
I need to create a group policy object (GPO) that will disable printer redirection for all computers except certain servers.

I considered making a security group and adding all the computers except the servers that I wanted to permit printer redirection on and then applying security filtering on the GPO so only the computers that are a member of the security group will not have printer redirection. Due to the number of servers in the environment and the number of technicians making changes in Active Directory (AD), I feel that people will not remember to add new computers to the security group. :) So, I want to create a GPO that applies to all computers but has a rule that excludes the members of a security group from the GPO.

I believe that I want to do this with a WMI filter but I don't know how to create a WMI filter and the examples I found do not seem to give me the information I need to create the required WMI filter.

The example I found is this.

```
Select * From Win32_Group where Name <> "security group"
```

Can someone help me edit this WMI filter to identify all servers that are not members of that security group?

user5870571
user1276012
  • This doesn't make any sense. Why not use a deny ACE on the GPO instead of a WMI filter? – Greg Askew Jun 22 '16 at 16:14
  • Yes that would work, but a deny ACE can be tricky, because it can have side effects and it is hard to find, because nobody is thinking about this ... :/ Therefore a WMI-filter would make things easier. – user1276012 Jun 23 '16 at 09:40
  • There's nothing tricky. A WMI filter does not make it easier. You're taking something simple and way over-complicating it. – Greg Askew Jun 23 '16 at 13:31

1 Answer


Here is how you write a WMI filter to find all computers that are not a member of the security group named "AnswerGroup".

```
Select * from Win32_GroupUser Where GroupComponent <> "Win32_Group.Domain='domain',Name='AnswerGroup'"
```

You need to change AnswerGroup to the name of the security group that contains the computers that should be allowed to have printer redirection. You need to change domain to the name of your domain.

user5870571
  • Is namespace "root\CIMV2" correct? Hm, if I set up the filter like this: Select Win32AccountName from Win32_GroupUser Where GroupComponent <> "Win32_Group.Domain='subdom.dom.de',Name='PERM-D-CSC-PRINTERREDIRECTION-SERVER'", it seems to be false all the time and is filtered out. The server doesn't show up in the new group PERM-D-CSC-PRINTERREDIRECTION-SERVER I created on gpresult /r ... – user1276012 Jun 21 '16 at 08:25
  • ok now I was able to reboot the two excluded servers, the group is now listed under "gpresult /r", but for all systems the GPO is not assigned, it is for all the same: The following GPOs were not applied because they were filtered out ------------------------------------------------------------------- BRM_PRINTER_REDIRECTION Filtering: Denied (WMI Filter) WMI Filter: No Printer Redirection – user1276012 Jun 21 '16 at 20:27
  • It seems to be a problem with "Win32AccountName ", if I replace that by * the query works. It also fails again with "Win32_Account" :/ – user1276012 Jun 21 '16 at 20:50
  • hrhr although it works the only positive thing is that the GPO is assigned, but it is assigned also to the two exceptions :( – user1276012 Jun 21 '16 at 20:59
  • What is the current version of the WMI rule? – user5870571 Jun 21 '16 at 22:34
  • select * from Win32_GroupUser Where GroupComponent <> "Win32_Group.Domain='subdom.dom.de',Name='PERM-D-CSC-PRINTERREDIRECTION-SERVER'" with that one the GPO is assigned to all servers, even the two exceptions. The query returns over 94.000 objects by the way – user1276012 Jun 22 '16 at 08:10
  • I believe @user5870571 is referring to `wbemtest`. – tfrederick74656 Jun 23 '16 at 03:36
  • Yes, I had the same problem with using Select Win32AccountName so I changed it back to Select *. Have you tried using wbemtest to check the WMI query output? – user5870571 Jun 23 '16 at 03:37
  • Yes, I used wbemtest; it returns ~94.000 entries on <>. If I change from <> to = for testing, it returns only the two exceptions. So basically it looks ok, but the policy is assigned to all. – user1276012 Jun 23 '16 at 06:41
  • In the ~94000 it returns are the 2 exceptions included? – user5870571 Jun 23 '16 at 11:27
  • Can I export the query result from wbemtest? Otherwise hard to test :/ – user1276012 Jun 24 '16 at 08:42
  • I'm not sure if you can do it directly from wbemtest or if you need to write a script outside of wbemtest. I have asked that question on SO http://stackoverflow.com/questions/38014527/is-there-a-way-to-export-the-results-of-a-wmi-query-using-wbemtest. – user5870571 Jun 24 '16 at 13:23
  • The answer to that question appears to be no. http://stackoverflow.com/questions/38014527/is-there-a-way-to-export-the-results-of-a-wmi-query-using-wbemtest/38016560#38016560 – user5870571 Jun 24 '16 at 16:00
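
Added example, not part of the original answer or comments: a PowerShell way to run the two queries from this thread outside wbemtest, export the rows to CSV, and see the value a WMI filter would take, given that Group Policy treats a filter as true when its query returns at least one instance. The domain and group values, the function name `Test-WmiFilterQuery` and the CSV paths are placeholders chosen for illustration.

```powershell
# Added example (not from the thread). $Domain and $Group are placeholders.
$Domain = 'domain'
$Group  = 'AnswerGroup'

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMV2',
        [string] $ExportPath   # optional CSV for offline review
    )
    # Can be slow on a domain member: the thread reports ~94,000 rows for "<>".
    $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)

    if ($ExportPath) {
        # Flatten the two association references into plain columns.
        $rows | ForEach-Object {
            [pscustomobject]@{
                GroupDomain  = $_.GroupComponent.Domain
                Group        = $_.GroupComponent.Name
                MemberDomain = $_.PartComponent.Domain
                Member       = $_.PartComponent.Name
            }
        } | Export-Csv -Path $ExportPath -NoTypeInformation
    }

    [pscustomobject]@{
        Query         = $Query
        InstanceCount = $rows.Count
        # Group Policy treats the filter as true when at least one instance comes back.
        FilterIsTrue  = ($rows.Count -gt 0)
    }
}

# Same object path as in the answer, built from the placeholders above.
$ref      = "Win32_Group.Domain='$Domain',Name='$Group'"
$template = 'SELECT * FROM Win32_GroupUser WHERE GroupComponent {0} "{1}"'

$notEqual = Test-WmiFilterQuery -Query ($template -f '<>', $ref) -ExportPath "$env:TEMP\groupuser-ne.csv"
$equal    = Test-WmiFilterQuery -Query ($template -f '=',  $ref) -ExportPath "$env:TEMP\groupuser-eq.csv"

$notEqual, $equal | Format-Table Query, InstanceCount, FilterIsTrue -Wrap
```

If the `<>` row shows `FilterIsTrue` as `True` on one of the excepted servers, that matches the behaviour reported in the comments, where the GPO applied to every server including the two exceptions.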