WMI Filtering by User

I have a single policy to the user which will enable the screen saver and password protect it. If this GPO is linked to an OU with the user charlesj, will the following WMI filter prevent the GP from applying to it?

SELECT * FROM Win32_UserAccount WHERE Name <> 'charlesj'
LVL 12
jjmartineziiiAsked:
Who is Participating?
 
tigermattConnect With a Mentor Commented:
The problem you have with WMI filters is you can only apply a maximum of one WMI filter per policy. It is for this reason you wouldn't use them for carrying out operations such as performing user filtering for a policy or anything else - not only does it clutter up Active Directory with WMI filters, it is overcomplicating matters for both you and the system.

WMI filters are generally used to only apply a policy to a set of computers - perhaps only Windows Vista PCs. That is what they are best for.

With that said, you can either move all the users the policy should apply to into their own OU, then link this policy there, or alternatively, use security filtering as KCTS has already suggested. I would always try to use the OU method unless you have to use security filtering.

-tigermatt
0
 
KCTSCommented:
0
 
jjmartineziiiAuthor Commented:
That's what I'm trying to avoid. Isn't that what WMI is for or is it just for computers? I'd like to reduce the number of security groups I use.
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
KCTSConnect With a Mentor Commented:
You can filter by the USER rather than group if you must. Yes WMI is mainly for computers - I'm not saying it can't be used with the user object, but I've not seen it myself (now there's an invitation to someone)
0
 
aces4all2008Commented:
KCTS and Tigermatt - Please correct me if I'm wrong but isn't Win32_UserAccount used to query a computer's SAM repository?  Wouldn't that query just return computers that have local accounts with the name 'charlesj'?  I haven't worked used wmi filtering with AD much but I've dome quite a bit of scripting and I know if I used that query in a script it wouldn't return and AD object.  I'm pretty sure that if filtering must be used the only viable solution short of writing the LDAP filter by hand is to use security filtering like you both advised.
0
 
tigermattCommented:
I've no idea, because I hardly ever use WMI filters, for the reasons I posted in http:#a21807157. It's bulky and really not necessary for the task at hand.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.