WMI filtering using GPMC
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
WMI filtering
Windows Management Instrumentation (WMI) filters allow you to dynamically determine the scope of Group Policy objects (GPOs) based on attributes of the target computer.
When a GPO that is linked to a WMI filter is applied on the target computer, the filter is evaluated on the target computer. If the WMI filter evaluates to false, the GPO is not applied (except if the client computer is running Windows 2000, in which case the filter is ignored and the GPO is always applied). If the WMI filter evaluates to true, the GPO is applied.
WMI makes data about a target computer available for administrative use. Such data can include hardware and software inventory, settings, and configuration information. For example, WMI exposes hardware configuration data such as CPU, memory, disk space, and manufacturer, as well as software configuration data from the registry, drivers, file system, Active Directory, the Windows Installer service, networking configuration, and application data.
A WMI filter consists of one or more queries based on this data. If all queries are true, the GPO linked to the filter will be applied. The queries are written using the WMI Query Language (WQL), a SQL-like language. Queries can be combined with AND and OR logical operators to achieve whatever effect the administrator wants. Each query is executed against a particular WMI namespace. When you create a query, you must specify the namespace. The default is root\CIMv2, which is appropriate for most WMI queries.
The WMI filter is a separate object from the GPO in the directory. To apply a WMI filter to a GPO, you link the filter to the GPO. This is shown in the WMI filtering section on the Scope tab of a GPO. Each GPO can have only one WMI filter, however the same WMI filter can be linked to multiple GPOs.
WMI filters, like GPOs, are stored on a per-domain basis. A WMI filter and the GPO it is linked to must be in the same domain.
Notes
Client support for WMI filters exists only on Windows XP, Windows Server 2003, and later operating systems. Windows 2000 clients will ignore any WMI filter and the GPO is always applied, regardless of the WMI filter.
WMI filters are only available in domains that have at least one Windows Server 2003 domain controller. In an environment consisting only of Windows 2000 domains, the WMI filter node in Group Policy Management Console (GPMC) is not shown.
Using WMI filters with GPMC
Using GPMC, you can create and delete WMI filters, link and unlink WMI filters, copy and paste WMI filters, import and export WMI filters, and view and edit attributes of WMI filters.
Sample code
The following table shows sample code for several WMI filters.
Criterion | Administrator's intent | WMI filter |
---|---|---|
Configuration |
Avoid turning on netmon on computers that can have multicasting turned on. |
|
Time zone |
Apply policy on all servers located on the East Coast of the United States. |
|
Hotfix |
Apply a policy on computers that have a specific hotfix. |
|
Software inventory |
Assign software only on computers already having either of two software packages. |
|
Operating system |
Only target computers running Windows XP Professional. |
|
Resources |
Target only machines that have at least 600 megabytes (MB) available. |
|
Make or model |
Target Toshiba Tecra models 800 and 810. |
|
See Also
Concepts
Managing inheritance of Group Policy
Security filtering using GPMC
Create, import, export, copy, and paste WMI filters