Exclude OU in wmi filtering


  • I want to exclude OUs with names such as IT, HR in WMI filtering.

    How can I do this?

    I do not believe you can do this via WMI filtering, but there should be a way using other methods. One method is to create a group, add all computers, users and groups to that group, and deny apply group policy permissions. Assuming you have an OU called HR, you can get all objects in that OU and automatically add them to the group. This process is called a shadow group. This is a simple script which can be used to update the group membership:

    Get-ADObject -Filter * | where {($_.distinguishedname -like "*OU=HR,DC=Contoso,DC=Com*") -and ($_.ObjectClass -ne "organizationalUnit")} | % {Add-ADGroupMember -Identity YourGroup $_ }

    Basically, what this script does is query user objects, computer accounts and groups in an OU and add them to the YourGroup group. Then you can deny apply group policy on this group.

    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

    • Proposed as answer by Mary Dong Tuesday, December 8, 2015 1:48 AM
    • Marked as answer by Mary Dong Wednesday, December 9, 2015 1:36 AM
    Sunday, November 29, 2015 6:36 AM
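
A fuller version of the shadow-group update described in the answer above, added here as an example and not part of the original post. It also removes members that are no longer in the OU, so an object moved out of HR does not stay in the denied group and silently keep skipping the GPO. The OU DN and group name are the ones used in the post; the variable names are assumptions.

```powershell
# Added example: keep a shadow group in sync with one OU.
# Requires the ActiveDirectory module (RSAT) and rights to edit the group.
Import-Module ActiveDirectory

$OuDn      = 'OU=HR,DC=Contoso,DC=Com'   # OU named in the post
$GroupName = 'YourGroup'                 # group that is denied "Apply group policy"

$group = Get-ADGroup -Identity $GroupName

# Users, computers and groups anywhere under the OU.
# The LDAP filter leaves out the OU objects themselves; the Where-Object
# clause skips the shadow group in case it lives inside the same OU.
$inOu = @(Get-ADObject -SearchBase $OuDn -SearchScope Subtree `
            -LDAPFilter '(|(objectClass=user)(objectClass=computer)(objectClass=group))' |
          Where-Object { $_.DistinguishedName -ne $group.DistinguishedName } |
          Select-Object -ExpandProperty DistinguishedName)

# Direct members the group has right now.
$current = @(Get-ADGroupMember -Identity $group |
             Select-Object -ExpandProperty DistinguishedName)

# -notcontains compares case-insensitively, which suits distinguished names.
$toAdd    = @($inOu    | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $inOu    -notcontains $_ })

if ($toAdd) {
    Add-ADGroupMember -Identity $group -Members $toAdd
}
if ($toRemove) {
    # Stale members would otherwise keep the deny ACE applied to them.
    Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
}

# Summary line, useful when the script runs as a scheduled task.
'{0}: {1} added, {2} removed' -f $GroupName, $toAdd.Count, $toRemove.Count
```

Membership only follows the OU as often as the script runs, and a computer or user picks up the new group membership at its next restart or logon.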