none
WMI Filter Exclude OU

    Question

  • I have a request that i am not sure how to address, and looking for some help/pointers<o:p></o:p>

    I have a user policy that is applied to most users. A new request is to exclude a small
    group of computers from that policy.<o:p></o:p>

    I thought if i add a wmi filter to existing GPO to exclude an OU and move that small
    group of computers to new OU?<o:p></o:p>

    Any thought on that? And is there a way to exclude and OU with WMI filter?<o:p></o:p>

    Thank you.<o:p></o:p>


    Thursday, August 06, 2015 1:37 PM

Answers

  • I am back at it. I understand that i have to use loopback. Where do i set a loopback processing?



    Loopback processing (which controls Group Policy processing), is set within a Group Policy. It's always seemd odd to me that GP is controlled by GP, but, meh.

    When you enable Loopback Processing, you can do this in *ANY* GPO, and it will cause *ALL GPOs* scoped to that computer to *ALWAYS* perform Loopback Processing.

    It doesn't matter which GPO you use to enable Loopback Processing - once any linked/scoped GPO enables Loopback Processing, *ALL* GPOs linked/scoped to that machine will be processed using Loopback.

    It's also important that you understand the difference between Loopback-Merge vs. Loopback-Replace, and, that enabling Loopback processing causes Group Policy to take much longer to process (because it processes twice)


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Monday, August 10, 2015 9:34 PM

All replies

  • why not just apply to the OU's you want to target?
    Thursday, August 06, 2015 2:14 PM
  • The current GPO is applied top level OU. I need to exclude a small group of computers under that.

    So i am thinking to exclude that OU.

    What would i apply to OU?

    Thanks.

    Thursday, August 06, 2015 2:23 PM
  • > I have a user policy that is applied to most users. A new request is to
    > exclude a small group of computers from that policy.<o:p></o:p>
     
    So you have USER settings that you do not want to apply on some COMPUTERS?
     
    Some suggested reading on that :)
     
     
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, August 06, 2015 4:41 PM
  • Well......thank you.....but.......those are things not to do!<o:p></o:p>

    I am working on existing environment i inherited from and need to make it work.<o:p></o:p>

    Any ideas?<o:p></o:p>


    Thursday, August 06, 2015 7:44 PM
  • i need to read things properly :0
    Thursday, August 06, 2015 8:16 PM
  • SOrry about that.....So as far as i see the only way to do it is to use loopback?
    Thursday, August 06, 2015 8:37 PM
  • Well......thank you.....but.......those are things not to do!


    Um, no, you misunderstand Martin's intent, I think. His blogs explain exactly how you can achieve your stated goal - read his blogs again and you will see how to do this.. :)

    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)


    • Edited by DonPick Thursday, August 06, 2015 9:35 PM
    Thursday, August 06, 2015 9:34 PM
  • > SOrry about that.....So as far as i see the only way to do it is to use
    > loopback?
     
    No. You can use Group Policy Preferences in the user part, then do Item
    Level Targeting for Computer group membership. Of course this requires
    that you know the registry values that your settings use. That's what
    I've shown in the screen saver post :)
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Friday, August 07, 2015 10:02 AM
  • I am still trying to get this going. Reading your blog, but having hard time understaning how to implement it.

    So far i have tried setiing a filter:

    Select * From RSOP_Session Where NOT SOM = 'OU=ConfTEST-R1,OU=Machines,OU=GR,DC=corp,DC=aol,DC=com'

    When i apply that filter the gpo is not applied regardless which OU the machine is in. As soon as i delete the filter the GPO is back. Not sure where the error is?

    Will try to figure your way over the weekend.

    Friday, August 07, 2015 8:59 PM
  • I am back at it. I understand that i have to use loopback. Where do i set a loopback processing?

    I need to edit the machine policy? Again i need to exclude a group of computers from a user GPO. Which policy do i need to edit?

    Thanks



    • Edited by Ogeccut Monday, August 10, 2015 9:03 PM
    Monday, August 10, 2015 8:56 PM
  • I am back at it. I understand that i have to use loopback. Where do i set a loopback processing?



    Loopback processing (which controls Group Policy processing), is set within a Group Policy. It's always seemd odd to me that GP is controlled by GP, but, meh.

    When you enable Loopback Processing, you can do this in *ANY* GPO, and it will cause *ALL GPOs* scoped to that computer to *ALWAYS* perform Loopback Processing.

    It doesn't matter which GPO you use to enable Loopback Processing - once any linked/scoped GPO enables Loopback Processing, *ALL* GPOs linked/scoped to that machine will be processed using Loopback.

    It's also important that you understand the difference between Loopback-Merge vs. Loopback-Replace, and, that enabling Loopback processing causes Group Policy to take much longer to process (because it processes twice)


    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
    This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

    Monday, August 10, 2015 9:34 PM
  • > I am trying to look in Administrative Templates, click System, click
    > Group Policy, and then enable the Loopback Policy, but do not see
    > Loopback Policy.
     
    User configuration? Loopback is only available in the computer
    configuration.
     

    Greetings/Grüße, Martin

    Mal ein gutes Buch über GPOs lesen?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Tuesday, August 11, 2015 10:54 AM