locked
control user policy per computer RRS feed

  • Question

  • How can one target user policies to specific computers? Security filtering for computer-groups does not block user policies to apply. In detail, I have some Office 2010 user settings to propagate to computers that have Office 2010 installed and only to those.

    I also tried WMI filter based on group membership, but it didn' work either. It filtered out on all computers, including member computers. Maybe the WQL is wrong:  SELECT * FROM Win32_GroupUser WHERE GroupComponent="Win32_Group.Domain=\"DOMAIN\", Name=\"Computers-with-Office2010\""

    Thanks, Jan

     

     

    Wednesday, October 12, 2011 2:52 PM

Answers

  • Hi,

     First, applying the settings to computers that don't have Office 2010 should impact them since those registry keys are not in use.

     Second, you can just use a WMI filter that's looking for Office 2010 install: Select * from Win32_Product where (caption like "%Microsoft Office Professional%2010%" and Version like "14.1%")

     The above filter would be limited to SP1. You can using the following commands to check for the right strings:

    wmic path Win32_Product where (Caption like "%Microsoft Office%2010%") get caption

    wmic path Win32_Product where (Caption like "%Microsoft Office Professional%2010%") get Version

     

    Thanks,

    Guy

    • Marked as answer by u.jan Saturday, October 15, 2011 8:12 PM
    Wednesday, October 12, 2011 3:01 PM

All replies

  • Hi,

     First, applying the settings to computers that don't have Office 2010 should impact them since those registry keys are not in use.

     Second, you can just use a WMI filter that's looking for Office 2010 install: Select * from Win32_Product where (caption like "%Microsoft Office Professional%2010%" and Version like "14.1%")

     The above filter would be limited to SP1. You can using the following commands to check for the right strings:

    wmic path Win32_Product where (Caption like "%Microsoft Office%2010%") get caption

    wmic path Win32_Product where (Caption like "%Microsoft Office Professional%2010%") get Version

     

    Thanks,

    Guy

    • Marked as answer by u.jan Saturday, October 15, 2011 8:12 PM
    Wednesday, October 12, 2011 3:01 PM
  • Guy,

    thanks for the workaround, it's not that fast, but sure does it. Still, how do you wmi filter for group membership? Sg like, is computer member of first-floor-computers? WMI runs before security filtering, and it can be used to control policies regardless of that the settings are computer or user. I thought this is sort of an everyday task in AD and GP, but haven't found anything close to this. What am i missing here? What's the best practice?

     


    • Edited by u.jan Saturday, October 15, 2011 8:13 PM
    Saturday, October 15, 2011 8:12 PM
  • I figured out on the command line how Win32_GroupUser work:

    wmic PATH Win32_GroupUser WHERE (GroupComponent="Win32_Group.Domain='DOMAIN',Name='ComputerGroup'" and PartComponent="Win32_UserAccount.Domain='DOMAIN',Name=\"%COMPUTERNAME%$\"")

    This doesn't work in the GP WMI Filtering. The gpresult says Denied. Any idea?

     

    Saturday, October 15, 2011 11:35 PM
  • I figured out on the command line how Win32_GroupUser work:

    wmic PATH Win32_GroupUser WHERE (GroupComponent="Win32_Group.Domain='DOMAIN',Name='ComputerGroup'" and PartComponent="Win32_UserAccount.Domain='DOMAIN',Name=\"%COMPUTERNAME%$\"")

    This doesn't work in the GP WMI Filtering. The gpresult says Denied. Any idea?

     

    I'm having exactly the same issue. I Need to create a WMI filter for a Group of Computer accounts so that a user specific GPO can be applied to those Computers only.

    I figured our that select * from Win32_ComputerSystem where DNSHostName = 'NameOfTheComputer' will work fine for one particular computer. In that case I have to Change the WMI query anytime another Computer will be added or removed.

    Any more ideas?


    Kind regards, Thomas

    Wednesday, August 15, 2012 12:15 PM
  • Am 16.03.2013 00:29, schrieb BoxenHrrDrr:
    >
    > I know that this is a pretty old thread, but I once would have liked
    > to do something like this as well. It would have been nice to find an
    > answer online instead of spending so much time racking my brain, so
    > I'll share in the hope that someone else finds this useful.
    >
    > I ended up doing something that wasn't quite as clean, but still
    > functionally similar by matching computernames in the query.
    >
    >     Example:
    >
    >         Select * from Win32_ComputerSystem Where name="COMPUTER1" OR
    > name="COMPUTER2" OR name="COMPUTER3" OR name="COMPUTER4"
    >
     
    That's not really useful - better use Loopback processing...
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    Saturday, March 16, 2013 12:10 AM