?
Solved

Group Policy WMI Filter for User Field Value

Posted on 2011-02-14
4
Medium Priority
?
1,186 Views
Last Modified: 2012-05-11
I need to filter a Group Policy that denies local logon to a specific group of users because there are certain users that must be in that group which I do not want the policy to be enforced upon.  The one variable that differentiates between the users is the "Company" field under the "Organization" tab in the A.D. profiles.  The ones that I want the policy to be enforced upon MUST have "Student" in that field.  Anything else results in the policy being ignored.  I know how to pull that field through a full-blown script, but WMI Filters can't be a full script.  They have to be a direct output of a WMI Class's values.  Please help.  Thank you in advance.
0
Comment
Question by:Infinetwork
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 3

Expert Comment

by:laughelemental
ID: 34889714
Hello

You do not need any WMI filterto do that. It's achieved via Group Policy security settings/ Make desired permissions to apply that GP only to specific user (or computer) group
see http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html
0
 

Author Comment

by:Infinetwork
ID: 34889810
There are too many users to add them individually, since you can't add the ones NOT to apply the policy to (you can only list who you DO want it applied to). And, as I said, there are users in the group that I don't want the policy applied to (so, I can't apply it to the group). Also, just so you know, this is an auto-generated group, so making a new group through the system that created this group would not be an option as I would run into the same problem at some point all over again. One more thing: manually moving around users/groups is not an option as the groups would be in constant change and it would be too much overhead. That's why it needs to be a WMI filter - so that it only let's the policy work when certain criteria is met.
0
 
LVL 3

Accepted Solution

by:
laughelemental earned 1500 total points
ID: 34889988
since you can't add the ones NOT to apply the policy to (you can only list who you DO want it applied to)

you CAN do that by setting DENY flag in security.
0
 

Author Closing Comment

by:Infinetwork
ID: 34890120
Thanks.  Sometimes I forget the obvious and basic answers.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question