I have applied a Logon script via GPO to run BGInfo. As I understand it, as I am setting a User Configuration the GPO must be applied to a User OU. We have an OU called SERVERS which is the only OU we want this GPO to run on, however when I linked the GPO to the SERVERS OU rather than the USERS OU, the GPO was not applied. As the GPO is therefore linked to the USERS OU, it runs on every PC/SERVER in our company – which is not what we want.
If my conclusions are correct so far, I presumed that the only way I could prevent the GPO from running on any OU other than SERVERS is via a WMI Filter, however I cannot seem to create a filter that will work because I cannot access a variable such as %computername%.
I would have thought I wanted a query such as:
gwmi -namespace root\directory\LDAP -query "select * from ds_computer where DS_cn = %computername% AND ds_distinguishedName like '%ou=servers%'"
This would be the equivalent of saying "SELECT * FROM ds_Computer where DS_cn = [Current COMPUTER BEING LOGGED ON TO] AND ds_distinguishedName like '%ou=servers%'"
But this of course will not evaluate.
Am I on the right track here? Or is there a better solution?
Any advice greatly appreciated.
Many thanks
dotdev
Best Answer
You want loopback processing. It runs "User Configuration" items assigned to a Computer's GPO as the user who logs in. So your GPO assigned to the Servers OU with configuration items for Users will run when the user logs in.
Microsoft has a better explanation in Windows Server: Understand “User Group Policy Loopback Processing Mode”