LOL. I loved that commercial.
 
So Rick, which monkey were you? The old grey hair enjoying the gluteal attention or the younger one giving the attention?
 
:o)
 
Sorry for the relative silence. Been pretty buried helping a customer try to work out various issues with weird attributes in AD in relation to Exchange. Trying to chase down where they are coming from and what is setting them. I am slowly starting to learn about EDM now and attributes it is setting and how it is setting them.
 
Oh yeah, also putting finishing touches on ADFIND V01.26.00... I had to fix it for something in K3 SP1 and I wanted a few features for something else so I added them in. One that people may like allows them to get the owner of objects easily. It will output as a regular attribute or I worked out a way to output a DN;owner format.
 
F:\DEV\cpp\AdFind>adfind -default -s one -ownercsv
 
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
 

"CN=Builtin,DC=joe,DC=com";"BUILTIN\Administrators"
"CN=Computers,DC=joe,DC=com";"JOE\Domain Admins"
"OU=Domain Controllers,DC=joe,DC=com";"JOE\Domain Admins"
"OU=Exchange,DC=joe,DC=com";"JOE\Domain Admins"
"CN=ForeignSecurityPrincipals,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Infrastructure,DC=joe,DC=com";"JOE\Domain Admins"
"CN=LostAndFound,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Microsoft Exchange System Objects,DC=joe,DC=com";"JOE\Domain Admins"
"CN=NTDS Quotas,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Program Data,DC=joe,DC=com";"JOE\Domain Admins"
"CN=System,DC=joe,DC=com";"JOE\Domain Admins"
"OU=TestOU,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Users,DC=joe,DC=com";"JOE\Domain Admins"
 
 
Another fun thing is finding all unique security principals that "own" an AD object.
 
F:\Dev\CPP\AdFind>adfind -h 2k3dc01 -gc -b -f * -owneronly -nodn -nolabel -q |unique
BUILTIN\Administrators
CHILD1\Domain Admins
JOE\$jricha34
JOE\2K3DC01$
JOE\2K3EXC01$
JOE\2K3EXC02$
JOE\2K3UTL01$
JOE\Domain Admins
JOE\Enterprise Admins
JOE\FASTMOFO$
JOE\Schema Admins
NT AUTHORITY\SYSTEM
 
 
 
  joe
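
An added example, not part of the original message and not AdFind's own code: a short Python audit over the "DN";"owner" output shown above, listing objects whose owner falls outside an expected set (an object's owner can always change that object's permissions, so unexpected owners are worth a look). The allowlist, the function names and the sample lines are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the "DN";"owner" layout (not real directory data).
SAMPLE = r'''AdFind banner line, ignored by the parser

"CN=Builtin,DC=joe,DC=com";"BUILTIN\Administrators"
"CN=Users,DC=joe,DC=com";"JOE\Domain Admins"
"CN=ExampleUser,OU=TestOU,DC=joe,DC=com";"JOE\$jricha34"
"CN=ExampleBox,CN=Computers,DC=joe,DC=com";"JOE\FASTMOFO$"
'''

# Assumed allowlist; tune it to what is normal in your own forest.
EXPECTED_OWNERS = {"builtin\\administrators", "nt authority\\system"}
EXPECTED_GROUP_NAMES = {"domain admins", "enterprise admins", "schema admins"}


def parse_owner_csv(text):
    """Yield (dn, owner) pairs from semicolon-delimited, double-quoted lines."""
    reader = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    for row in reader:
        if len(row) != 2:
            continue  # banner and blank lines do not split into two fields
        yield row[0], row[1]


def is_expected(owner):
    """True for allowlisted principals, matching admin groups in any domain."""
    lowered = owner.lower()
    if lowered in EXPECTED_OWNERS:
        return True
    _domain, _sep, name = lowered.partition("\\")
    return name in EXPECTED_GROUP_NAMES


def unexpected_owners(text):
    """Map each non-allowlisted owner to the list of DNs it owns."""
    found = defaultdict(list)
    for dn, owner in parse_owner_csv(text):
        if not is_expected(owner):
            found[owner].append(dn)
    return dict(found)


if __name__ == "__main__":
    for owner, dns in sorted(unexpected_owners(SAMPLE).items()):
        print(f"{owner}: {len(dns)} object(s)")
        for dn in dns:
            print(f"    {dn}")
```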
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, February 09, 2005 12:16 AM
To: [email protected]
Subject: RE: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)

Yeah – I agree with Darren on this one.  Picture the Yeknom Inc. (CareerBuilder.Com) commercials that aired during the Super Bowl.  Picture a gray-haired Monkey standing in his chair, and a younger chimp kissing his butt.

 

Yep – American Capitalism at its finest.

 

-rtk

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Tuesday, February 08, 2005 12:01 PM
To: [email protected]
Subject: RE: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)

 

I agree with Joe here (it happens sometimes). Leave the DDP alone for this kind of stuff, esp. if it is also the GPO you use to manage domain account policy. I don't have any problem with you linking the GPO at the domain if it truly applies to almost all users in the domain, esp. if the alternative is having to link the same GPO all over the place to get full coverage anyway. Just put it in a different GPO than the DDP and use a Deny Apply Group Policy ACE for your CEO (or better yet a group containing your CEO).

 

And, as to why the CEO shouldn't be subject to the same policy as everyone else, it's called American Capitalism :-). Since when was a CEO subject to the same anything as the rest of the employees?

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, February 08, 2005 9:07 AM
To: [email protected]
Subject: RE: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)

If you have any intention of excluding your CEO or anyone else from any other policies you should probably better scope your GPOs. Don't make the changes in the domain policy, in fact I rarely recommend anyone change things in that policy except for the things that they absolutely have to. Put the policies down on the OU(s) where the users/computers are. Then place the users and computers in the OU specific to the policy they should have.

 

BTW, why shouldn't the CEO have a machine configured like everyone else?

 

  joe

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Tuesday, February 08, 2005 10:52 AM
To: [email protected]
Subject: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)

In this example, I want to exclude our CEO from having a forced IE start page through GPO, while the remainder of our domain keeps a forced homepage.  Is the best way to go about this, to write a WMI filter to exclude that specific user, or is there some better way to do it, as we have this set in our Default Domain Policy?

 

If so, can anyone point me to a good tutorial for writing such a WMI script?

 

Thanks.
