How to scope Group Policy with WMI filters

In this article you will learn how to create Group Policy Objects (GPOs) by leveraging the power of Windows Management Instrumentation (WMI).

By Timothy Warner - Fri, January 27, 2012

Timothy Warner is a Windows systems administrator, software developer, author, and technical trainer based in Nashville, TN.

The traditional method for scoping Group Policy Objects (GPOs) in Windows Server 2008 Active Directory is to perform the following actions:

  • Ensure that the GPO is linked to the appropriate Active Directory object (for instance, site, domain, OU)
  • Use security filtering to ensure that the GPO affects only specified user and/or computer accounts

Security filtering a GPO

What many Windows systems administrators do not know (or may not want to know due to the learning curve involved) is that we can also use Windows Management Instrumentation (WMI) filtering to dynamically scope Group Policy.

WMI is extremely powerful in GPO application because we can target systems based upon hardware and software attributes such as CPU architecture, operating system, free disk space, BIOS version, and so forth.

It should be noted that because your WMI filters are parsed during every Group Policy refresh, WMI filters in GPOs are best reserved for time-limited scenarios to avoid undue performance impact on your domain controllers.

For instance, you may want to deploy a GPO with a WMI filter that scopes the policy for Windows 7 clients that have a particular hotfix applied in order to undo the installation. After your machines have ingested and processed the GPO, you can simply unlink the WMI filter or disable the GPO entirely.

Creating a WMI filter

To build your first WMI filter, fire up the Group Policy Management Console and expand your domain to expose the WMI Filters container. Next, right-click WMI Filters and select New from the shortcut menu.

Group Policy - Creating a New WMI Filter

In the New WMI Filter dialog box, add a name and (optionally) a description for your new WMI filter. Next, we can build the actual WMI Query Language (WQL) query by clicking Add.

New WMI Filter

WMI filters consist of two components: (a) the WMI namespace; and (b) the WQL query. The vast majority of Windows systems administration-related WMI classes are contained within the root\CIMv2 namespace.

If you have used the Structured Query Language (SQL) before, then you will be instantly comfortable with the basic syntax of the WQL language. If not, then you have a bit of a learning curve in front of you.

Please check out the following links for some useful assistance in writing WQL:

In the following example screenshot, my WQL query targets domain systems that run Windows XP Professional.

A WQL query

Note that a single WMI filter can consist of more than one WQL query statement. Once you’ve saved your work, your new filter(s) will appear in the WMI Filters node in Group Policy Management Console.

NOTE: Active Directory replication ensures that both your WMI filters and your GPOs are available on all domain controllers.

Linking a WMI filter to a GPO

To link a WMI filter to a GPO using the GPMC, view the properties of the target GPO. Next, open the WMI Filtering drop-down list, which is now populated with any previously created WMI filters. Select the appropriate filter from the list—once you propagate the GPO to your domain, you are finished!

Linking a WMI filter to a GPO

You are probably familiar with the old carpenter’s aphorism “Measure twice, cut once.” This truism is especially relevant for us Windows systems administrators with respect to Group Policy application.

We are faced with the frightening question: How can we know in advance if our WMI filter works? Well, to that end I would like to point you to a nifty free utility by the GPO Guy called the WMI Filter Validation Utility.

The way this tool works is simple: we first have it analyze our GPO infrastructure and report metadata concerning any linked and unlinked WMI filters. This interface is shown in the next screen capture.

The WMI Filter Validator

We can then test a WMI filter by right-clicking its entry in the tool’s interface and selecting Validate from the shortcut menu. This launches a wizard whereby we can target a specific domain member computer.

Validating a WMI filter

We must remember that a WMI filter is essentially a Boolean True/False test in order for Active Directory to determine whether to apply a given GPO to a given computer. The WMI Filter Validation Utility works wonderfully to test this equation in advance.

WMI validation results
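
The same True/False test can be run from PowerShell for a filter made of more than one WQL statement. This is an added example, not part of the original article or the validation utility: `Test-WmiFilter` is a hypothetical helper, the two-statement filter models the article's Windows 7 hotfix scenario, and `KB0000000` is a placeholder ID.

```powershell
# Added example: Test-WmiFilter is a hypothetical helper, not a built-in cmdlet.
function Test-WmiFilter {
    [CmdletBinding()]
    param(
        # One or more WQL statements, as they would be entered in the filter.
        [Parameter(Mandatory)] [string[]] $Query,
        [string] $Namespace = 'root\CIMv2',
        # Omit for the local machine; a remote name requires WinRM access.
        [string] $ComputerName
    )

    $allMatch = $true
    foreach ($wql in $Query) {
        $cimArgs = @{ Namespace = $Namespace; Query = $wql; ErrorAction = 'Stop' }
        if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }

        try {
            # A statement matches when it returns at least one instance.
            $count = @(Get-CimInstance @cimArgs).Count
        }
        catch {
            # This helper reports a failed query (bad syntax, unknown class) as no match.
            Write-Warning "Query failed: $wql : $($_.Exception.Message)"
            $count = 0
        }

        Write-Host ('{0,-5} {1,4} instance(s)  {2}' -f ($count -gt 0), $count, $wql)
        if ($count -eq 0) { $allMatch = $false }
    }
    # The filter as a whole is True only if every statement matched.
    return $allMatch
}

# Constructed filter for the article's scenario: Windows 7 clients (version 6.1,
# ProductType 1 = workstation) with a given hotfix. KB0000000 is a placeholder.
$win7Hotfix = @(
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType = "1"',
    'SELECT * FROM Win32_QuickFixEngineering WHERE HotFixID = "KB0000000"'
)
Test-WmiFilter -Query $win7Hotfix

# Pitfall: a negated condition still matches if any other instance exists, so this
# returns True on every machine whether or not a service named ABCService is installed.
Test-WmiFilter -Query 'SELECT * FROM Win32_Service WHERE NOT Name = "ABCService"'
```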

Conclusion

At this point you should have a solid idea as to what WMI filters are and how we can use them to dynamically scope our GPOs. You also know how to test WMI filter application prior to GPO deployment.


3 Comments

  1. Ingmar says:

    I wrote a similar post a while back: http://www.eventlogblog.com/blog/2009/10/useful-wmi-queries-to-filter-g.html.

    I didn’t know about the validation utility however.

    Thanks!

  2. moven says:

    This was very helpful to me, thanks.

  3. Martin says:

    Is it possible to write a WQL query that checks whether a specific Service is NOT installed on some machines?

    I tried: “Select * From Win32_Service
    Where Not Name = “ABCService” “, but this gives “True” always…
