Can you have a WMI query for a GPO filter based on the user’s OU?

group-policy windows-server-2003 wmi

I'm wondering if there is a way to have a WMI query check the OU of the user logging on. I'd like a GPO (linked to the Citrix servers OU) to apply only to users if the user is in a certain OU – this is for Citrix, so the overly obvious answer of "well, just link it to the OU the user is in" does not apply. This also cannot be done using security groups because a long time ago those started to get used as Distribution Groups also, and now too many are widely inaccurate. Lastly, I need to apply this to the entire GPO as there are more than just group policy preferences included, so I can't use the item-level targeting feature either. But my OUs are accurate, so I'd like to use those if I can. I'd like a WMI query filter to say: apply GPO if user is member of OU 'x'.

Is that doable?

Best Answer

Group policies are applied to OUs. Filtering can be applied via groups or WMI queries. In your case, the best way to solve your problem would be to create another group that contains the users you want to affect via this policy. It is possible to get the information you want via WMI, but it's not trivial. See Mapping Active Directory Classes.
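One way to maintain the dedicated group the answer recommends, as an added example that is not part of the original answer: a PowerShell script that keeps a security group's membership equal to the enabled users under one OU, so the GPO's security filtering can target that group and users moved out of the OU lose the policy. It assumes the ActiveDirectory module is available; the OU distinguished name and the group name are hypothetical placeholders.

```powershell
# Added example: sync a dedicated security group with the users of one OU so
# the group can be used for GPO security filtering.
# Assumptions: ActiveDirectory module is installed; the OU DN and group name
# below are hypothetical placeholders, not values from the original page.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SourceOU    = 'OU=X,DC=example,DC=com',   # hypothetical OU
    [string]$ShadowGroup = 'GPO-Filter-OU-X'            # hypothetical group
)

$ErrorActionPreference = 'Stop'

# Desired membership: every enabled user account located under the OU.
$wanted = @(Get-ADUser -SearchBase $SourceOU -SearchScope Subtree `
        -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty DistinguishedName)

# Current membership: direct members of the group that are user objects.
$current = @(Get-ADGroupMember -Identity $ShadowGroup |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty distinguishedName)

# Compute the difference in both directions. Removal matters as much as
# addition: a stale member would keep receiving the filtered GPO.
$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

foreach ($dn in $toAdd) {
    if ($PSCmdlet.ShouldProcess($dn, "Add to $ShadowGroup")) {
        Add-ADGroupMember -Identity $ShadowGroup -Members $dn
    }
}
foreach ($dn in $toRemove) {
    if ($PSCmdlet.ShouldProcess($dn, "Remove from $ShadowGroup")) {
        Remove-ADGroupMember -Identity $ShadowGroup -Members $dn -Confirm:$false
    }
}

# Summary line for the scheduled-task log.
'{0}: added {1}, removed {2}' -f $ShadowGroup, $toAdd.Count, $toRemove.Count
```

Run it with `-WhatIf` first to review the planned changes, then schedule it under an account that is delegated write access to that one group only.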
