The traditional method for scoping Group Policy Objects (GPOs) in Windows Server 2008 Active Directory is to perform the following actions:
- Ensure that the GPO is linked to the appropriate Active Directory object (for instance, site, domain, OU)
- Use security filtering to ensure that the GPO affects only specified user and/or computer accounts
Security filtering a GPO
What many Windows systems administrators do not know (or may not want to know due to the learning curve involved) is that we can also use Windows Management Instrumentation (WMI) filtering to dynamically scope Group Policy.
WMI is extremely powerful in GPO application because we can target systems based upon hardware and software attributes such as CPU architecture, operating system, free disk space, BIOS version, and so forth.
It should be noted that because your WMI filters are parsed during every Group Policy refresh, WMI filters in GPOs are best reserved for time-limited scenarios to avoid undue performance impact on your domain controllers.
For instance, you may want to deploy a GPO with a WMI filter that scopes the policy for Windows 7 clients that have a particular hotfix applied in order to undo the installation. After your machines have ingested and processed the GPO, you can simply unlink the WMI filter or disable the GPO entirely.
Creating a WMI filter
To build your first WMI filter, fire up the Group Policy Management Console and expand your domain to expose the WMI Filters container. Next, right-click WMI Filters and select New from the shortcut menu.
Creating a New WMI Filter
In the New WMI Filter dialog box, add a name and (optionally) a description for your new WMI filter. Next, we can build the actual WMI Query Language (WQL) query by clicking Add.
New WMI filter
WMI filters consist of two components: (a) the WMI namespace; and (b) the WQL query. The vast majority of Windows systems administration-related WMI classes are contained within the root\CIMv2 namespace.
If you have used the Structured Query Language (SQL) before, then you will be instantly comfortable with the basic syntax of the WQL language. If not, then you have a bit of a learning curve in front of you.
Please check out the following links for some useful assistance in writing WQL:
In the following example screenshot, my WQL query targets domain systems that run Windows XP Professional.
A WQL query
Note that a single WMI filter can consist of more than one WQL query statement. Once you’ve saved your work, your new filter(s) will appear in the WMI Filters node in Group Policy Management Console.
NOTE: Active Directory replication ensures that both your WMI filters as well as your GPOs are available on all domain controllers.
Linking a WMI filter to a GPO
To link a WMI filter to a GPO using the GPMC, view the properties of the target GPO. Next, open the WMI Filtering drop-down list, which is now populated with any previously created WMI filters. Select the appropriate filter from the list—once you propagate the GPO to your domain, you are finished!
Linking a WMI filter to a GPO
You are probably familiar with the old carpenter’s aphorism “Measure twice, cut once.” This truism is especially relevant for us Windows systems administrators with respect to Group Policy application.
We are faced with the frightening question: How can we know in advance if our WMI filter works? Well, to that end I would like to point you to a nifty free utility by the GPO Guy called the WMI Filter Validation Utility.
The way this tool works is simple: we first have it analyze our GPO infrastructure and report metadata concerning any linked and unlinked WMI filters. This interface is shown in the next screen capture.
The WMI Filter Validator
We can then test a WMI filter by right-clicking its entry in the tool’s interface and selecting Validate from the shortcut menu. This launches a wizard whereby we can target a specific domain member computer.
Validating a WMI filter
We must remember that a WMI filter is essentially a Boolean True/False test in order for Active Directory to determine whether to apply a given GPO to a given computer. The WMI Filter Validation Utility works wonderfully to test this equation in advance.
WMI validation results
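An added example (not from the original article and not the WMI Filter Validation Utility's code): a PowerShell function that runs a filter's namespace/WQL pairs against a computer and reports the True/False outcome, counting the filter as True only when every query returns at least one instance. The function name `Test-WmiFilter` and the two sample queries are assumptions made for illustration.

```powershell
# Added example: evaluate a WMI filter's queries as a True/False test.
# Each entry is one namespace + WQL pair; the filter passes only if every
# query returns at least one instance on the target computer.
function Test-WmiFilter {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable[]] $Queries,
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $results = foreach ($q in $Queries) {
        $cimArgs = @{
            Namespace   = $q.Namespace
            Query       = $q.Query
            ErrorAction = 'Stop'
        }
        # Only go remote when another machine is named (requires WinRM on it).
        if ($ComputerName -ne $env:COMPUTERNAME) { $cimArgs.ComputerName = $ComputerName }
        try {
            $count = @(Get-CimInstance @cimArgs).Count
            $err   = $null
        } catch {
            # A malformed query or unreachable namespace is treated here as a failed query.
            $count = 0
            $err   = $_.Exception.Message
        }
        [pscustomobject]@{
            Query     = $q.Query
            Instances = $count
            Passed    = ($count -gt 0)
            Error     = $err
        }
    }
    [pscustomobject]@{
        ComputerName = $ComputerName
        FilterResult = -not ($results.Passed -contains $false)
        Details      = $results
    }
}

# Constructed sample filter: workstation OS (ProductType 1) with more than 1 GB free on C:.
$filter = @(
    @{ Namespace = 'root\CIMv2'; Query = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1' }
    @{ Namespace = 'root\CIMv2'; Query = 'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace > 1073741824' }
)
Test-WmiFilter -Queries $filter | Format-List
```

Pass `-ComputerName` to test a pilot machine before linking the filter to a GPO; the `Details` property shows which query caused a False result.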
Conclusion
At this point you should have a solid idea as to what WMI filters are and how we can use them to dynamically scope our GPOs. You also know how to test WMI filter application prior to GPO deployment.
I wrote a similar post a while back: http://www.eventlogblog.com/blog/2009/10/useful-wmi-queries-to-filter-g.html.
I didn’t know about the validation utility however.
Thanks!
This was very helpful to me, thanks.
Is it possible to write a WQL query that checks whether a specific Service is NOT installed on some machines?
I tried: "Select * From Win32_Service Where Not Name = 'ABCService'", but this gives "True" always…