locked
WMI Filter Exclude OU RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote

    I have a request that i am not sure how to address, and looking for some help/pointers<o:p></o:p>

    I have a user policy that is applied to most users. A new request is to exclude a small
    group of computers from that policy.<o:p></o:p>

    I thought if i add a wmi filter to existing GPO to exclude an OU and move that small
    group of computers to new OU?<o:p></o:p>

    Any thought on that? And is there a way to exclude and OU with WMI filter?<o:p></o:p>

    Thank you.<o:p></o:p>


    Thursday, August 6, 2015 1:37 PM

Answers

  • Question
    Sign in to vote
    0
    Sign in to vote

    I am back at it. I understand that i have to use loopback. Where do i set a loopback processing?



    Loopback processing (which controls Group Policy processing), is set within a Group Policy. It's always seemd odd to me that GP is controlled by GP, but, meh.

    When you enable Loopback Processing, you can do this in *ANY* GPO, and it will cause *ALL GPOs* scoped to that computer to *ALWAYS* perform Loopback Processing.

    It doesn't matter which GPO you use to enable Loopback Processing - once any linked/scoped GPO enables Loopback Processing, *ALL* GPOs linked/scoped to that machine will be processed using Loopback.

    It's also important that you understand the difference between Loopback-Merge vs. Loopback-Replace, and, that enabling Loopback processing causes Group Policy to take much longer to process (because it processes twice)

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Proposed as answer by Mary Dong Wednesday, August 12, 2015 1:41 AM
    • Marked as answer by Mary Dong Thursday, August 13, 2015 5:03 AM
    Monday, August 10, 2015 9:34 PM

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote
    why not just apply to the OU's you want to target?
    Thursday, August 6, 2015 2:14 PM
  • Question
    Sign in to vote
    0
    Sign in to vote

    The current GPO is applied top level OU. I need to exclude a small group of computers under that.

    So i am thinking to exclude that OU.

    What would i apply to OU?

    Thanks.

    Thursday, August 6, 2015 2:23 PM
  • Question
    Sign in to vote
    0
    Sign in to vote
    > I have a user policy that is applied to most users. A new request is to
    > exclude a small group of computers from that policy.<o:p></o:p>
     
    So you have USER settings that you do not want to apply on some COMPUTERS?
     
    Some suggested reading on that :)
     
     
     
    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, August 6, 2015 4:41 PM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Well......thank you.....but.......those are things not to do!<o:p></o:p>

    I am working on existing environment i inherited from and need to make it work.<o:p></o:p>

    Any ideas?<o:p></o:p>


    Thursday, August 6, 2015 7:44 PM
  • Question
    Sign in to vote
    0
    Sign in to vote
    i need to read things properly :0
    Thursday, August 6, 2015 8:16 PM
  • Question
    Sign in to vote
    0
    Sign in to vote
    SOrry about that.....So as far as i see the only way to do it is to use loopback?
    Thursday, August 6, 2015 8:37 PM
  • Question
    Sign in to vote
    0
    Sign in to vote

    Well......thank you.....but.......those are things not to do!


    Um, no, you misunderstand Martin's intent, I think. His blogs explain exactly how you can achieve your stated goal - read his blogs again and you will see how to do this.. :)

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Thursday, August 6, 2015 9:35 PM
    Thursday, August 6, 2015 9:34 PM
  • Question
    Sign in to vote
    0
    Sign in to vote
    > SOrry about that.....So as far as i see the only way to do it is to use
    > loopback?
     
    No. You can use Group Policy Preferences in the user part, then do Item
    Level Targeting for Computer group membership. Of course this requires
    that you know the registry values that your settings use. That's what
    I've shown in the screen saver post :)
     
    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, August 7, 2015 10:02 AM
  • Question
    Sign in to vote
    0
    Sign in to vote

    I am still trying to get this going. Reading your blog, but having hard time understaning how to implement it.

    So far i have tried setiing a filter:

    Select * From RSOP_Session Where NOT SOM = 'OU=ConfTEST-R1,OU=Machines,OU=GR,DC=corp,DC=aol,DC=com'

    When i apply that filter the gpo is not applied regardless which OU the machine is in. As soon as i delete the filter the GPO is back. Not sure where the error is?

    Will try to figure your way over the weekend.

    Friday, August 7, 2015 8:59 PM
  • Question
    Sign in to vote
    0
    Sign in to vote

    I am back at it. I understand that i have to use loopback. Where do i set a loopback processing?

    I need to edit the machine policy? Again i need to exclude a group of computers from a user GPO. Which policy do i need to edit?

    Thanks



    • Edited by Ogeccut Monday, August 10, 2015 9:03 PM
    Monday, August 10, 2015 8:56 PM
  • Question
    Sign in to vote
    0
    Sign in to vote

    I am back at it. I understand that i have to use loopback. Where do i set a loopback processing?



    Loopback processing (which controls Group Policy processing), is set within a Group Policy. It's always seemd odd to me that GP is controlled by GP, but, meh.

    When you enable Loopback Processing, you can do this in *ANY* GPO, and it will cause *ALL GPOs* scoped to that computer to *ALWAYS* perform Loopback Processing.

    It doesn't matter which GPO you use to enable Loopback Processing - once any linked/scoped GPO enables Loopback Processing, *ALL* GPOs linked/scoped to that machine will be processed using Loopback.

    It's also important that you understand the difference between Loopback-Merge vs. Loopback-Replace, and, that enabling Loopback processing causes Group Policy to take much longer to process (because it processes twice)

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    • Proposed as answer by Mary Dong Wednesday, August 12, 2015 1:41 AM
    • Marked as answer by Mary Dong Thursday, August 13, 2015 5:03 AM
    Monday, August 10, 2015 9:34 PM
  • Question
    Sign in to vote
    0
    Sign in to vote
    > I am trying to look in Administrative Templates, click System, click
    > Group Policy, and then enable the Loopback Policy, but do not see
    > Loopback Policy.
     
    User configuration? Loopback is only available in the computer
    configuration.
     
    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, August 11, 2015 10:54 AM