
WMI Filters


Purpose: WMI Filters are a way to fine-tune the application of GPOs. Evaluated at the time of a Group Policy refresh at the client, a WMI Filter includes one or more WMI Query Language (WQL) queries. If any of these queries returns a result (essentially meaning it evaluates to True), then the WMI filter is considered to evaluate to True and the GPO to which it is linked is applied. If the WQL queries do not return anything in the result set, then the GPO is not applied.

Platforms: WMI Filters are supported on Windows XP and Windows Server 2003. Since they are not supported on Windows 2000, any WMI Filter associated with a GPO is ignored on this platform and the GPO is applied.

When To Use (And Not Use) WMI Filters: WMI filters are best used as an "exception" mechanism where a GPO is to be applied for a well-defined period of time. An example might be during an upgrade of hardware: perhaps the new hardware supports a feature that can be used in a GPO. By linking a WMI filter to the GPO, it can be applied only to those machines that have the new hardware. When all targeted machines have been upgraded, the WMI Filter can be removed, safe in the knowledge that all machines are able to respect the GPO. Keep in mind that the WMI filter is evaluated each and every time a Group Policy refresh occurs at the client and that this has some cost in terms of performance. And on domain controllers this takes place every 5 minutes by default!

Tools: WMI Filters are cool but the WQL language isn't the most "accessible" in the world. And all those objects.... Here are two resources to help build WMI Filters.

  • Scriptomatic. A great little utility for creating WQL queries (which can be cut and pasted into a WMI Filter). Select from high-level objects (computer, OS, etc.) and this tool will present a list of available counters. Select the counters you want and you'll have your WMI query. Read about the tool here and download here.
  • Windows 2000 Scripting Guide. Despite the Windows 2000 focus, this has strong relevance to WMI Filters (which, ironically, are not available on Windows 2000 but can be used on Windows XP and Windows Server 2003). See the WMI Primer in this guide. This documentation is also available in hard copy.

You can also use the WMI Object Browser that is part of the WMI Tools download. The Object Browser lets you browse the WMI classes and properties on a given system and can help you locate a property of interest for including in your filter.

Syntax: WMI filters are composed of two parts. In the first part, you specify the portion of the WMI namespace you wish to query within. Typically this is root\CIMV2 for most queries that you will encounter. The second part is the actual WQL query statement. If you are familiar with the SQL language then a WQL query will look very familiar. It typically takes the form of:

Select * FROM <WMI_CLASS> WHERE <WMI Property>=<value>

For example, if I wanted to create a WMI filter that would only allow Windows XP systems with SP2 installed to process a GPO, I might create a WQL query like this:

Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 2"

In this case, I'm querying all instances of the Win32_OperatingSystem WMI Class (usually a system has only one so that's pretty easy!) where the Caption property on that class indicates XP and the CSDVersion property indicates SP2.

To use wildcards with a property use the LIKE operator instead of the "=" operator in the WHERE clause.

For example:

Select * from Win32_OperatingSystem Where (Caption Like "%Win%")

You can quickly test your query using WMIC, which is available on all XP/2003/Vista installs by default:

wmic path win32_operatingsystem WHERE (Caption like "%Win%") get Caption

More information on using the LIKE operator is on MSDN.

Using WMI filters with Registry values: It is sometimes desirable to apply GPOs only when a Registry value contains, or does not contain, a specific value. The problem is that the Registry provider by default only supports methods, not properties, but there is a somewhat cumbersome way around this that makes it possible to create a WMI filter that queries the Registry.

The Registry WMI provider can actually support instance properties, a requirement for WMI filters, if you tell it to, but it requires some work and in many cases it is not worth the effort. The steps to do it can be summarized as follows:

1. Create a MOF (text) file that defines the keys and values that should be accessible.
2. Run Mofcomp.exe on EACH computer to add the values from the MOF file into the WMI Repository. The syntax is: "mofcomp -class:forceupdate <path to MOF file>"
3. Create your WMI filter using your preferred GP admin tool.

The difficulty, of course, is getting mofcomp executed on each computer. Because administrative permissions are required, it could be run from a Startup script or something similar. Some sort of flag should be used so that it runs only when the MOF file has changed, not every time the computer boots.
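One way to implement the "flag" described above, as an added example rather than code from the original page: a PowerShell computer startup script that recompiles the MOF only when its SHA-256 hash differs from the one recorded after the last successful run. The share path, file names and flag location are placeholders, and PowerShell is assumed to be installed on the clients.

```powershell
# Added example: recompile the MOF at startup only when its content has changed.
# All paths below are hypothetical placeholders; adjust them to your environment.
# The script runs as SYSTEM, so the source MOF must live where only
# administrators can write (for example a script folder in SYSVOL).
$MofSource  = '\\example.local\SYSVOL\example.local\scripts\WindowsInfo.mof'
$LocalCopy  = Join-Path $env:SystemRoot 'Temp\WindowsInfo.mof'
$MarkerPath = Join-Path $env:SystemRoot 'System32\wbem\WindowsInfo.mof.sha256'
$MofComp    = Join-Path $env:SystemRoot 'System32\wbem\mofcomp.exe'

function Get-Sha256Hex([string]$Path) {
    # Uses .NET directly so it also works where Get-FileHash is not available.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Dispose()
    }
}

if (-not (Test-Path -LiteralPath $MofSource)) {
    Write-Error "MOF file not found: $MofSource"
    exit 1
}

# Hash and compile the same local copy, so the file that was checked
# is the file that gets compiled.
Copy-Item -LiteralPath $MofSource -Destination $LocalCopy -Force
$current = Get-Sha256Hex $LocalCopy

$previous = ''
if (Test-Path -LiteralPath $MarkerPath) {
    $previous = ([string](Get-Content -LiteralPath $MarkerPath -TotalCount 1)).Trim()
}

if ($current -eq $previous) { exit 0 }   # unchanged since last successful compile

& $MofComp '-class:forceupdate' $LocalCopy
if ($LASTEXITCODE -ne 0) {
    # Leave the old flag in place so the next boot retries.
    Write-Error "mofcomp failed with exit code $LASTEXITCODE; flag not updated"
    exit $LASTEXITCODE
}

Set-Content -LiteralPath $MarkerPath -Value $current
```

The flag is written only after mofcomp succeeds, so a failed compile is retried at the next boot instead of being silently skipped.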

Since MOF files aren't very easy to explain, especially for dynamic WMI providers such as the Registry Provider, below is a generic example that can be modified by changing paths and values or by adding new paths. Just copy the text into a text file and make sure that no extra line breaks have been added. Note that the MOF file below only supports String registry values.

///////////////////////////////////////////////////////////////////////
// MOF File that makes it possible to query for build number and registered owner with GP WMI filter.
///////////////////////////////////////////////////////////////////////

#pragma namespace ("\\\\.\\Root\\cimv2")

[DYNPROPS]
class WindowsInfo
{
     [key]string  Keyname="";
     string       BuildNumber;
     string       Organization;
};
[DYNPROPS]
instance of WindowsInfo
{
     KeyName="BuildInfo";
     [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion|CurrentBuildNumber"), Dynamic, Provider("RegPropProv")] BuildNumber;
     [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion|RegisteredOrganization"), Dynamic, Provider("RegPropProv")] Organization;
};

//////////////////////////////////////////////////////////////////////////////


After the MOF file has been compiled on the client machines, a WMI filter can be used that looks like this in the root\cimv2 namespace:

SELECT * FROM WindowsInfo WHERE BuildNumber="2600" AND Organization="My Organization"

This will match all the computers with build number 2600 (XP) registered to "My Organization" by reading from the Registry keys and not the "normal" OS WMI classes.

Again the problem is to compile the MOF file on all computers to enable WMI to access the Registry keys as properties, but after that everything works as expected.

 


Comments:

From ldardennes - 11/7/06 12:26 PM

I am trying to apply a group policy if the machine does not have Office 2003 installed.  I can filter Office 2003 machines in with the following.

"SELECT * FROM Win32_Product WHERE Caption ='Microsoft Office Professional Edition 2003'"

but the following doesn't work because it returns a collection of all applications, and if anything is installed it evaluates to true.

"SELECT * FROM Win32_Product WHERE Caption <> 'Microsoft Office Professional Edition 2003'"

Is there a way to do this?

 Thank you very much in advance

From dunn_254 [164.107.68.188] - 8/7/06 2:16 PM

I'm trying to write a WMI filter where if the computer object resides in a particular OU the policy applies but if it is not in that container then the gpo doesn't apply.

For Example, User is a student who has a job working for the college.  Student logs into the computer lab then the GPO locking down the system applies.  Student logs into office computer (job) GPO doesn't apply.

Any suggestions?  I've tried:

select*from SMS_R_ComputerGroup where ActiveDirectoryOrganizationalUnit = "ad.edu/Student OU"

Thanks

From Craig - 7/5/06 3:02 PM

Note that if you want to use wildcards to specify a property, you need to use the LIKE operator instead of the EQUALS operator in the WHERE clause.

So this would work:

Select * from Win32_OperatingSystem Where (Caption Like "%Win%")

You can test it out with WMIC, which is available on all XP/2003 installs:

wmic path win32_operatingsystem WHERE (Caption like "%Win%") get caption

The use of LIKE is documented in the WQL pages of MSDN:

http://msdn.microsoft.com/library/en-us/wmisdk/wmi/like_operator.asp

From jdmcd - 5/17/06 7:54 PM

I am trying to apply a group policy if the machine does not have Office 2003 installed.  I can filter Office 2003 machines in with the following.

"SELECT * FROM Win32_Product WHERE Caption ='Microsoft Office Professional Edition 2003'"

but the following doesn't work because it returns a collection of all applications, and if anything is installed it evaluates to true.

"SELECT * FROM Win32_Product WHERE Caption <> 'Microsoft Office Professional Edition 2003'"

Is there a way to do this?

From Bob [155.247.219.11] - 3/24/06 12:41 PM

I'm not sure what JJ means. The standard registry provider is installed and on by default on any Windows XP or Windows 2003 Server machine. For gosh sakes, you can access the registry (via the registry provider) from command line if you wish.

From JJ [168.68.1.127] - 3/13/06 1:35 PM

By default in WinXP the registry provider is disabled. Add these lines to the beginning of your MOF file to enable it. Without it your registry WMI query will fail:

///////////////////////////////////////////////////////////
// MOF File to enable the registry provider in WinXP.
///////////////////////////////////////////////////////////

#pragma namespace ("\\\\.\\root\\cimv2")

instance of __Win32Provider as $PropProv
{
 Name="RegPropProv";
 Clsid="{72967901-68EC-11d0-B729-00AA0062CBB7}";
};

instance of __PropertyProviderRegistration
{
 Provider=$PropProv;
 SupportsPut = TRUE;
 SupportsGet = TRUE;
};

/////////////////////////////////////////////////

From andyp - 1/21/06 11:50 AM

Select * from Win32_ComputerSystem where UserName = "domain\Administrator"

Syntax fails when saving the filter. The \ is the problem. Any way around this?

 

 

From Exclude using WMI Filters... [69.54.44.187] - 12/9/05 12:41 PM

The comment I just made stripped out my angle brackets...

There should be a 'not equal' (left angle bracket[Shift + ,], right angle bracket[Shift + .]) operator between the parameters and the values:

CSName (does not equal) "ComputerA"

If you don't understand angle brackets, you could alternatively use !=

See http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/wql_operators.asp

 

 

From Exclude objects via WMI Filter... [69.54.44.187] - 12/9/05 12:38 PM

Try using:

Select * From Win32_OperatingSystem Where CSName "ComputerNameA" And CSName "ComputerNameB"

etc...

From SebastianP - 11/30/05 7:50 PM

Does anyone know whether it is possible to use a WMI filter query to return true if the user logging on is a member of a particular domain?

I can use WMI to associate a specific user with the groups, but can't see a way to use it in a WMI filter. Specifically, do WMI filters support predefined variables like the username of the user for which the policy is being evaluated?

From senthilp2005 - 8/26/05 7:33 AM

m_lind, the short answer is no.

The implementation of WMI Filters does not have a NOT operator, meaning, it doesn't evaluate to TRUE if there are no rows returned. This coupled with the WQL shortcomings (maybe a complicated sub-query might return a TRUE for no rows, but WQL doesn't support sub-queries), you cannot achieve what you're trying to do.

From m_lind [134.217.237.30] - 8/24/05 5:07 PM

Is there any way to use a WMI filter and retrieve a TRUE (the GPO will be applied) if a specific System Variable IS NOT on the computer? To exclude special PCs it is easier to set a System Variable on these machines rather than to touch a few thousands.

Thanks a lot for any help.

From lummy [128.32.226.97] - 2/16/05 6:59 PM

Just wanted to mention that while a WMI filter will not work on a Win2k machine, one CAN target Win2k machines by using a filter that EXCLUDES winXP. In other words, you would create a GPO targeted for Win2k and tell the filter not to run if it's WinXP.

Half empty, half full


Last Modified 7/6/06 1:35 AM
