We have a need to lock certain users down to a very restrictive desktop on our terminal servers as well as only serve them a single application which will auto-launch. I have a GPO set up for each need but cannot figure out how to only apply these GPOs to the particular user(s) that we need to enforce this on.
The WMI filter was my first guess without diving into the Group Policy Loopback (which could cause issues with our current AD structure and associated GPOs). My issue is writing the WQL statement to suit my needs.
I tried [SELECT * FROM W32.ComputerSystem WHERE UserName = 'domain\username'] but this query always provided a false return. My guess is because of the terminal server environment but I'm not positive. Looked slightly into the W32.TSAccount class but didn't see anything useful there either.
Anyone have ideas or literature you could refer me to so I can dive further into this? Any help would be MUCH appreciated as I'm no AD/GPO guru.
You don't need to do a WMI filter; you can just set up a security filter on the GPO. My suggestion would be to create a group with all users you want the filtering to apply to first. Then, in GPMC (if you don't have it, I HIGHLY suggest you get it: built in to Windows 7 and 2008, MS download for older versions of Windows), select the policy you want to apply the security filter on. Then, in the Scope tab, in the Security Filtering section (below Links, above WMI Filtering), remove "Authenticated Users" and add your group.
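The same security-filtering setup can be scripted and then verified; the following is an added example, not part of the original answer. It assumes the ActiveDirectory and GroupPolicy PowerShell modules (RSAT) are available, and the group, user and GPO names are hypothetical placeholders. Unlike removing "Authenticated Users" outright, it leaves that group with Read (but not Apply), because since the MS16-072 update user policy is fetched in the computer's security context and a GPO that computers cannot read is not processed.

```powershell
# Added example: all names below are hypothetical placeholders.
Import-Module ActiveDirectory, GroupPolicy

$GroupName = 'TS-Restricted-Users'                        # hypothetical security group
$Members   = @('jdoe')                                    # hypothetical sAMAccountName(s)
$GpoNames  = @('TS Restricted Desktop', 'TS Single App')  # hypothetical GPO display names

# 1. Create the group once, then add only the members that are missing.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$current = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object SamAccountName)
$toAdd   = @($Members | Where-Object { $_ -notin $current })
if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

foreach ($gpo in $GpoNames) {
    # 2. Give the group "Read + Apply group policy" (this is what Security Filtering sets).
    Set-GPPermission -Name $gpo -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # 3. Downgrade Authenticated Users from Apply to Read only.
    #    -Replace is required because Set-GPPermission will not lower a level by default.
    Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # 4. Verify: the filter group should be the only trustee with GpoApply.
    $appliers = @(Get-GPPermission -Name $gpo -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name })
    $unexpected = @($appliers | Where-Object { $_ -ne $GroupName })

    if ($appliers -notcontains $GroupName) {
        Write-Warning "[$gpo] $GroupName does not have Apply; the GPO will not reach those users."
    }
    if ($unexpected) {
        Write-Warning "[$gpo] also applies to: $($unexpected -join ', ')"
    }
    Write-Output "[$gpo] GpoApply trustees: $($appliers -join ', ')"
}
```

Group membership is evaluated at logon, so affected users must log off and back on before the filtered GPOs take effect; `gpresult /r` in their session shows which GPOs were applied or filtered out.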
Take a look at Group Policy Preferences; it allows you to apply options based on group membership.
Getting Started
Mapping Drives