Solved

WMI Filtering by User

Posted on 2008-06-17
6
787 Views
Last Modified: 2010-03-17
I have a single policy to the user which will enable the screen saver and password protect it. If this GPO is linked to an OU with the user charlesj, will the following WMI filter prevent the GP from applying to it?

SELECT * FROM Win32_UserAccount WHERE Name <> 'charlesj'
0
Comment
Question by:jjmartineziii
6 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 21806146
0
 
LVL 12

Author Comment

by:jjmartineziii
ID: 21806210
That's what I'm trying to avoid. Isn't that what WMI is for or is it just for computers? I'd like to reduce the number of security groups I use.
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 50 total points
ID: 21806369
You can filter by the USER rather than group if you must. Yes WMI is mainly for computers - I'm not saying it can't be used with the user object, but I've not seen it myself (now there's an invitation to someone)
0
 
LVL 58

Accepted Solution

by:
tigermatt earned 200 total points
ID: 21807157
The problem you have with WMI filters is you can only apply a maximum of one WMI filter per policy. It is for this reason you wouldn't use them for carrying out operations such as performing user filtering for a policy or anything else - not only does it clutter up Active Directory with WMI filters, it is overcomplicating matters for both you and the system.

WMI filters are generally used to only apply a policy to a set of computers - perhaps only Windows Vista PCs. That is what they are best for.

With that said, you can either move all the users the policy should apply to into their own OU, then link this policy there, or alternatively, use security filtering as KCTS has already suggested. I would always try to use the OU method unless you have to use security filtering.

-tigermatt
0
 
LVL 6

Expert Comment

by:aces4all2008
ID: 21808815
KCTS and Tigermatt - Please correct me if I'm wrong but isn't Win32_UserAccount used to query a computer's SAM repository?  Wouldn't that query just return computers that have local accounts with the name 'charlesj'?  I haven't worked used wmi filtering with AD much but I've dome quite a bit of scripting and I know if I used that query in a script it wouldn't return and AD object.  I'm pretty sure that if filtering must be used the only viable solution short of writing the LDAP filter by hand is to use security filtering like you both advised.
0
 
LVL 58

Expert Comment

by:tigermatt
ID: 21810585
I've no idea, because I hardly ever use WMI filters, for the reasons I posted in http:#a21807157. It's bulky and really not necessary for the task at hand.
0

Join & Write a Comment

Resolve DNS query failed errors for Exchange
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now