Friday, August 8, 2014

WMI filtering using GPMC

WMI filtering

Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.
When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows 2000, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied.
WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information. For example, WMI exposes hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data.
A WMI filter consists of one or more queries based on this data. If all queries are true, the GPO linked to the filter will be applied. The queries are written using the WMI Query Language (WQL), a SQL-like language. Queries can be combined with AND and OR logical operators to achieve whatever effect the administrator wants. Each query is executed against a particular WMI namespace. When you create a query, you must specify the namespace. The default is root\CIMv2, which is appropriate for most WMI queries.
The WMI filter is a separate object from the GPO in the directory. To apply a WMI filter to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one WMI filter; however, the same WMI filter can be linked to multiple GPOs.
WMI filters, like GPOs, are stored on a per-domain basis. A WMI filter and the GPO it is linked to must be in the same domain.
  • Client support for WMI filters exists only on Windows XP, Windows Server 2003, and later operating systems. Windows 2000 clients will ignore any WMI filter and the GPO is always applied, regardless of the WMI filter.
  • WMI filters are only available in domains that have at least one Windows Server 2003 domain controller. In an environment consisting only of Windows 2000 domains, the WMI filter node in Group Policy Management Console (GPMC) is not shown.

Using WMI filters with GPMC

Using GPMC, you can create and delete WMI filters, link and unlink WMI filters, copy and paste WMI filters, import and export WMI filters, and view and edit attributes of WMI filters.

Sample code

The following table shows sample code for several WMI filters.


| Criterion | Administrator's intent | WMI filter |
| --- | --- | --- |
| | Avoid turning on netmon on computers that can have multicasting turned on. | Select * from Win32_NetworkProtocol where SupportsMulticasting = true |
| Time zone | Apply policy on all servers located on the East Coast of the United States. | Root\cimv2 ; Select * from win32_timezone where bias = -300 |
| | Apply a policy on computers that have a specific hotfix. | Root\cimv2 ; Select * from Win32_QuickFixEngineering where HotFixID = 'q147222' |
| Software inventory | Assign software only on computers already having either of two software packages. | Root\cimv2;Select * from Win32_Product where name = "MSIPackage1" OR name = "MSIPackage2" |
| Operating system | Only target computers running Windows XP Professional. | Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional" |
| | Target only machines that have at least 600 megabytes (MB) available. | Root\CimV2; Select * from Win32_LogicalDisk where FreeSpace > 629145600 AND Description <> "Network Connection" |
| Make or model | Target Toshiba Tecra models 800 and 810. | Root\CimV2; Select * from Win32_ComputerSystem where manufacturer = "Toshiba" and (Model = "Tecra 800" OR Model = "Tecra 810") |
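
Before linking a filter to a GPO that carries security settings, it helps to run its queries on a representative target computer and confirm that each one returns at least one instance, which is what makes a query true. The following PowerShell is an added example, not part of the original article; `Test-WmiFilter` is a hypothetical helper name, and it assumes PowerShell 3.0 or later (for `Get-CimInstance`) and entries written in the table's "namespace; query" form.

```powershell
# Added example: evaluate every query of a WMI filter on the local computer.
# A query counts as true when it returns at least one instance.
function Test-WmiFilter {
    param(
        # Entries in "namespace; query" form. A bare query uses root\CIMv2.
        [Parameter(Mandatory)][string[]]$Filter
    )
    $results = foreach ($entry in $Filter) {
        # Split on the first ';' only, and only if the left part is not already a query.
        $parts = $entry -split ';', 2
        if ($parts.Count -eq 2 -and $parts[0] -notmatch '^\s*select\s') {
            $namespace, $query = $parts[0].Trim(), $parts[1].Trim()
        } else {
            $namespace, $query = 'root\CIMv2', $entry.Trim()
        }
        $count = 0; $err = $null
        try {
            $count = @(Get-CimInstance -Namespace $namespace -Query $query -ErrorAction Stop).Count
        } catch {
            # Invalid WQL or a missing namespace: this helper treats the query as false.
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            Namespace = $namespace
            Query     = $query
            Instances = $count
            IsTrue    = ($count -gt 0)
            Error     = $err
        }
    }
    $results | Format-Table -AutoSize -Wrap | Out-Host
    # The filter as a whole is true only when no query is false.
    return -not ($results | Where-Object { -not $_.IsTrue })
}

# Two rows from the table above, combined into one filter.
Test-WmiFilter -Filter @(
    'Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows XP Professional"',
    'Root\CimV2; Select * from Win32_LogicalDisk where FreeSpace > 629145600 AND Description <> "Network Connection"'
)
```

The function prints one row per query and returns `$true` only if every query matched, so a `$false` result means a GPO linked to that filter would not be applied on this computer.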
