Many Windows IT pros rely on Active Directory (AD) Group Policy to centrally manage the technical behavior and rights of their Windows 2000 Server and later infrastructures. Some use the default Group Policy settings to enforce password policies, lock workstations after a certain period of inactivity, and customize user desktops. Some recent applications, such as Microsoft Software Update Services (SUS) and Windows XP Service Pack 2 (SP2) Windows Firewall, include Group Policy administrative templates that further leverage this centralized policy framework.
Most IT pros are familiar with the two most common methods for applying Group Policy: directly on the container (e.g., site, domain, organizational unit, or OU, local object) and indirectly through security permission restrictions. In Windows Server 2003, Microsoft added Windows Management Instrumentation (WMI) filtering capabilities to let you further hone the scope of a Group Policy Object (GPO). WMI filters let you apply a GPO to only certain members of a container, according to whether the member satisfies the criteria that the filter specifies. For example, you can use WMI filters to target a Windows Installer package to client computers that have specific hardware configurations or a minimum amount of RAM and disk space on a particular drive. To take advantage of this filtering functionality, you need to know a bit about WMI.
WMI Architecture
WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM) technology, which defines a cross-platform standard and framework for managing systems. Microsoft exposes WMI providers that permit programs to query details about a particular system. You'll likely be interested primarily in properties such as the amount of memory or manufacturer of a computer system. A WMI property (e.g., manufacturer) is associated with a WMI class (e.g., Win32_ComputerSystem). This class is a member of a namespace (e.g., root\CIMv2). To learn more about WMI, read the Windows IT Pro article "Scripting with WMI," May 2003, InstantDoc ID 38498.
If you run a Windows 2003 domain, you can use WMI Query Language (WQL) result sets to target Group Policy to specific computers. Note that only target computers that run Windows 2003 or XP support WMI filtering. Earlier systems will simply ignore the filter.
Let's look at a simple example before we delve further into WMI filtering. Let's say you want to create a GPO that automatically installs software updates on all employee workstations that run XP Professional Edition but doesn't install the updates on computers that run Windows 2003. You've organized your computers into various OUs that are based on function and location, and you don't want to reorganize them into OUs that are based on whether to apply the updates. WMI filters provide a handy solution. Here are the basic steps for using WMI filters in this situation. I discuss the details later.
1. Create a new GPO that defines how you want to apply software updates (e.g., via SUS).
2. Link this GPO at a level high enough to affect all OUs that contain computers. (Note: Never create a WMI filter on your Default Domain GPO. All computers in your domain must be able to access the Default Domain GPO without restriction.)
3. Create a WMI filter that uses WQL to query a computer's OS version. The WQL syntax will look similar to the following:
   SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "%Windows XP Professional%"
4. Link the WMI filter to your newly created GPO, and you're off and running.
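Before linking a filter to a GPO, it helps to confirm on a test machine what its WQL query actually returns, because Group Policy treats a WMI filter as true only when the query returns at least one instance. The following PowerShell script is an added example, not code from the original article; it evaluates the article's OS-version query alongside two assumed hardware queries (the RAM and free-disk thresholds are illustrative values, not figures from the article) and reports whether each filter would select the local computer.

```powershell
# Added example, not part of the original article.
# Evaluates candidate WMI filter queries on the local machine the way Group Policy
# does: a filter "applies" when its WQL query returns one or more instances.
# Assumes PowerShell 3.0 or later for Get-CimInstance; on older hosts use
# Get-WmiObject -Namespace/-Query with the same arguments.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'   # default namespace for Group Policy WMI filters
    )
    try {
        $instances = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($instances.Count -gt 0)
    } catch {
        # A query that cannot run (unknown class, bad namespace, WQL syntax error)
        # returns no instances, so report it as "would not apply" and show the reason.
        Write-Warning ("Query failed: {0}" -f $_.Exception.Message)
        return $false
    }
}

# Candidate filters: the article's OS query plus two assumed hardware queries.
# Queries are wrapped in single quotes so the double quotes WQL uses survive.
$candidateFilters = [ordered]@{
    'XP Professional only'  = 'SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "%Windows XP Professional%"'
    'At least 1 GB of RAM'  = 'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 1073741824'
    'At least 2 GB free C:' = 'SELECT * FROM Win32_LogicalDisk WHERE DeviceID = "C:" AND FreeSpace >= 2147483648'
}

# Report, per filter, whether the GPO it is linked to would apply to this computer.
$report = foreach ($name in $candidateFilters.Keys) {
    [pscustomobject]@{
        Filter  = $name
        Applies = Test-WmiFilterQuery -Query $candidateFilters[$name]
        Query   = $candidateFilters[$name]
    }
}
$report | Format-Table -AutoSize
```

Run it on a representative client and again on a server to check that the filter draws the line where you expect; a typo in the class name or caption text shows up here as a warning and a false result rather than as a GPO that silently never applies.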
Be careful how you use WMI filtering. If you misconfigure WMI filtering or apply it ad hoc, your Group Policy architecture can become cumbersome, confusing, and ultimately less effective. For example, applying specific GPOs directly to OUs that contain target computers is more effective than applying several GPOs at a higher level, then using WMI filters to prevent these GPOs from running on specific computers. However, the extra level of targeting granularity that WMI filters provide can help you apply GPOs to certain classes of users or computers for which OU organization isn't practical.