negative WMI-Filter for security filtering in GPO

Posted on

A server stack is the collection of software that forms the operational infrastructure on a given machine. In a computing context, a stack is an ordered pile. A server stack is one type of solution stack — an ordered selection of software that makes it possible to complete a particular task. Like in this post about negative WMI-Filter for security filtering in GPO was one problem in server stack that need for a solution. Below are some tips in manage your windows server when you find problem about windows, active-directory, group-policy, wmi, filter.

I need to create a group policy object (GPO) that will disable printer redirection for all computers except certain servers.

I considered making a security group and adding all the computers except the servers that I wanted to permit printer redirection on and then applying security filtering on the GPO so only the computers that are a member of the security group will not have printer redirection. Due to the number of servers in the environment and the number of technicians making changes in Active Directory (AD) I feel that people will not remember to add new computers to the security group. 🙂 So, I want to create a GPO that applies to all computers but has a rule that excludes the members of a security group from the GPO.

I believe that I want to do this with a WMI filter but I don’t know how to create a WMI filter and the examples I found do not seem to give me the information I need to create the required WMI filter.

The example I found is this.

Select * From Win32_Group where Name <> "security group"

Can someone help me edit this WMI filter to identify all servers that are not members of that security group.

Here is how you write a WMI filter to find all computers that are not a member of the security group named “AnswerGroup”.

Select * from Win32_GroupUser Where GroupComponent <> "Win32_Group.Domain='domain',Name='AnswerGroup'"

You need to change AnswerGroup to the name of the security group that contains the computers that should be allowed to have printer redirection. You need to change domain to the name of your domain.

Leave a Reply

Your email address will not be published. Required fields are marked *