Posted on May 3, 2017 · Posted in Group Policies

Using WMI Filter to Apply Group Policy to IP Subnet

This time it was necessary to apply GPO to computers in the specific IP subnet. In the simplest case, when the subnet is a part of a separate Active Directory site (and this is the only subnet in the site) you can assign your GPO to the AD site. It is a simple and easy method. In our case, we can’t apply the policy to the whole AD site since several IP subnets is bound to it. We’ll have to use the feature of filtering policies using WMI filters.

Earlier we have considered using WMI filters to apply the specific Group Policy only to the certain Windows versions. In this case, in the same way you have to create a WMI filter and change the query so that it contains the condition to check IP addresses.

  1. Open GPMC.msc (Group Policy Management) console and find WMI Filters section.
  2. Create a new filter. To do it, right-click the section and select New in the context menu.Create new GPO WMI filter
  3. Specify the filter name and its description.
  4. To add a WMI query  click Add.wmi filter on ip subnets
  5. Leave root\CIMv2 as a namespace, and copy the following code to the query window:
    Select * FROM Win32_IP4RouteTable
    WHERE (Mask=''
    AND (Destination Like '191.168.55.%' OR Destination Like '191.168.56.%'))
    wmi query Win32_IP4RouteTable

    Note. In this example, we created a filter that allows to apply the policy to clients using IP address templates with masks 191.168.55.x and 191.168.56.x. Replace these subnets with your own ones.

  6. Save the query.
  7. In GPMC console, select the policy you want to apply.
  8. In the WMI Filtering section of this policy settings, select the created filter in the dropdown list and assign the policy to the OU containing the WMI filter to Group Policy

Note. In some cases, it is more convenient to target a policy to the specific client subnets with the targeting feature of Group Policy Preferences, where you can set a range of IP addresses in one of the filters.

Now you have to update the policies on the clients (gpupdate /force) and make sure they are applied. (To make sure if your GPO has been applied, you can use the standard utility gpresult).

So using a simple WMI filter we can assign a Group Policy to clients in the specific IP networks or to a range of IP addresses.

Related Articles