I'm trying to write a WMI filter to prevent a GPO from applying to certain users:

SELECT * from Win32_ComputerSystem WHERE NOT UserName LIKE 'domain\\user1_%' AND NOT UserName LIKE 'domain\\user2_%'

This works correctly if the user is logged onto the console but always returns false if the user is logged on via RDP.

Mark

EDIT:

There does seem to be a way to achieve this; it's described in method two of this article. However, I am unsure of how to construct the query using Win32_Process.

1 Answer

Don't use a WMI filter for that. Use an Access Control Entry for "Apply Group Policy" permission on the GPO object to specify a group for which the GPO should be applied/denied. You would also need to ensure that loopback policy processing is enabled.

Greg Askew
  • Greg, I'm trying to avoid the use of Active Directory security groups and GPO security filtering/delegation. As you can see the WMI filter above uses wildcards - it will potentially be filtering out hundreds of different user accounts. Maintaining those users within their respective security groups would be a nightmare. –  Nov 29 '12 at 21:43
  • If the users do in fact have a consistent naming scheme, a scheduled task that ensures that accounts with these username patterns are in the appropriate groups is actually fairly trivial. Arguably, adjusting a filter in a PowerShell script (or equivalent) is easier to achieve -- and easier to troubleshoot -- than a WMI filter in a GPO. – Semicolon Oct 07 '19 at 21:48
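
The scheduled-task approach from the last comment, combined with the answer's "Apply Group Policy" ACE, as an added example that is not code from any participant in the thread. It assumes the RSAT ActiveDirectory module, a hypothetical group named GPO-Exclude-PatternUsers that carries the Deny "Apply group policy" entry on the GPO, and that the question's user1_ and user2_ patterns are sAMAccountName prefixes.

```powershell
#Requires -Modules ActiveDirectory
# Added example: reconciles a security group with username patterns so the
# group can drive GPO security filtering instead of a WMI filter.
# Assumptions: the group name is hypothetical; the patterns mirror the
# question's 'user1_%' / 'user2_%' with the underscore treated literally.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $GroupName = 'GPO-Exclude-PatternUsers',   # hypothetical group
    [string[]] $Patterns  = @('user1_*', 'user2_*')       # admin-supplied, trusted
)

$ErrorActionPreference = 'Stop'

# One AD filter covering every pattern:
# (SamAccountName -like 'user1_*') -or (SamAccountName -like 'user2_*')
$filter = ($Patterns | ForEach-Object { "(SamAccountName -like '$_')" }) -join ' -or '

# Desired state: every enabled user whose logon name matches a pattern.
$wanted = @(Get-ADUser -Filter $filter |
    Where-Object Enabled |
    Select-Object -ExpandProperty DistinguishedName)

# Current state: direct user members of the group.
$current = @(Get-ADGroupMember -Identity $GroupName |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName)

$toAdd    = @($wanted  | Where-Object { $_ -notin $current })
$toRemove = @($current | Where-Object { $_ -notin $wanted })

# Apply the difference and emit one record per change for the task log.
if ($toAdd -and $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) member(s)")) {
    Add-ADGroupMember -Identity $GroupName -Members $toAdd
    $toAdd | ForEach-Object { [pscustomobject]@{ Action = 'Added'; Member = $_ } }
}

# Removing stale members matters as much as adding new ones: an account that
# was renamed or disabled should not keep its exemption from the GPO.
if ($toRemove -and $PSCmdlet.ShouldProcess($GroupName, "Remove $($toRemove.Count) member(s)")) {
    Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    $toRemove | ForEach-Object { [pscustomobject]@{ Action = 'Removed'; Member = $_ } }
}
```

Running the script with -WhatIf lists the membership changes without making them. Users pick up the new group membership in their token at their next logon.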