Exclude user from GPO using WMI not working

    Question

  • Hi,

    We have a GPO in Group Policy Management that makes all computers/servers in the domain lock the screen after 10 minutes. We then use a WMI filter to exclude some thin clients from that policy (they never get the lock screen) and that works ok for us. But then we also want a specific user to be excluded from this GPO. I think it is written to apply on all computers (see code below) but actually this user is only supposed to log in with remote desktop to a specific terminal server. So best would be if the specific user only gets excluded when logged in to a specific server. But anyway, this does not work at all for now.

    The WMI filter is something like:

    select * from Win32_ComputerSystem where not (Name like "thinclient1" or Name like "thinclient2" or UserName = "domain\\user1")

    The thin clients are ok, but not user1. Why is this? Could it be because the terminal server itself still gets the GPO 10 min lock? So the user is excluded from the lock screen GPO but the server still gets the GPO? Or should this work anyway?

    Thursday, January 21, 2016 9:20 AM

Answers

  • > I ran the first command on a test TS and it listed one other user that
    > was logged in (there was only one), but did not list myself.
     
    That's what I expected - it does not give the wanted result. From the
    class definition on MSDN:
     
    Name of a user that is logged on currently. This property must have a
    value. In a terminal services session, UserName returns the name of the
    user that is logged on to the console—not the user logged on during the
    terminal service session.
     
     
    Friday, January 22, 2016 11:54 AM
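    To see this behaviour for yourself on the terminal server, here is an added PowerShell example (not from the thread) that shows the single console user a `UserName = ...` WMI filter can match, lists the interactive and RDP logon sessions the filter never consults, and evaluates the thread's WQL filter the way the Group Policy engine does; `DOMAIN\user1` is a placeholder account.

```powershell
# Added example, not part of the original thread. Run on the TS itself.
# DOMAIN\user1 is a placeholder; pass the account you want to check.
param([string]$ExcludedUser = 'DOMAIN\user1')

# 1. The only value a "UserName = ..." WMI filter can ever match:
#    the user logged on at the console (empty when nobody is).
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"Win32_ComputerSystem.UserName (console user only): '$($cs.UserName)'"

# 2. Who is actually logged on: LogonType 2 = Interactive (console),
#    LogonType 10 = RemoteInteractive (RDP). Resolved through the
#    Win32_LoggedOnUser association, which the WMI filter never reads.
$typeById = @{}
foreach ($s in Get-CimInstance -ClassName Win32_LogonSession) {
    if ($s.LogonType -in 2, 10) { $typeById[$s.LogonId] = $s.LogonType }
}
$loggedOn = foreach ($lu in Get-CimInstance -ClassName Win32_LoggedOnUser) {
    $id = $lu.Dependent.LogonId
    if ($typeById.ContainsKey($id)) {
        [pscustomobject]@{
            Account   = '{0}\{1}' -f $lu.Antecedent.Domain, $lu.Antecedent.Name
            LogonType = if ($typeById[$id] -eq 10) { 'RemoteInteractive (RDP)' }
                        else { 'Interactive (console)' }
        }
    }
}
"Logon sessions on this host:"
$loggedOn | Sort-Object Account, LogonType -Unique | Format-Table -AutoSize

# 3. Evaluate the thread's filter as Group Policy does: an instance returned
#    means the filter is TRUE and the GPO applies; no instance means denied.
$wqlUser = $ExcludedUser -replace '\\', '\\'   # WQL strings need "\" doubled
$wql = 'select * from Win32_ComputerSystem where not (Name like "thinclient1" ' +
       'or Name like "thinclient2" or UserName = "' + $wqlUser + '")'
if (Get-CimInstance -Query $wql) {
    "WMI filter evaluates TRUE: gpoLock10min would still apply here"
} else {
    "WMI filter evaluates FALSE: gpoLock10min would be denied (WMI Filter)"
}
```

    When user1 is connected over RDP, step 2 lists the account with LogonType RemoteInteractive while step 1 shows a different (or empty) UserName, so step 3 reports TRUE and the GPO keeps applying, which is exactly the gpresult output earlier in the thread.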

All replies

  • > select *from Win32_ComputerSystem where not (name like "thinclient1" or
    > name like "thinclient2" or UserName = "domain\\user1")
     
    Looks ok so far - did you grab a gpresult /h from the user to see if the
    WMI filter evaluates to true or false?
     
    And if you use loopback, things might get more complicated :)
     
    Thursday, January 21, 2016 9:43 AM
  • First time I am doing this... but in the command prompt from the TerminalServer I tested:

    gpresult /s thinclient1 /v (this to show my gpo for thinclient1)

    and then:

    gpresult /user user1 /v (this to show gpo for user1 on TerminalServer)

    Result on myself at thinclient1:
    COMPUTER SETTINGS
    ---------------
    The following GPOs were not applied because they were filtered out
    ---------------
    gpoLock10min
    Filtering: Denied (WMI Filter)

    USER SETTINGS
    ---------------
    The following GPOs were not applied because they were filtered out
    ---------------
    gpoLock10min
    Filtering: Denied (WMI Filter)

    Result from user1 on TerminalServer:
    COMPUTER SETTINGS
    ---------------
    The following GPOs were not applied because they were filtered out
    ---------------
    gpoLock10min
    Filtering: Not Applied (Empty)

    USER SETTINGS
    ---------------
    Applied Group Policy Objects
    ---------------
    gpoLock10min

    So there is a difference here but why? thinclient1 says "Denied" on both computer and user settings. But for user1 on TerminalServer it says "Not Applied" on computer settings but is later applied on user settings?

    Thursday, January 21, 2016 12:16 PM
  • I see now that my TerminalServer is not in the folder "Folder1" where all other servers are located in the AD, and under the gpoLock10min tab Scope there is a link to "Folder1". Maybe that's why it says "Not Applied" under computer settings?

    But still user1 is in "Folder1", so I guess that's why the GPO shows under "Applied Group Policy Objects" for User settings? But it should not say Applied, it should say Filtering: Denied (WMI Filter) like on thinclient1?


    • Edited by Ponf Thursday, January 21, 2016 12:37 PM
    Thursday, January 21, 2016 12:36 PM
  • On 21.01.2016 at 13:36, Ponf wrote:
    > But still the user1 is in the "Folder1", so I guess thats why the
    > gpo shows under "Applied Group Policy Objects" for User settings? But it
    > should not say Applied, it should say Filtering: Denied (WMI Filter)
    > like on thinclient1?
     
    So far, the WMI filtering for the user name seems not to work - on the
    TS, please run
     
    wmic win32_computersystem get username
     
    I assume that this will list not only the current user, but all users
    logged on - and so there will always be a user that has a different name :)
     
    Thursday, January 21, 2016 12:53 PM
  • It says:
    win32_computersystem - Alias not found

    Have I misunderstood what you mean, should I replace some commands with my names? What is this command supposed to do? Did some Google searching but didn't find anything...

    I am not testing this on the real TS yet, I'm testing first on another similar server that should have a similar setup.

    Thursday, January 21, 2016 1:56 PM
  • > wmic win32_computersystem get username
     
    My fault...
     
    wmic computersystem get username
    or
    wmic path win32_computersystem get username
     
    ;)
     
    Thursday, January 21, 2016 3:17 PM
  • Why not use security filtering instead of WMI?

    https://support.microsoft.com/en-us/kb/816100


    Mike Crowley | MVP
    My Blog -- Baseline Technologies

    Thursday, January 21, 2016 3:21 PM
  • Martin Binder:

    I ran the first command on a test TS and it listed one other user that was logged in (there was only one), but did not list myself.

    I then ran the command on the TS where user1 was logged in, but it didn't list any person at all. Neither myself nor user1 (there was no other logged in).

    So what does this say?

    Friday, January 22, 2016 11:15 AM
  • Mike Crowley:

    I don't know why this is not used... Either the person who did this doesn't know this (not here anymore), or maybe it was on purpose...? I have tested it on my test system and it seems to work. I first tested the WMI solution on myself but it didn't work there either. I then tested the Delegation on myself and it seems to work. I have not tested on my real production TS.

    Could there be any problem doing this? Why would you use a WMI filter to exclude people if you can choose the Delegation alternative? Because some people seem to use WMI for this if you google it.

    Friday, January 22, 2016 11:22 AM