Group Policy – WMI Filters by Operating System

image_pdfimage_print

Have you ever wanted to separate your Active Directory Group Policies from each other based on criteria such as target operating system? Well you are in luck! With some very simple WMI filters you can do exactly that.

Using WMI filters is a simple, and flexible way to create specific target criteria for delivering policies. For my situation, I’d like to be able to create 3 specific policies so that I can ensure that there is no contamination of machines with the incorrect configuration.

We could achieve this using OU structure and manually moving around computer objects, but I would much rather be able to let the system do the heavy lifting and guarantee that I do not have any accidental policy delivery, or worse that no policies get deployed at all to the machines.

From a Domain Controller, or from a workstation running the Remote Server Administration Tools (RSAT), launch the Group Policy Management Console (Start | Administrative Tools | Group Policy Management) or by running GPMC.MSC from the Run command.

gpmc.msc

Expand the Forest and Domain until you will see the  WMI Filters folder towards the bottom of the list. Right click the WMI Filters folder and select New… to create a new filter.

Create new WMI Filter

The first policy we will create is one for Windows Server 2008. I do not need to differentiate between editions (Standard, Enterprise, Web) or chip architecture (x86 or x64) so my filter query will be for any version of Windows Server 2008.

The WMI property we are looking at for this is Caption from the Win32_OperatingSystem. You can look at yours using this simple PowerShell process:

     $wmi = gwmi Win32_OperatingSystem

     $wmi.Caption

PowerShell output

Let’s use the name Windows Server 2008 (all editions) for the name and description field of the new WMI Query

New WMI Filter dialog

Now click on the Add button which brings up the query window. Leave the Namespace as rootCIMv2 and then under the query section type this:

 Select * FROM Win32_OperatingSystem WHERE (Caption LIKE “Microsoft Windows Server 2008%”)

The by appending the % to the LIKE query it means that anything found after the 2008 in the Caption will be accepted. You can also use the Version property, but that is a number which is changed by Service Packs and can be more difficult to pinpoint. I’m only in need of knowing the OS type which makes it much easier to use the Caption.

WMI Query

Now that you’ve saved this new WMI filter, you can go to your Group Policy Object and on the Scope tab at the bottom you use the drop down list to apply your new WMI filter to the policy.

GPO wit Filter

For my other 2 queries, I use the same process but I want to have a Windows XP and a Windows 7 for managing my desktop pools with clearly targeted policies. For my Windows XP filter:

Select * FROM Win32_OperatingSystem WHERE (Caption LIKE “Microsoft Windows XP%”)

and for Windows 7:

Select * FROM Win32_OperatingSystem WHERE (Caption LIKE “Microsoft Windows 7%”)

It’s just that easy. Now go forth and filter!

Tags:
DiscoPosse

People, Process, and Technology. Powered by Community!

You might also like

3 Comments

  • HardcoreITguy
    February 22, 2012 at 11:42 pm

    Keep in mind, there is a performance impact to WMI filters in a GPO. Every time GP processing runs (every ~90 min) it re-evaluates the WMI query…

    • DiscoPosse
      Eric
      February 23, 2012 at 11:56 am

      Excellent point. Touche! It’s a challenge to balance the win versus the performance hit.

LEAVE A COMMENT

Proudly Sponsored By

GC On-Demand

Subscribe to the Blog

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Upcoming events:

Archives