-2300 x113

Email: mark.mills@xxxxxxxxxxxxxxxxxxxxxx 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Nelson Jamie R Contr OC-ALC/ITMA
Sent: Tuesday, August 15, 2006 6:09 PM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: [gptalk] Re: GPO WMI Script filters - can it exclude users? 




If you need to limit the scope of a GPO for just a few users/computers
and don't want to create a new OU, you should just be able to use
security filtering and deny the "Apply Group Policy" permission for the
specific user/computer. However, that depends on what you're attempting
to do with your GPO.


What types of settings do you want to prevent from getting applied?
Computer, user, or both? Knowing that would help in finding the most
effective solution to your problem.



Jamie R Nelson

Systems Engineer / Analyst

Ingenium Corporation


405.739.2811 (DSN 339)


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Tuesday, August 15, 2006 5:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO WMI Script filters - can it exclude users? 



I think the Win32_UserAccount class enumerates user accounts defined on
the system where the query runs. So, instead of getting the currently
logged on user with that query, you are really asking it if there is a
user with the manager's user name defined on that workstation's local
SAM where the query runs. I think what you need instead is:


Select * FROM Win32_ComputerSystem WHERE UserName <>


So its looking for the NetBIOS form of the user name.



Also, this is a good opportunity for me to plug my newest free tool--the
WMI Filter Validator--which lets you validate a WMI Filter against a
machine without having to wait for a GP refresh to see if it will
evaluate to true.





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Mills, Mark
Sent: Tuesday, August 15, 2006 2:37 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO WMI Script filters - can it exclude users? 

I may be going about this the wrong way.  I'm getting the feeling that
the WMI filter tool provided only allows you to select what objects you
want to include and the filter was not meant to perform "exclude"

My situation:  I want to make sure a GPO doesn't get applied to a user
(a dept manager) in Group Policy. I could make his own OU but for the
purposes of me learning WMI filtering lets not consider that an
option.(plus it is a poor and silly idea to create a ou for a single
user object/person)

I am able to filter the GPO in question by using a WMI filter that
states - "apply this GPO if this computername does not equal the
manager's computer name" by using the following WMI syntax filter:

"SELECT * FROM Win32_ComputerSystem WHERE Name <> 'theMgr'sPCname'


* note- according to the documentation I read the " <> " represents "not
equal to" in WQL/WMI scripting.

However, this Dept Mananger is likely to log onto more than one PC, so I
wanted to make the WMI filter state "apply this GPO if this users logon
name does not equal this Dept Mgr's domain logon name" but the following
did not seem to work after a gpupdate /force, reboot:

SELECT * FROM Win32_UserAccount WHERE Name <> 'The Mgr'sLogonName'

(where 'The Mgr'sLogonName' was tried as <FirstInitialLastName> and
<FirstInitialLastName.ourdomain.com> and
FirstInitialLastName@xxxxxxxxxxxxx )

Help.....what am I doing wrong? 


For those who are not aware of it this is a great tool:
WMI Code Creator v1.0



Mark Mills, Sr. Network Engineer


Other related posts: