none
Need WMI filter that applies GPO only if computer in specific OU

    Question

  • Looking for WMI filter (along with Namespace) to add to GPO that will apply only to computers that are in an OU that contains a specific string (e.g. Conference). The purpose is to have a GPO that changes the screensaver timeout (which is a user policy that is currently defined in the default domain GPO) when anyone logs on to computers that are in the conference rooms OU.

    Friday, September 18, 2009 8:20 PM

Answers

  • Instead of using WMI-filter, you nead to enable loopback processing.
    Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

    When loopback processing is enabled, it's possibly to link GPO containing user configuration settings to the OU containing computer objects.
    Saturday, September 19, 2009 7:30 PM

All replies

  • Instead of using WMI-filter, you nead to enable loopback processing.
    Computer Configuration\Administrative Templates\System\Group Policy\User Group Policy loopback processing mode

    When loopback processing is enabled, it's possibly to link GPO containing user configuration settings to the OU containing computer objects.
    Saturday, September 19, 2009 7:30 PM
  • But is it possible to create such filter? E.g. I create complicated query, but is it possible to use as  WMI filter?

    Set WshShell = CreateObject("WScript.Shell")

    Set objEnv = WshShell.Environment("Process")
    strComputer = objEnv("COMPUTERNAME")
    Wscript.Echo strComputer
    Set objWMIService = GetObject("winmgmts:\\.\root\directory\LDAP") 
    Set colItems = objWMIService.ExecQuery( _
       "SELECT * FROM ads_computer where DS_displayName like '%" & strComputer & "%' and DS_distinguishedName like '%terminal servers%'",,48) 
    For Each objItem in colItems 
        Wscript.Echo "-----------------------------------"
        Wscript.Echo "ads_computer instance"
        Wscript.Echo "-----------------------------------"
        Wscript.Echo "DS_displayName: " & objItem.DS_displayName
        Wscript.Echo "DS_distinguishedName: " & objItem.DS_distinguishedName
        Wscript.Echo "DS_dNSHostName: " & objItem.DS_dNSHostName
    Next

    • Proposed as answer by a2af Wednesday, February 15, 2012 10:47 AM
    • Unproposed as answer by a2af Wednesday, February 15, 2012 10:47 AM
    Wednesday, February 15, 2012 10:47 AM
  • Sorry for that - no, you can not.
     
    You cannot use environment variables in WMI filters as there is nothing
    that would resolve them, and you cannot access the computer name from
    within the query. WMI filters are not dynamic in the query string.
     
    But as far as I can see in your query, you are looking wether the
    current computer account belongs to an OU named like "terminal servers"?
    So why not linking your policy in question directly to that OU? Result
    should be the same (-:
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Wednesday, February 15, 2012 11:30 AM