WMI filter to block policy based upon server name

stvbrx
How do I use a WMI filter to block a policy from being applied to a particular server based upon server name?
Top Expert 2005

Commented:
It's a lot easier to create a Security Group, add the server to it then add the Security Group to the ACL of the GPO with a Deny - Apply Group Policy entry.

Yup, this is right. I have done this same setup at one of my clients, and it works like a charm.

Cheers:)
Kamal

Author

Commented:
Yes, I know I can do it with a security group, but I was trying to use the WMI filter.
(I'm trying to learn how to use this feature.)

Is it possible at all?

Top Expert 2005
Commented:
Yes; however, you can only attach one WMI filter to a GPO, and only XP and newer OSes can actually use it.  Windows 2000 does not understand WMI filters and will ignore them.


You'll need to make a true or false WMI query (I'm guessing you need a false query); this way, if the query is false, the GPO applies.

This example would only apply the GPO to XP Professional:

Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"


This may work:

Root\CimV2; Select * from Win32_ComputerSystem where name = "servername"
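
Added example (not part of the original thread): a PowerShell check, run on the machine in question, of how name-based filter queries like the one above evaluate locally. A GPO linked to a WMI filter is applied when the filter's query returns at least one instance, so excluding a single server by name uses a `<>` comparison. `SERVERNAME` and the helper name `Test-WmiFilterQuery` are placeholders introduced here.

```powershell
# Added example: evaluate WMI-filter queries locally before linking them to a GPO.
# 'SERVERNAME' is a placeholder for the server that should NOT receive the policy.

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMV2'
    )
    try {
        # @() forces an array so .Count is reliable for 0, 1 or many instances
        $hits = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    }
    catch {
        # This helper treats a query that fails to run as "no match"
        Write-Warning "Query failed: $($_.Exception.Message)"
        return $false
    }
    # The filter is true when the query returns at least one instance
    return ($hits.Count -gt 0)
}

$excluded = 'SERVERNAME'   # placeholder NetBIOS name

$queries = [ordered]@{
    'Apply ONLY on the named server'     = "SELECT * FROM Win32_ComputerSystem WHERE Name = '$excluded'"
    'Apply everywhere EXCEPT the server' = "SELECT * FROM Win32_ComputerSystem WHERE Name <> '$excluded'"
}

foreach ($label in $queries.Keys) {
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Filter        = $label
        Query         = $queries[$label]
        GpoWouldApply = Test-WmiFilterQuery -Query $queries[$label]
    }
}
```

On the server to be excluded, the `<>` query should report `GpoWouldApply = False`; on every other machine it should report `True`.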
 

 

Author

Commented:
thanks Netman66!

Author

Commented:
I applied the policy as described with the server having deny permissions in the properties, but when I RDP to the server, it still shows up before the Windows login screen!
The legal banner statements do not exist in the registry of the server.
Why is this happening?
Top Expert 2005

Commented:
Explain to me, in detail, where the GPO is, whether computer or user configurations are being set, and how you set up the security on the policy.

The legal caption is a computer setting - are you sure you're setting ACEs on the correct policy?

Author

Commented:
GPO is applied at the top level of the domain.  (just below Default policy).
Settings are computer based.
Security settings:
Auth Users Read/apply
Security group I created: Deny Read/Deny Apply
And all other default sec. settings

What does ACE stand for?
Top Expert 2005

Commented:
ACE=Access Control Entry.

Okay, this setting is registry-based.  You'll have to create a new policy with only the new security group on it then leave everything blank - it should reverse the setting from the other policy.
