3

We have a need to lock certain users down to a very restrictive desktop on our terminal servers as well as only serve them a single application which will auto launch. I have a GPO setup for each need but cannot figure out how to only apply these GPOs to the particular user(s) that we need to enforce this on.

The WMI filter was my first guess without diving into the Group Policy Loopback ( which could cause issues with our current AD structure and associated GPOs ). My issue is writing the WQL statement to suit my needs.

I tried [SELECT * FROM W32.ComputerSystem WHERE UserName = 'domain\username'] but this query always provided a false return. My guess is because of the terminal server environment but im not positive. Looked slightly into the W32.TSAccount class but didn't see anything useful there as well.

Anyone have ideas or literature you could reference me too so i can dive further into this? Any help would be MUCH appreciated as im no AD/GPO guru.

jscott
  • 24,484
  • 8
  • 79
  • 100
RPGonzo
  • 65
  • 1
  • 2
  • 5

2 Answers2

2

You don't need to do a WMI Filter, you can just setup a security filter on the GPO. My suggestion would be to create a group with all users you want the filtering to apply to first. Then, in GPMC (if you don't have it i HIGHLY suggest you get it Built-in to Windows 7 and 2008, MS Download for older versions of windows ) select the policy you want to apply the security filter on then in the scope tab, in the security filtering section (Below Links, above WMI filtering) remove "authenticated users" and add you group.

Zypher
  • 37,405
  • 5
  • 53
  • 95
  • Ok, GPMC is installed and i have been toying with it, i already had the special OU setup with the selected users included. My biggest thing is even with the GPO setup in this manor using gpresult the GPO never shows up, whether it is being enforced, block, filtered, denied, nothing. From what i have read my TS OU does not import the GPO at all by default unless GPO Loopback is enabled. Bad thing with that is it would affect more than just the group im targeting at the moment. Or maybe im doing something wrong ( which i wouldnt doubt lol ) – RPGonzo Jul 14 '10 at 13:41
  • Scratch that, i apologize i was looking at my notes for the wrong server :(, the TS cluster has loopback enabled-replace already configured. So now im curious as why the new GPO is not showing at all, regardless of the enforced state. – RPGonzo Jul 14 '10 at 13:47
  • Another scratch that ( bonehead moment ), i was trying to apply the new GPOs to the OU of the users not the term server OU. Now i get the GPOs applied just fine thanks alot! Now onto my logon script not working, i shall return if i need further help! – RPGonzo Jul 14 '10 at 14:13
0

Take a look at Group Policy Preferences, it allows you to apply options based on group membership.

Getting Started

Mapping Drives

Clint
  • 546
  • 2
  • 10