WMI Filter in GPO by UserName/UseGroup

We have a need to lock certain users down to a very restrictive desktop on our terminal servers as well as only serve them a single application which will auto launch. I have a GPO setup for each need but cannot figure out how to only apply these GPOs to the particular user(s) that we need to enforce this on.

The WMI filter was my first guess without diving into the Group Policy Loopback ( which could cause issues with our current AD structure and associated GPOs ). My issue is writing the WQL statement to suit my needs.

I tried [SELECT * FROM W32.ComputerSystem WHERE UserName = 'domain\username'] but this query always provided a false return. My guess is because of the terminal server environment but im not positive. Looked slightly into the W32.TSAccount class but didn't see anything useful there as well.

Anyone have ideas or literature you could reference me too so i can dive further into this? Any help would be MUCH appreciated as im no AD/GPO guru.

Ok, GPMC is installed and i have been toying with it, i already had the special OU setup with the selected users included. My biggest thing is even with the GPO setup in this manor using gpresult the GPO never shows up, whether it is being enforced, block, filtered, denied, nothing. From what i have read my TS OU does not import the GPO at all by default unless GPO Loopback is enabled. Bad thing with that is it would affect more than just the group im targeting at the moment. Or maybe im doing something wrong ( which i wouldnt doubt lol )

Scratch that, i apologize i was looking at my notes for the wrong server :(, the TS cluster has loopback enabled-replace already configured. So now im curious as why the new GPO is not showing at all, regardless of the enforced state.

Another scratch that ( bonehead moment ), i was trying to apply the new GPOs to the OU of the users not the term server OU. Now i get the GPOs applied just fine thanks alot! Now onto my logon script not working, i shall return if i need further help!