[gptalk] Re: GPO WMI Script filters - can it exclude users?

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 17 Aug 2006 08:51:10 -0700

There is a relatively simple way to set a deny on a user or computer. If
you're using GPMC, you have to go into the Advanced section on the security
filtering tab for a particular GPO and then you get the familiar ACL Editor,
where you can go in and set a Deny on the Read and Apply Group Policy
permissions. That will block that particular GPO for that particular user
(or member of a group).  Remember that Deny ACEs always override allows, so
you don't need to remove Authenticated users before setting the Deny. I
covered this in one of my training videos if you want to see it in action.
If you go to www.gpoguy.com/training.htm, check out video 100.3
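As an added example (not code from the thread or from Darren's tools), a PowerShell check using the GroupPolicy and ActiveDirectory RSAT modules that reports whether a Deny ACE on a GPO's Read or Apply Group Policy permission blocks a given user, including via nested group membership and the primary group. The GPO name and account name passed in are placeholders.

```powershell
# Added example: verify that a Deny on Read / Apply Group Policy reaches a user.
# Assumes RSAT GroupPolicy and ActiveDirectory modules and read access to AD and the GPO.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-UserSecurityIds {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID
    $sids = [System.Collections.Generic.List[string]]::new()
    $sids.Add($user.SID.Value)
    # The primary group (normally Domain Users) is not listed in any group's
    # 'member' attribute, so derive its SID from primaryGroupID instead.
    $primarySid = "$($user.SID.AccountDomainSid)-$($user.primaryGroupID)"
    $sids.Add($primarySid)
    $primaryDn  = (Get-ADGroup -Identity $primarySid).DistinguishedName
    # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership in one query.
    # (DNs containing ( ) * or \ would need LDAP filter escaping; omitted here.)
    $chain = "(|(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" +
             "(member:1.2.840.113556.1.4.1941:=$primaryDn))"
    Get-ADGroup -LDAPFilter $chain | ForEach-Object { $sids.Add($_.SID.Value) }
    $sids.Add('S-1-5-11')   # Authenticated Users: every domain logon carries it
    $sids.Add('S-1-1-0')    # Everyone
    return $sids
}

function Test-GpoDeniedForUser {
    param([Parameter(Mandatory)][string]$GpoName,
          [Parameter(Mandatory)][string]$SamAccountName)
    $userSids = Get-UserSecurityIds -SamAccountName $SamAccountName
    # Deny ACEs win over any Allow, so one matching Deny is enough to block the GPO.
    $denies = Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Denied -and ($_.Permission -in 'GpoApply', 'GpoRead') }
    foreach ($ace in $denies) {
        if ($userSids -contains $ace.Trustee.Sid.Value) {
            return [pscustomobject]@{ Blocked = $true; Trustee = $ace.Trustee.Name
                                      Permission = $ace.Permission }
        }
    }
    [pscustomobject]@{ Blocked = $false; Trustee = $null; Permission = $null }
}

# Placeholder names; replace with the real GPO and the manager's account.
Test-GpoDeniedForUser -GpoName 'Screensaver Timeout' -SamAccountName 'jdoe'
```

The check reads AD only; it does not change any ACL, so it is safe to run after setting the Deny in GPMC to confirm the GPO really is blocked for that account.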


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Mills, Mark
Sent: Thursday, August 17, 2006 7:46 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO WMI Script filters - can it exclude users? 

Thanks for the replies guys:


Darren - thank you for your response; it looks to be exactly what I need.
Being that I'm new to WMI scripting (and even new to VB) I'm still learning
all the classes and what they can do. Can you point me in a direction that
shows me how to perform the same query but, instead of using a user logon
name, filter using a local group, global group, or OU?   What's
the best way for me to learn what classes contain the attributes I want to
use to accomplish a given query/filter?


Looks like the WMI Code Creator
<http://www.microsoft.com/downloads/...&displaylang=en> and your WMI
Validator Utility <http://www.gpoguy.com/WMIFTest.htm> make a very
useful combination of tools - thanks for your addition!




Jamie - 

Let me first say I left the book by Jeremy Moskowitz at home - awesome GP
Book!  Right now I can't seem to find the attribute to set a specific Group
Policy to "Deny" for a single user.


Answer to your questions - 

1) The policy that I'm trying to block is having the screensaver come up
after 1 hr of inactivity.

2) This is a "User Configuration" based group policy which has been applied
to an OU that contains the dept manager's user object. This OU does
not contain computer objects.


I could be totally wrong on the following so please don't take my reference
and comments below as offensive - these are only my observations and I
welcome any additional info you can help with here.  Your quote:


"you should just be able to use security filtering and deny the "Apply Group
Policy" permission for the specific user/computer"  

From what I can see the Security filter only applies GPO's to objects, it
does not have a deny feature. The subcaption under the Security filter
states "The settings in this GPO can only apply to the following groups,
users, and computers"


Jamie, I can't seem to find the attribute to set a specific Group Policy
to Deny for a user or group based on your answer.  I see the MS
Technet website <...27c-9989b4f55dd71033.mspx?mfr=true> says the following
(note- I substituted the groups with <user?> to put this in context with
what I'm trying to do):


By default, users are included in authenticated users, which means that they
have the Apply Group Policy attribute set. If this is not desired,
administrators have two choices:


. Remove Authenticated Users from the list on the security tab of the GPO,
and add a new security group with the Apply Group Policy and Read attributes
set to Allow. This new group should contain all the users that this Group
Policy is intended to affect.  <not what I am looking for>


. Set the Apply Group Policy attribute to Deny for ...<the user ?>. This
will prevent the GPO from being applied to <the user?>. Remember that an ACE
set to Deny always takes precedence over Allow. Therefore, if a given user
is a member of another group <example: authenticated users>  that is set to
explicitly Allow the Apply Group Policy attribute for this GPO, it will
still be denied.


Option 2 looks like what I want to do, but the second sentence states that
by putting a user in a security group with the GP attribute to "deny" then
all GP's across the entire domain will no longer be applied to him\her.


To accomplish Option2 I'm understanding that they are telling me to do the

1. Create a security Group

2. Un-inherit any permissions

3. Go to the Security tab and add the user you want to block the GPO on

4. Click on the Advanced button, go to the permissions tab

5. Select the user created in step 3, click edit

6. Where it says "From: Apply to:" change the default setting to

7. Scroll to bottom of the permissions to "Apply group Policy" and
check the deny box.

8. Note- we did nothing on the members tab, so the user is not a member
of the group - or was I supposed to add him here? If I add him here then no
Policies would be applied to him across the domain, right?

Is my understanding correct?  


Have I made a mountain out of this? Is there a simple way to set "deny" on a
single user for a single GPO?



Mark Mills, Sr. Network Engineer

Desktop Assistance, LP

14405 Walters Road, Suite 650

Houston, Texas 77346


Office Phone:  281-444-2300 x113

Email: mark.mills@xxxxxxxxxxxxxxxxxxxxxx 


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson Jamie R Contr OC-ALC/ITMA
Sent: Tuesday, August 15, 2006 6:09 PM
To: 'gptalk@xxxxxxxxxxxxx'
Subject: [gptalk] Re: GPO WMI Script filters - can it exclude users? 




If you need to limit the scope of a GPO for just a few users/computers and
don't want to create a new OU, you should just be able to use security
filtering and deny the "Apply Group Policy" permission for the specific
user/computer. However, that depends on what you're attempting to do with
your GPO.


What types of settings do you want to prevent from getting applied?
Computer, user, or both? Knowing that would help in finding the most
effective solution to your problem.



Jamie R Nelson

Systems Engineer / Analyst

Ingenium Corporation


405.739.2811 (DSN 339)


From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Tuesday, August 15, 2006 5:27 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPO WMI Script filters - can it exclude users? 



I think the Win32_UserAccount class enumerates user accounts defined on the
system where the query runs. So, instead of getting the currently logged on
user with that query, you are really asking it if there is a user with the
manager's user name defined on that workstation's local SAM where the query
runs. I think what you need instead is:


Select * FROM Win32_ComputerSystem WHERE UserName <> "domainName\UserName"


So it's looking for the NetBIOS form of the user name.



Also, this is a good opportunity for me to plug my newest free tool--the WMI
Filter Validator--which lets you validate a WMI Filter against a machine
without having to wait for a GP refresh to see if it will evaluate to true.
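As an added example (not code from the thread or from Darren's validator), a PowerShell function that evaluates a WQL filter the way the Group Policy engine does: the filter is true when the query returns at least one instance. It assumes it runs on the workstation being checked (or on a remote one via -ComputerName) and uses a constructed placeholder for the manager's NetBIOS logon name.

```powershell
# Added example: evaluate WMI filter queries locally, without waiting for a GP refresh.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$ComputerName            # optional; omit to query the local machine
    )
    # GP evaluates filters in root\CIMv2 unless the filter specifies another namespace.
    $params = @{ Namespace = 'root\CIMv2'; Query = $Query; ErrorAction = 'Stop' }
    if ($ComputerName) { $params.ComputerName = $ComputerName }
    $hits = @(Get-CimInstance @params)
    [pscustomobject]@{
        Query     = $Query
        Instances = $hits.Count
        Applies   = ($hits.Count -gt 0)   # >= 1 instance means "filter passes"
    }
}

$ExcludedUser = 'CONTOSO\jdoe'       # placeholder: the manager's NetBIOS logon name
# WQL treats backslash as an escape character inside string literals, so the
# filter text must contain 'CONTOSO\\jdoe' for the comparison to match.
$WqlUser = $ExcludedUser -replace '\\', '\\'

# 1) Win32_UserAccount enumerates accounts (local SAM, and domain accounts if
#    reachable); "Name <> 'jdoe'" matches every OTHER account, so this filter
#    returns many instances and is always true: it never excludes anyone.
Test-WmiFilter -Query "SELECT * FROM Win32_UserAccount WHERE Name <> 'jdoe'"

# 2) Win32_ComputerSystem has exactly one instance, and UserName holds the
#    interactively logged-on user as DOMAIN\user, so this returns 0 or 1 rows
#    and the filter is false only when the excluded user is logged on.
Test-WmiFilter -Query "SELECT * FROM Win32_ComputerSystem WHERE UserName <> '$WqlUser'"

# Caveat: UserName reflects the console session only (empty when nobody is at
# the console, and not the RDP user), so test on the session type the manager uses.
```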





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Mills, Mark
Sent: Tuesday, August 15, 2006 2:37 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPO WMI Script filters - can it exclude users? 

I may be going about this the wrong way.  I'm getting the feeling that the
WMI filter tool provided only allows you to select what objects you want to
include and the filter was not meant to perform "exclude" actions? 

My situation:  I want to make sure a GPO doesn't get applied to a user (a
dept manager) in Group Policy. I could make his own OU, but for the purposes
of me learning WMI filtering let's not consider that an option (plus it is a
poor and silly idea to create an OU for a single user object/person).

I am able to filter the GPO in question by using a WMI filter that states -
"apply this GPO if this computername does not equal the manager's computer
name" by using the following WMI syntax filter:

SELECT * FROM Win32_ComputerSystem WHERE Name <> 'TheMgrsPCName'


* note- according to the documentation I read the " <> " represents "not
equal to" in WQL/WMI scripting.

However, this Dept Manager is likely to log onto more than one PC, so I
wanted to make the WMI filter state "apply this GPO if this user's logon name
does not equal this Dept Mgr's domain logon name" but the following did not
seem to work after a gpupdate /force, reboot:

SELECT * FROM Win32_UserAccount WHERE Name <> 'TheMgrsLogonName'

(where 'TheMgrsLogonName' was tried as <FirstInitialLastName> and
<FirstInitialLastName.ourdomain.com> and FirstInitialLastName@xxxxxxxxxxxxx)

Help.....what am I doing wrong? 


For those who are not aware of it this is a great tool:
WMI Code Creator v1.0



Mark Mills, Sr. Network Engineer

