When you create a group policy (GPO) for users or systems, they are typically in a certain organizational unit (OU) within Active directory. For example: categorizing sales versus HR.
By default, a GPO you assign may deploy when you do not want it to if multiple OUs and GPOS are in place. For example, you may have GPOs tied to the user, to a group the user is in, and another to the system they are accessing.
Say you have a group policy that maps printers and drive shares tied to a user. You created that GPO to assist the user when they log onto workstations. That user, however, also logs onto servers. You do not want that GPO to apply when the user logs onto the server. To fix that issue, you would use WMI filtering.
To do this, design the WMI filter string to identify the systems you want to exclude. Your WMI filters only apply to the remaining systems you didn’t identify. For example, if you define only W32 Product Type “1” then it will APPLY the GPO to systems with W32 Product Type “Type “2” and “3”.
What is a Product Type? That is how the OS mode is defined:
ProductType=”1” is Client Operating system
ProductType=”2” is Domain Controllers
ProductType=”3” is Servers that are not domain controllers
WMI Win32_OperatingSystem Version Numbers:
5.1 – Windows XP (you shouldn’t have to use this one)
5.2 – Windows Server 2003
5.2.3 – Windows Server 2003 R2
6.0 – Windows Vista & Windows Server 2008
6.1 – Windows 7 & Windows Server 2008 R2
6.2 – Windows 8 & Windows Server 2012
6.3 – Windows 8.1 & Windows Server 2012 R2
For more details on this, here’s a good article.
Here is how to create the WMI filter. Open Group Policy Management and expand Forest, Domains and the domain. Right click on WMI Filters and select “New”:
Name the WMI filter, fill out the Description, then select “Add” to add your specific query as shown in the example below:
If there is an error in your query, it may pop up a warning.
Now when you edit GPOs the new WMI filter you created will display in the dropdown at the bottom of the Scope tab.
So now that you understand the concept, here’s how you test your WMI filters.
In this example, the filter excludes domain controllers and severs.
Here is a test example using PowerShell:
$query = “select * from Win32_OperatingSystem WHERE (ProductType<>’2′ AND ProductType<>’3′)”
Get-WMIObject -Query $query
If the WMI filter returns a result, then it applies the policy. If it does not return anything, then it does not apply the policy. In the example applied on my workstation, the output would look like this:
There you have it! Go ahead and give it a shot.