You can link GPOs to a domain, a site or an OU and apply a security filter to link the GPO to a particular group of users or computers.
In many cases this is all there is to it, but sometimes that doesn't do the job. For example, you want to install a software package on 64-bit versions of Windows only. Or you might want to add a firewall rule to computers that are running the DHCP server service. These are the moments when you need WMI filters.
This article describes the following:
WMI is a uniform way to gain access to system or administrative information in a database-like way. The most common syntax of a WMI query is:
SELECT [property] FROM [wmi class]
You create a WMI filter following the next steps:
1. Start Group Policy Management Console and connect to the domain.
2. Right-click WMI Filters and choose New.
3. Enter a title and description for the filter and click Add.
4. Enter the query and click OK.
5. Repeat steps 3 and 4 if you want to enter multiple queries in 1 filter.
6. Click Save.
It looks simple and in fact it is. The harder part is how to build the query.
If you have any scripting experience (or just the feeling) I recommend downloading Microsoft's WMI Code Creator.
This tool makes it easy to create and test a WMI query just by selecting the class, property and value. The screen dump shows how to create a filter that checks for the existence of drive D:.
Download: WMI Code Creator
There's a widespread rumor that WMI filtering shouldn't be used because it is slow. You should keep in mind that WMI is a powerful tool. It's possible to create a query that searches the entire C: drive to see if there is a file named coffee.txt. Yes, that would be a slow query.
The examples in this article though are much simpler and most shouldn't take more than a second to execute. When in doubt it is wise to measure the time to execute.
Far easier than creating a filter is to use someone else's filters. These examples are tested on Windows 2008 R2 and Windows 7 and should work on earlier Windows versions.
If not mentioned otherwise, the namespace used in the examples is root\CIMv2.
Computer is a laptop (because it has a battery)
SELECT * FROM Win32_Battery
Screen resolution is at least 1280x720
SELECT * FROM Win32_DisplayControllerConfiguration WHERE HorizontalResolution>1279 AND VerticalResolution>719
System is running on batteries
SELECT * FROM BatteryStatus Where Discharging = True
NOTE: Namespace for this filter: \root\WMI
Computer has at least 2GB RAM memory
SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory > 2000000000
Drive D: contains at least 100GB free space
SELECT * FROM Win32_LogicalDisk WHERE FreeSpace > 100000000000 AND Caption = "D:"
Computer contains an Intel Processor
SELECT * FROM Win32_Processor WHERE Manufacturer = "GenuineIntel"
Computer has more than 2 logical processors
SELECT * FROM Win32_ComputerSystem where NumberOfLogicalProcessors > 2
Computer has more than 1 physical processor
SELECT * FROM Win32_ComputerSystem where NumberOfProcessors > 1
Computer contains an IRDA device
SELECT * FROM CIM_InfraredController
Computer contains a floppy drive
SELECT * FROM Win32_FloppyDrive
Computer contains an active Trusted Platform Module (TPM)
SELECT * FROM Win32_Tpm WHERE IsEnabled_InitialValue = True
NOTE: Namespace for this filter: root\CIMV2\Security\MicrosoftTpm
Computer is a Compaq Presario SR5115NL
SELECT * FROM Win32_ComputerSystem WHERE manufacturer = "Compaq-Presario" and Model = "GN729AA-ABH SR5115NL"
64-bit OS installed
SELECT OSArchitecture FROM Win32_OperatingSystem WHERE OSArchitecture = "64-bit"
OS Windows 7
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" and ProductType = "1"
OS Windows 7 with service pack 1
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" and ProductType = "1" and ServicePackMajorVersion = "1"
OS Windows Vista
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" and ProductType = "1"
OS Windows XP
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" and ProductType = "1"
OS Windows 2000 workstation
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.0%" and ProductType = "1"
OS Windows 2008 R2 server
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" and ProductType <> "1"
OS Windows 2008 R2 server with service pack 1
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" and ProductType <> "1" and ServicePackMajorVersion = "1"
OS Windows 2008 server
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" and ProductType <> "1"
OS Windows 2003 server
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" and ProductType <> "1"
OS Windows 2000 server
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.0%" and ProductType <> "1"
Time zone + 1 (bias is the time zone GMT+0 offset in minutes)
SELECT * FROM win32_timezone WHERE bias = 60
Windows feature webserver is installed
SELECT * FROM Win32_ServerFeature WHERE Name="Web Server (IIS)"
Service DHCP Server starts automatically
SELECT * FROM Win32_Service WHERE Caption="DHCP Server" AND StartMode="Auto"
Share Backup$ is defined on this computer
SELECT * FROM Win32_Share WHERE Caption="Backup$"
File C:\windows\system32\notepad.exe exists
SELECT * FROM CIM_Datafile WHERE Name="C:\\windows\\system32\\notepad.exe"
Local user JDoe exists
SELECT * FROM Win32_UserAccount WHERE Name="JDoe" AND LocalAccount=True
Local group WSUS-administrators exists
SELECT * FROM Win32_Group WHERE LocalAccount=True AND Name="WSUS-administrators"
Microsoft Office is installed (slow query!!)
SELECT * FROM Win32_Product WHERE Caption LIKE "Microsoft Office%"
Computer is an AD client computer
SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = "1"
Computer is an AD domain controller
SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = "2"
Computer is an AD member server
SELECT ProductType FROM Win32_OperatingSystem WHERE ProductType = "3"
AD Site-name is Amsterdam
SELECT * FROM Win32_NTDomain WHERE ClientSiteName = "Amsterdam"
It is Monday (1=Monday, 2=Tuesday, etc)
SELECT DayOfWeek FROM Win32_LocalTime WHERE DayOfWeek = 1
It is February (1=January, 2=February, etc)
SELECT Month FROM Win32_LocalTime WHERE Month = 2
You succeeded in creating the WMI filter and applied it to a GPO, but does it work correctly? To test this you can run Group Policy Results in the Group Policy Management Console.
The screen dump shows the WMI filter applied to GPO Dummy having value True, which means that the GPO will be applied.
NOTE: You might need to refresh the policies using gpupdate
If you are familiar with PowerShell you can check the performance of the WMI filter using the command:
Measure-Command {Get-WmiObject -query '[query]'}
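The check and the timing above can be combined for a filter that holds several queries. The following is an added example, not part of the original article: Test-WmiFilter is a hypothetical helper, the sample filter is constructed from two queries in the list above, and it assumes that a query which fails (unknown class or namespace, access denied) counts as no match.

```powershell
# Added example, not from the original article. Test-WmiFilter is a hypothetical helper.
# A WMI filter is True only when every query in it returns at least one instance.
# Assumption in this sketch: a query that fails is treated as returning no instances.
function Test-WmiFilter {
    param(
        [Parameter(Mandatory = $true)]
        [hashtable[]]$Queries,                     # @{ Query = '...'; Namespace = '...' }
        [string]$DefaultNamespace = 'root\CIMv2'   # namespace used when an entry names none
    )
    $perQuery = foreach ($q in $Queries) {
        $ns = if ($q.Namespace) { $q.Namespace } else { $DefaultNamespace }
        $count = 0
        $failure = $null
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # @() forces an array so .Count is valid for 0, 1 or many instances
            $count = @(Get-WmiObject -Namespace $ns -Query $q.Query -ErrorAction Stop).Count
        } catch {
            $failure = $_.Exception.Message        # e.g. invalid class, invalid namespace
        }
        $timer.Stop()
        New-Object PSObject -Property @{
            Namespace = $ns
            Query     = $q.Query
            Instances = $count
            Match     = ($count -gt 0)
            Seconds   = [math]::Round($timer.Elapsed.TotalSeconds, 3)
            Error     = $failure
        }
    }
    # Show the per-query detail on the console without polluting the return value
    $perQuery | Format-Table Match, Instances, Seconds, Namespace, Query, Error -AutoSize | Out-Host
    # Overall result: True only if no query failed to match
    return (@($perQuery | Where-Object { -not $_.Match }).Count -eq 0)
}

# Constructed sample filter: 64-bit OS AND currently running on batteries
$filter = @(
    @{ Query = 'SELECT OSArchitecture FROM Win32_OperatingSystem WHERE OSArchitecture = "64-bit"' },
    @{ Query = 'SELECT * FROM BatteryStatus WHERE Discharging = True'; Namespace = 'root\WMI' }
)
"Filter evaluates to: $(Test-WmiFilter -Queries $filter)"
```

Run it on a representative client before linking the filter to a GPO; a query that takes seconds here is evaluated again at every policy refresh.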
This post applies to: Windows 2003, Windows 2008, Windows 2012, Windows XP, Windows Vista, Windows 7, Windows 8.
ZEDA.nl
Tips & Tweaks for Windows