Recipe 9.16 Applying a WMI Filter to a GPO

WMI filters can be configured only on a Windows Server 2003 domain controller, and they will apply only to Windows Server 2003- and Windows XP-based clients.

9.16.1 Problem

You want to apply a WMI filter to a GPO.

9.16.2 Solution

9.16.2.1 Using a graphical user interface

9.16.2.2 Using VBScript

' This code links an existing WMI filter with a GPO ' ------ SCRIPT CONFIGURATION ------ strGPO         = "<GPOName>"        ' e.g. Sales GPO strDomain      = "<DomainDNSName>"  ' e.g. rallencorp.com ' e.g. {D715559A-7965-45A6-864D-AEBDD9934415} strWMIFilterID = "<WMIFilterID>"  ' ------ END CONFIGURATION --------- set objGPM = CreateObject("GPMgmt.GPM") set objGPMConstants = objGPM.GetConstants( )    ' Initialize the Domain object set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC) ' Find the GPO set objGPMSearchCriteria = objGPM.CreateSearchCriteria objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _                          objGPMConstants.SearchOpEquals, _                          cstr(strGPO) set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria) if objGPOList.Count = 0 then    WScript.Echo "Did not find GPO: " & strGPO    WScript.Echo "Exiting."    WScript.Quit elseif objGPOList.Count > 1 then    WScript.Echo "Found more than one matching GPO. Count: " & _                 objGPOList.Count    WScript.Echo "Exiting."    WScript.Quit else    WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName end if on error resume next ' Retrieve the WMI filter strWMIFilter = "MSFT_SomFilter.Domain=""" & _                 strDomain & """,ID=""" & _                 strWMIFilterID & """" set objWMIFilter = objGPMDomain.GetWMIFilter(strWMIFilter) if Err.Number <> 0 then    WScript.Echo "Did not find WMI Filter: " & strWMIFilterID    WScript.Echo "Exiting."    WScript.Quit else    WScript.Echo "Found WMI Filter: " & objWMIFilter.Name end if ' Link the filter and print the result objGPOList.Item(1).SetWMIFilter(objWMIFilter) if Err.Number <> 0 then    WScript.Echo "Failed to set WMI filter."    WScript.Echo "Error: " & err.description else            WScript.Echo "Set WMI filter successfully." end if

9.16.3 Discussion

You can link only one WMI filter to a GPO. This is not necessarily a limitation because you can still link more than one GPO to a site, domain, or OU. If you need multiple WMI filters to apply to a GPO, copy the GPO and apply a new WMI filter to it. See Recipe 9.15 for more information on WMI filters.

9.16.3.1 Using VBScript

I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If none or more than one are returned, I abort the script. If only one GPO is returned, I call GPMDomain.GetWMIFilter to instantiate a GPMWMIFilter object based on the WMI filter GUID specified in the configuration section. If you need to programmatically search for the WMI filter ID, you can use the GPMDomain.SearchWMIFilters method. After I retrieve the GPMWMIFilter object, I call the GPMGPO.SetWMIFilter method to set the filter for the GPO.

9.16.4 See Also

MSDN: GPMDomain.GetWMIFilter and MSDN: GPMGPO.SetWMIFilter