Have you ever wanted to separate your Active Directory Group Policies from each other based on criteria such as target operating system? Well you are in luck! With some very simple WMI filters you can do exactly that.
Using WMI filters is a simple, and flexible way to create specific target criteria for delivering policies. For my situation, I’d like to be able to create 3 specific policies so that I can ensure that there is no contamination of machines with the incorrect configuration.
We could achieve this using OU structure and manually moving around computer objects, but I would much rather be able to let the system do the heavy lifting and guarantee that I do not have any accidental policy delivery, or worse that no policies get deployed at all to the machines.
From a Domain Controller, or from a workstation running the Remote Server Administration Tools (RSAT), launch the Group Policy Management Console (Start | Administrative Tools | Group Policy Management) or by running GPMC.MSC from the Run command.
Expand the Forest and Domain until you will see the WMI Filters folder towards the bottom of the list. Right click the WMI Filters folder and select New… to create a new filter.
The first policy we will create is one for Windows Server 2008. I do not need to differentiate between editions (Standard, Enterprise, Web) or chip architecture (x86 or x64) so my filter query will be for any version of Windows Server 2008.
The WMI property we are looking at for this is Caption from the Win32_OperatingSystem. You can look at yours using this simple PowerShell process:
$wmi = gwmi Win32_OperatingSystem
$wmi.Caption
Let’s use the name Windows Server 2008 (all editions) for the name and description field of the new WMI Query
Now click on the Add button which brings up the query window. Leave the Namespace as root\CIMv2 and then under the query section type this:
Select * FROM Win32_OperatingSystem WHERE (Caption LIKE “Microsoft Windows Server 2008%”)
The by appending the % to the LIKE query it means that anything found after the 2008 in the Caption will be accepted. You can also use the Version property, but that is a number which is changed by Service Packs and can be more difficult to pinpoint. I’m only in need of knowing the OS type which makes it much easier to use the Caption.
Now that you’ve saved this new WMI filter, you can go to your Group Policy Object and on the Scope tab at the bottom you use the drop down list to apply your new WMI filter to the policy.
For my other 2 queries, I use the same process but I want to have a Windows XP and a Windows 7 for managing my desktop pools with clearly targeted policies. For my Windows XP filter:
Select * FROM Win32_OperatingSystem WHERE (Caption LIKE “Microsoft Windows XP%”)
and for Windows 7:
Select * FROM Win32_OperatingSystem WHERE (Caption LIKE “Microsoft Windows 7%”)
It’s just that easy. Now go forth and filter!
Keep in mind, there is a performance impact to WMI filters in a GPO. Every time GP processing runs (every ~90 min) it re-evaluates the WMI query…
Excellent point. Touche! It’s a challenge to balance the win versus the performance hit.
[...] a previous article about WMI filters for Group Policy, I identified simple filters to make sure that GPOs will only apply to machines running a specific [...]