Introduction to WMI Filters for GPMC
WMI Filters are the icing on the Group Policy cake; they add precision to where you apply the settings. The secret of WMI filters is understanding the correct WQL syntax to phrase your query. With WMI filters you can play ‘what if’ games, for example, if Hotfix Q123 has already been installed then assign Program ABC.
Topics for WMI Filters for GPMC
- Scenario – Why would GPMC need a WMI Filter?
- WMI Script Test-bed
- Example 1 – Free disk space
- Example 2 – Select only File Systems that are NTFS
- How to Apply WMI Filters with Group Policy
- WMI and PowerShell
- Summary of WMI Filters
The phrase ‘horses for courses’ neatly describes the sentiment behind WMI filters. When you apply Group Policies, particularly those in the machine section, one type of computer often needs different settings from another. For example, servers require different restrictions compared with desktops. Even Domain Controllers and Member Servers benefit from filtering Group Policies. One of my most useful WMI filters checks for free disk space and only assigns software if free space is greater than my threshold.
More Ideas for your WMI Filter
- Assigning Software only if the Machine is up to specification.
- Installing Packages only if it already has a hot fix.
- Machines that have Multicast IP addresses.
- Checking for Registry Settings before performing additional configuration.
My goal for the test-bed is to investigate suitable filter criteria, then transform the findings into WMI filters. Let me explain about my test-bed idea, the actual WMI Filters are only one-liners for example,
("Select * from Win32_LogicalDisk where FreeSpace > 10000").
The key question is how did you do that? How did I know that the above syntax is correct? There are two answers, copy and paste someone else’s script, or derive the code your self. It is for the later solution that I developed the test-bed.
As a vehicle for our testing, I have selected the Win32_LogicalDisk object. This VBScript has two jobs, firstly to display data from a real system and secondly to act as a test-bed for a variety of WQL queries.
‘ Sample VBScript to display logical disk information
‘ Author Guy Thomas https://computerperformance.co.uk/
‘ Version 2.6 – November 2010
Dim objWMIService, objItem, colItems, strComputer
strComputer = "."
‘ On Error Resume Next
‘ WMI Section to connect to CIM2 library
Set objWMIService = GetObject("winmgmts:\\" _
& strComputer & "\root\cimv2")
Set colItems = objWMIService.ExecQuery _
("Select * from Win32_LogicalDisk")
‘ Loop to enumerate LogicalDisk properties
For Each objItem in colItems
"SystemName: " & objItem.SystemName & vbCr & _
"===============================" & vbCr & _
"Name: " & vbTab & objItem.Name & vbCr & _
"Caption: " & vbTab & objItem.Caption & vbCr & _
"DeviceID: " & objItem.DeviceID & vbCr & _
"VolumeName: " & objItem.VolumeName & vbCr & _
"DriveType: " & objItem.DriveType & vbCr & _
"Description: " & objItem.Description & vbCr & _
"FileSystem: " & objItem.FileSystem & vbCr & _
"FreeSpace: "& vbTab & objItem.FreeSpace & vbCr & _
"Size: " & vbTab & vbTab & objItem.Size & vbCr & _
‘ End of Sample LogicalDisk VBScript
1) Observe how the middle section of the script connects to the Win32_LogicalDisk object in the CIMv2 library.
Set objWMIService = GetObject("winmgmts:\\" _& strComputer & "\root\cimv2")
2) VBScript provides the For Each ..In.. Next loop to cycle through the disk properties. Actually, there are at least another dozen LogicalDisk properties, but I sifted out the most useful properties bearing in mind that our objective is to create a WMI filter for a Group Policy.
Windows Management Instrumentation (WMI) is one of the hidden treasures of Microsoft’s operating systems. Fortunately, SolarWinds have created a Free WMI Monitor so that you can discover these gems of performance information, and thus improve your scripts.
Take the guess work out of which WMI counters to use when scripting the operating system, Active Directory or Exchange Server. Give this WMI monitor a try – it’s free.
The main danger with WMI Filter is over-think. The antidote to doing more than is necessary, is the realization that in the context of a WMI Filter, Windows Server provides the VBScript code. All that we need to create is a WQL scriplet, Group Policy and the operating will handle the ‘wrapper’ code. At the core of each WMI filter lies a WQL query such as: Select * from Win32_Class.
Even with these ultra short scripts, the best strategy is to build the code in a series of steps. In the case of the WMI filter this means starting with the Select verb, choosing the Win32_Object, and last, but not least adding the Where clause.
For our first example, I have chosen Win32_LogicalDisk as opposed to Win32_Processor, Win32_OperatingSystem or about 20 other classes that you may need in the future. Remember that the average network manager will not be expert in VBScript, Microsoft know this and provide the VBScript, we just need the pure WMI snippet.
("Select * from Win32_LogicalDisk")
The WQL clause meaning, ‘filter this property that I am going to give you is’ – Where. For example,
("Select * from Win32_LogicalDisk where FreeSpace > 10000")
Tutorial Learning Points
1) Sometimes simple phrases have a beauty all of their own. Yet, often simple phrases hide all the hard work, what you do not see is all the experiments that did not work and all the extra code that you don’t need. Perhaps the best way to re-enforce this theme is to point what NOT to put in the WQL clause.
2) ("Select * from Win32_LogicalDisk where objItem.FreeSpace > 10000"). No need for objItem, just the pure property name. As with all scripting learn to apply the punctuation correctly.
The key WQL clause is where FileSystem = ‘NTFS’")
("Select * from Win32_LogicalDisk where FileSystem = ‘NTFS’")
Tutorial Learning Points
1) In truth, text filters are harder than numeric filters. The greatest problems are with the speech marks.
("Select * from Win32_LogicalDisk where FileSystem = ‘NTFS’"). Again looks easy, but here are some mistakes. Where FileSystem = ‘ NTFS ‘". It is outrageous that blank spaces should cause problems – but they do.
2) Here is another error, note the wrong type of speech marks. where FileSystem = "NTFS"". The spacing is correct but NTFS should be bracketed by a pair of single speech marks, the double quotes draws an error message.
SolarWinds’ Config Generator is a free tool, which puts you in charge of controlling changes to network routers and other SNMP devices. Boost your network performance by activating network device features you’ve already paid for.
Guy says that for newbies the biggest benefit of this free tool is that it will provide the impetus for you to learn more about configuring the SNMP service with its ‘Traps’ and ‘Communities’. Try Config Generator now – it’s free!
Once you have created your WMI filters, then it is over to Active Directory, so launch the GPMC and add the WMI filter to the Group Policy. (You cannot do it the other way around, I have not found a way of adding a Group Policy to a WMI filter).
Here is a screenshot of the GPMC interface. Note where the WMI Filter called ‘Machine Type’ is added and then applied.
Creating WMI Filters for Group Policies is a multi-skilled task. Not only do you need to be able to navigate around the Windows Server GPMC, but also you need WMI scripting knowledge.
WMI Filters are just one part of your Windows Server Group Policy toolkit. You could also consider the tactic of moving Servers and Laptops to separate OUs and then applying different policies to each OU. Remember that Windows 2000 machines do not understand WMI filters, so the policy will always be applied ‘ ready or not ‘. By that I mean that Windows 2000 professional computers get the policy irrespective of the WMI filter. As for Windows 98 machines, Group Policies don’t apply to them anyway.