First post so be gentle! :wink:
We're currently running a Test Active Directory which will be rolled out to our live system eventually to replace our existing Novell DNS. (i.e. I'm not really an expert on delivering GPs through AD!!)
Essentially, all our users are located in one top level container, whereas workstations are to be distributed amongst different containers as they will be managed by different departments. Redesign of the AD isn't an option for "political" reasons :oops:
Essentially, the structure (the bits that matter anyway) looks something like this:
AD
|
|__Users
|
|__Dep1
|   |
|   |__Workstations
|
|__Dep2
|   |
|   |__Workstations
|
|
etc.
As departments are going to maintain their own workstations, they will want to apply their own user policies to each user as they log onto their systems.
i.e.
If a user logs onto a machine in Dep1, they should receive Workstation (easy) and User policies created and managed by the Dep1 Administrator.
Likewise if a user logs onto a machine in Dep2, they should receive Workstation (easy) and User policies created and managed by the Dep2 Administrator.
We have had 2 thoughts as to how to do this, but not sure how much mileage there is in either.
1. Loopback policies - would seem to do the trick for 'standard' users, however if I am correct, these policies would apply to anybody logging in to the machines - including Administrators/Power Users?
2. WMI filtering - it is very likely that machines in Dep1 will be in a different IP subnet to machines in Dep2. Can this filtering be achieved by WMI? I've managed to extract the IP Address out of a WMI query, but not sure if I can build a query based on subnet.
Any comments on the above 2 methods, or a completely new way of achieving the desired results would be appreciated.
Thanks.
1. You are right, administrators etc. are affected by these policies.
2. You can filter anything that you can query with WMI.
Using it as you described is possible, and maybe I'm missing something, but what is really the problem?
Hi, and thanks for the response.
Originally Posted by fantomen
I was initially looking for advice rather than a solution, but now that you've confirmed that WMI would be the best way to achieve this, I have another problem:
It seems that WQL cannot query array fields within WMI, but the IP address field is an array. So as far as I can tell, it is impossible for me to use this field as a WMI filter. Are there any other fields which can be used to identify a machine's IP subnet, or is there a way to query an array field using WMI filters?
Alternatively, is it possible to enter a custom field into the WMI database which you can then use to filter GPs? If this is possible, we could theoretically put an 'identifier' in the WMI database to separate groups of machines.
Cheers
You could use policies linked to Active Directory sites instead.
These are defined in AD and associated with IP subnets, so they sound perfect for your implementation.
However, you would have to make sure that the appropriate admins could edit these policies, which would be more fiddly to do.
Don't forget that WMI is completely ignored by Windows 2000, so if you have any of that kicking around, then you need to think hard if you can use WMI at all.
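
The array limitation raised above can be sidestepped by querying a class whose address field is a plain string. The following is an added example, not code from any poster in this thread: it assumes the Win32_IP4RouteTable class (Windows XP / Server 2003 and later), where each local IP address appears as a host route with mask 255.255.255.255, and it builds a subnet filter query and checks it on the local machine before it is pasted into a GPO WMI filter. The function name and the department subnets are hypothetical placeholders.

```powershell
# Added example: build a subnet-based WQL query for a GPO WMI filter and test it locally.
# Assumption: Win32_IP4RouteTable lists every local IPv4 address as a host route
# (Mask = 255.255.255.255), so Destination can be matched as a string with LIKE.
function New-SubnetWqlFilter {
    param([Parameter(Mandatory)][string]$Cidr)   # e.g. '10.2.4.0/22'

    $address, $bits = $Cidr -split '/'
    $prefix = [int]$bits
    if ($prefix -lt 8 -or $prefix -gt 32) { throw "Prefix must be 8..32: $Cidr" }
    $octets = [int[]]($address -split '\.')
    if ($octets.Count -ne 4) { throw "Not a dotted IPv4 address: $Cidr" }

    $full = [int][math]::Floor($prefix / 8)      # octets fixed completely by the prefix
    $rest = $prefix % 8                          # bits fixed in the following octet
    $head = $octets[0..($full - 1)] -join '.'

    if ($rest -eq 0) {
        # Prefix ends on an octet boundary: one pattern is enough.
        $patterns = @(if ($full -eq 4) { $head } else { '{0}.%' -f $head })
    } else {
        # Prefix splits an octet: enumerate the values that octet may take.
        $size  = [int][math]::Pow(2, 8 - $rest)
        $start = $octets[$full] - ($octets[$full] % $size)
        $tail  = if ($full -lt 3) { '.%' } else { '' }
        $patterns = $start..($start + $size - 1) |
            ForEach-Object { '{0}.{1}{2}' -f $head, $_, $tail }
    }

    $likes = ($patterns | ForEach-Object { "Destination LIKE '$_'" }) -join ' OR '
    "SELECT * FROM Win32_IP4RouteTable WHERE Mask = '255.255.255.255' AND ($likes)"
}

# Constructed department subnets (placeholders, not values from the thread).
$departments = [ordered]@{ Dep1 = '10.1.0.0/16'; Dep2 = '10.2.4.0/22' }

foreach ($dep in $departments.Keys) {
    $wql = New-SubnetWqlFilter -Cidr $departments[$dep]
    # A WMI filter passes when its query returns at least one instance.
    $hit = @(Get-CimInstance -Namespace 'root\CIMv2' -Query $wql).Count -gt 0
    $result = if ($hit) { 'PASS' } else { 'FAIL' }
    "{0}: filter would {1} on this machine`n  {2}" -f $dep, $result, $wql
}
```

Subnets that end on an octet boundary produce a single LIKE clause; a prefix that splits an octet expands to one clause per value, so wide non-aligned ranges make for long queries.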