In this article we will talk about WMI (Windows Management Interface) filtering in group policies. This technology allows to create different rules to choose which AD domain objects or OU to apply a group policy to.
Usually WMI filtering for group policies can be used when multiple objects (users or computers) are located in the flat AD structure instead of the separate OU or if you have to apply policies, e. g., according to the OS role, its version, network configuration or any other criterion that can be specified with Windows Management Instrumentation settings. When the client is processing the group policies, Windows will check if it corresponds to the given WMI-filter, and in case it does, the policy will be applied.
It is to be recalled that WMI-filters for the group policies appeared in Windows XP, and the latest Windows versions (Windows Server 2003, 2008, 2012 and Windows Vista, 7, 8) also supportthis technology. WMI filtering of the GPO does not work in Windows 2000 family so you’ll have to upgrade! (I think, 14 years are enough to upgrade from the earlier OS version to a newer one.).
WMI-filters are one of the types of Active Directory objects, they are stored in the section CN=System, CN=WMIPolicy, CN=SOM.
The WMI query that allows to pick out all servers running Windows Server 2012 will look like that:
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE “6.2%” AND (ProductType = “2″ OR ProductType = “3″)
If you are interested in other Windows versions, use the following values of the Version setting of the WMI:
- Windows Server 2012 R2 and Windows 8.1 – 6.3%
- Windows Server 2012 and Windows 8 – 6.2%
- Windows Server 2008 R2 and Windows 7 – 6.1%
- Windows Server 2008 and Windows Vista – 6.0%
- Windows Server 2003 – 5.2%
- Windows XP – 5.1%
- Windows 2000 – 5.0%
Whether the target machine is a client or a server, you have to specify the following value of the ProductType setting:
- Client: ProductType=1
- Domain controller: ProductType=2
To filter all computers running Windows 8.1, a WMI query looks like this:
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ProductType = "1"
If you need all servers running Windows Server 2012 R2, the query is like that:
SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.3%" AND ( ProductType = "2" OR ProductType = "3" )
After the WMI-filter was created, you have to link it to a group policy. To do it, find the necessary group policy and choose the filter you created in the drop down menu of the WMI Filtering section.
You have to wait till the policies are applied on the test clients or run a force update with the command
gpupdate /force Check if the policy is applied only for the servers running Windows Server 2012. To view the applied policies run the command
gpresult /r (more about using GPResult)
Here are a number of WMI queries you can use to create WMI-filters for the group policies:
To pick out all machines with Internet Explorer 8 installed:
SELECT path,filename,extension,version FROM CIM_DataFile WHERE path="\\Program Files\\Internet Explorer\\" AND filename="iexplore" AND extension="exe" AND version>"8.0"
To pick out 32-bit OSs:
SELECT * FROM Win32_Processor WHERE AddressWidth = "32"
To pick out 64-bit OSs:
SELECT * FROM Win32_Processor WHERE AddressWidth = "64"
To pick out computers with the RAM over 1 GB:
SELECT * FROM WIN32_ComputerSystem WHERE TotalPhysicalMemory >= 1073741824