How to Use WMI Filtering: Just the Basics

two individuals working on a laptop and with a magnifying glass on a desktop monitor displaying three user icons being funneled into one user.

Aug 8, 2019 by Kevin Oppihle

When you create a group policy (GPO) for users or systems, they are typically in a certain organizational unit (OU) within Active directory. For example: categorizing sales versus HR.

By default, a GPO you assign may deploy when you do not want it to if multiple OUs and GPOS are in place. For example, you may have GPOs tied to the user, to a group the user is in, and another to the system they are accessing.

Say you have a group policy that maps printers and drive shares tied to a user. You created that GPO to assist the user when they log onto workstations. That user, however, also logs onto servers. You do not want that GPO to apply when the user logs onto the server. To fix that issue, you would use WMI filtering.

To do this, design the WMI filter string to identify the systems you want to exclude. Your WMI filters only apply to the remaining systems you didn’t identify. For example, if you define only W32 Product Type “1” then it will APPLY the GPO to systems with W32 Product Type “Type “2” and “3”.

What is a Product Type? That is how the OS mode is defined:

ProductType=”1” is Client Operating system

ProductType=”2” is Domain Controllers

ProductType=”3” is Servers that are not domain controllers

 

WMI Win32_OperatingSystem Version Numbers:

5.1 – Windows XP (you shouldn’t have to use this one)

5.2 – Windows Server 2003

5.2.3 – Windows Server 2003 R2

6.0 – Windows Vista & Windows Server 2008

6.1 – Windows 7 & Windows Server 2008 R2

6.2 – Windows 8 & Windows Server 2012

6.3 – Windows 8.1 & Windows Server 2012 R2

 

For more details on this, here’s a good article.

Here is how to create the WMI filter. Open Group Policy Management and expand Forest, Domains and the domain. Right click on WMI Filters and select “New”:

WMI filteringName the WMI filter, fill out the Description, then select “Add” to add your specific query as shown in the example below:

WMI filteringAnd Save:

WMI filteringIf there is an error in your query, it may pop up a warning.

Now when you edit GPOs the new WMI filter you created will display in the dropdown at the bottom of the Scope tab.

WMI filteringSo now that you understand the concept, here’s how you test your WMI filters.

In this example, the filter excludes domain controllers and severs.

Here is a test example using PowerShell:

$query = “select * from Win32_OperatingSystem WHERE (ProductType<>’2′ AND ProductType<>’3′)”

Get-WMIObject -Query $query

If the WMI filter returns a result, then it applies the policy. If it does not return anything, then it does not apply the policy. In the example applied on my workstation, the output would look like this:

WMI filteringThere you have it! Go ahead and give it a shot.

If you have more questions about how to utilize WMI or your GPOs, we’re here to help you. Send us an email or give us a call at 502-240-0404!

Press enter to search