I'm wondering if there is a way to have a WMI query check the OU of the user logging on. I'd like a GPO (linked to the Citrix servers OU) to apply only if the user is in a certain OU. This is for Citrix, so the overly obvious answer of "well, just link it to the OU the user is in" does not apply. This also cannot be done using security groups, because a long time ago those started to get used as distribution groups as well, and now too many of them are widely inaccurate. Lastly, I need to apply this to the entire GPO, as there is more than just Group Policy Preferences included, so I can't use the item-level targeting feature either. But my OUs are accurate, so I'd like to use those if I can. I'd like a WMI query filter that says: apply the GPO if the user is a member of OU 'x'.
Is that doable?
Group policies are applied to OUs. Filtering can be applied via groups or WMI queries. In your case the best way to solve your problem would be to create another group that contains the users you want to affect via this policy. It is possible to get the information you want via WMI, but it's not trivial. See Mapping Active Directory Classes.
And if dealing with 'Mapping Active Directory Classes' scares you, there is another way. If you can live with a bit of a lag between user moves and when the GPO applies to them, create a batch process that maintains a series of groups indicating which users are in which OUs. For instance:
grp.ou-members.acct.receivable
would contain all the users in the /Acct/Receivable OU. Then you could use a group filter instead of a complex WMI filter. It wouldn't be real-time, unless you have some Identity Management System hooks you can exercise to make it so, but it would do the job. These kinds of groups are fairly easy to create and maintain with PowerShell scripting.
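Both answers above come down to "filter the GPO on a group whose membership mirrors the OU." The script below is an added example of the batch process the second answer describes; it is not code from either answer. It assumes the RSAT ActiveDirectory module is installed, that the account running it can create groups and change their membership, and it uses constructed OU and group names (`DC=example,DC=com`, `OU=OU-Member-Groups`) that you would replace with your own. It reconciles each mirror group against the users currently sitting directly in the corresponding OU, adding and removing only the differences, so it is safe to run repeatedly from a scheduled task.

```powershell
# Added example: keep "OU mirror" security groups in sync with the users that live
# directly in each OU, so a GPO can be security-filtered on the group instead of on
# a WMI filter. Names and DNs below are constructed placeholders, not real values.
Import-Module ActiveDirectory

# Mirror-group name -> OU distinguished name (constructed example mapping)
$OuMap = @{
    'grp.ou-members.acct.receivable' = 'OU=Receivable,OU=Acct,DC=example,DC=com'
    'grp.ou-members.acct.payable'    = 'OU=Payable,OU=Acct,DC=example,DC=com'
}
# Where the mirror groups themselves are created (constructed placeholder)
$GroupContainer = 'OU=OU-Member-Groups,DC=example,DC=com'

foreach ($groupName in $OuMap.Keys) {
    $ouDn = $OuMap[$groupName]

    # Create the mirror group on first run. It must be a *security* group: a
    # distribution group cannot be used in a GPO's security filtering, which is
    # exactly the problem the question describes with the existing groups.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) {
        $group = New-ADGroup -Name $groupName -SamAccountName $groupName `
            -GroupScope Global -GroupCategory Security -Path $GroupContainer -PassThru
    }

    # Desired membership: user objects directly inside the OU.
    # Use -SearchScope Subtree instead if child OUs should be included.
    $desired = @(Get-ADUser -Filter * -SearchBase $ouDn -SearchScope OneLevel |
        Select-Object -ExpandProperty DistinguishedName)

    # Current membership, restricted to user objects so that any nested groups or
    # contacts someone adds by hand are left alone rather than stripped out.
    $current = @(Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty distinguishedName)

    # Reconcile: add users who moved into the OU, remove users who moved out.
    $toAdd    = @($desired | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $desired -notcontains $_ })

    if ($toAdd.Count -gt 0)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove.Count -gt 0) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

    Write-Host ('{0}: +{1} -{2} (now {3} members)' -f $groupName, $toAdd.Count, $toRemove.Count, $desired.Count)
}
```

Two caveats a practitioner should keep in mind. First, group membership is stamped into the user's access token at logon, so even after the script runs, a user who was just moved into the OU will not match the GPO's security filter until they log off and back on (or, on Citrix, start a fresh session). Second, `Get-ADGroupMember` refuses to enumerate groups larger than the domain's configured member limit (5000 by default); for very large OUs, read the group's `member` attribute with `Get-ADGroup -Properties member` instead.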