Delegate creation of WMI filters using GPMC
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To delegate creation of WMI filters
Open Group Policy Management.
In the console tree, click WMI Filters in the forest and domain in which you want to delegate management permissions for all WMI filters.
Where?
Forest name/Domains/Domain name/WMI Filters
In the results pane, click the Delegation tab, and then do one of the following:
To add a new group or user with management permissions on all WMI filters
To change the permission levels on all WMI filters for a group or user
To remove a group or user from the permissions list for all WMI filters
To add a new group or user with management permissions on all WMI filters
Click Add.
In the Select Users, Computers, or Groups dialog box, click Object Types, select the types of objects to which you want to delegate permissions on all WMI filters, and then click OK.
Click Locations, select either Entire Directory or the domain or organizational unit containing the object to which you want to delegate permissions, and then click OK.
In the Enter the object name to select box, enter the name of the object to which you want to delegate permissions by doing one of the following:
If you know the name, type it, and then click OK.
To search for the name, click Advanced, enter the search criteria, click Find Now, select the name in the list box, click OK, and then click OK.
In the Add Group or User dialog box, select the permissions level you want to assign to the group or user, and then click OK.
To change the permission levels on all WMI filters for a group or user
- In the list box, right-click the name of the group or user, and then click Creator Owner or Full Control to specify the permissions level you want to assign to the group or user.
To remove a group or user from the permissions list for all WMI filters
- In the Groups and users list box, select the name of the group or user whose permissions on all WMI filters you want to remove, and then click Remove.
- or -
If the group or user is a member of another group with these permissions, double-click the group it belongs to. In the property dialog box that appears, click the group or user you want to remove, and then click Remove.
When prompted to confirm the removal of the delegation privilege, click OK.
Notes
You must be a domain administrator or Enterprise Administrator to delegate permissions on all WMI filters in a domain.
Users with Full Control permissions can create and control all WMI filters in the domain, including WMI filters created by others. Users with Creator Owner permissions can create WMI filters, but can only control WMI filters that they create.
If you remove Group Policy Creator Owners from the permissions list, users who create Group Policy objects (GPOs) can no longer create WMI filters unless they are explicitly given that permission through membership in another group.
All users must have Read access to all WMI filters. Otherwise, Group Policy stops processing when it encounters a WMI filter that cannot be read. You cannot use Group Policy Management to remove Read permissions from WMI filters.
WMI Filters is only available if at least one domain controller in the domain is running Windows Server 2003. The same is true for WMI Filtering on the Scope tab for GPOs.
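The notes above can be checked against an exported permissions list. The following audit sketch is an added example, not Microsoft's code: it classifies access entries into the permission levels named on this page and reports the conditions the notes warn about. Assumptions: the mapping of levels to directory rights, the CONTOSO domain name, Authenticated Users as the principal that carries Read, and the container path in the final comment.

```powershell
# Added example, not Microsoft's code. Needs Windows (System.DirectoryServices).
Add-Type -AssemblyName System.DirectoryServices
$R = [System.DirectoryServices.ActiveDirectoryRights]

function Get-WmiFilterDelegationLevel {
    param([Parameter(Mandatory)] $Ace)
    $allow  = "$($Ace.AccessControlType)" -eq 'Allow'
    $rights = [System.DirectoryServices.ActiveDirectoryRights]$Ace.ActiveDirectoryRights
    # Assumed mapping of the page's levels to directory rights. GenericAll
    # contains the other bits, so later tests override earlier ones.
    $level = 'Other'
    if ($rights.HasFlag($R::GenericRead)) { $level = 'Read' }
    if ($rights.HasFlag($R::CreateChild)) { $level = 'Creator Owner' }
    if ($rights.HasFlag($R::GenericAll))  { $level = 'Full Control' }
    if (-not $allow)                      { $level = 'Deny' }
    [pscustomobject]@{ Principal = "$($Ace.IdentityReference)"; Level = $level
                       CanRead   = $allow -and $rights.HasFlag($R::GenericRead) }
}

function Test-WmiFilterDelegation {
    param([Parameter(Mandatory)] [object[]] $Aces,
          [string] $GpoCreators = 'CONTOSO\Group Policy Creator Owners', # constructed domain
          [string] $AllUsers    = 'NT AUTHORITY\Authenticated Users')    # assumed Read holder
    $levels   = @($Aces | ForEach-Object { Get-WmiFilterDelegationLevel -Ace $_ })
    $findings = @()
    # Full Control reaches WMI filters created by others, so list every holder.
    foreach ($l in ($levels | Where-Object { $_.Level -eq 'Full Control' })) {
        $findings += "REVIEW: $($l.Principal) has Full Control on all WMI filters"
    }
    # Without this entry, GPO creators need another group to create WMI filters.
    $creators = @($levels | Where-Object {
        $_.Principal -eq $GpoCreators -and $_.Level -in 'Creator Owner', 'Full Control' })
    if ($creators.Count -eq 0) { $findings += "WARN: $GpoCreators is not in the permissions list" }
    # Group Policy stops processing at a WMI filter that cannot be read.
    $readers = @($levels | Where-Object { $_.Principal -eq $AllUsers -and $_.CanRead })
    if ($readers.Count -eq 0) { $findings += "WARN: $AllUsers has no Read access" }
    [pscustomobject]@{ Levels = $levels; Findings = $findings }
}

# Constructed sample entries. On a live domain (assumption: ActiveDirectory module loaded,
# filters stored under CN=SOM,CN=WMIPolicy,CN=System) pass (Get-Acl "AD:\<container DN>").Access
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Domain Admins'
        ActiveDirectoryRights = 'GenericAll'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'CONTOSO\Helpdesk-GPO'
        ActiveDirectoryRights = 'CreateChild, GenericRead'; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'
        ActiveDirectoryRights = 'GenericRead'; AccessControlType = 'Allow' }
)
(Test-WmiFilterDelegation -Aces $sample).Findings
```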
Information about functional differences
- Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.
See Also
Concepts
Delegation and policy-related permissions
WMI filtering using GPMC
Delegate an individual WMI filter using GPMC
Delegate creation of Group Policy objects using GPMC
Delegate an individual Group Policy object using GPMC
Delegate policy-related permissions on a domain, OU, or site using GPMC
Start Group Policy Management Console