GPO Targeting with WMI Filters

Tools (and References) of the WMI Trade

To master WMI, you have to do a lot of work. You'll have to read up on and master four crucial key pieces of WMI documentation, which are found at the following websites :

• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnclinic/html/scripting06112002.asp ( shortened to http://tinyurl.com/lsok )

• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnclinic/html/scripting08132002.asp (shortened to http://tinyurl.com/6berp )

• http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnclinic/html/scripting01142003.asp (shortened to http://tinyurl.com/b9nxp )

And you'll have to get the accompanying "Windows 2000 Scripting Guide" from Microsoftthe de facto (and very large-o) book on scriptingand work through all the hundreds of examples (at Amazon at http://tinyurl.com/7yypc ).

What? You don't have time for that? No problem! You can do the next best thing and "wing it." We'll use two tools to create WMI queries, and then we'll manually bend them into WMI Filters.

• WMI CIM Studio is available on Microsoft's website. At last check, it was at www.microsoft.com/downloads/release.asp?releaseid=40804 (shortened to http://tinyurl.com/8zot ).

• The WMI Scriptomatic version 1.0 tool is also available from Microsoft. At last check, it was at http://www.microsoft.com/technet/scriptcenter/tools/wmimatic.mspx (shortened to http://tinyurl.com/cmcdl ).

• And there's also available the Scriptomatic version 2.0 tool available at http://www.microsoft.com/downloads/details.aspx?FamilyID=09dfc342-648b-4119-b7eb-783bOf7dll78&DisplayLang=en (shortened to http://tinyurl.com/5wdup ).

My choice is to use one of the two Scriptomatic tools, made by my pals the "Microsoft Scripting Guys." Both versions of the Scriptomatic tool basically do the same thing. That is, they zip through all the available WMI classes and then makes them available for an easy-breezy query. In Figure 10.27, the WMI class Win32_LocalMemoryConfiguration is selected. Then, scriptomagically, all the WMI attributes in that class are exposed in a ready-to-run VBscript application. You can see them in Figure 10.27, including AvailableVirtualMemory, TotalPageFileSpace, and the one we're after, TotalPhysicalMemory. Just click the Run button and you can see the output with the values on this machine.

Figure 10.27: The Scriptomatic version 1 tool from the "Microsoft Scripting Guys"

Don't ask me why TotalPhysicalMemory is an attribute of the Win32_LogicalMemory-Configurationit just is. Actually, it turns out that you can query another variable to gather the physical memory. It's under win32_ComputerSystem , and the variable name is also TotalPhysicalMemory . Oddly, it returns a slightly different value on the same machine. Again, don't ask me why.

When you click Run, the script runs in a little prompt window. You can see that the TotalPhysicalMemory of this box is 261620, which is 256MB. The point here, however, is that the unit measurement and expected output of this field is expressed in thousands of bytes. We'll leverage this information when we bend this WMI query into a WMI filter.

WMI Filter Syntax

You can start nearly all the WMI Filters you'll create using Scriptomatic. All that's left is to wrap a little logic around the output. All the WMI Filters we'll create have the following syntax:

 SELECT * from Win32_{something} WHERE {variable}  [=,>,<,is, etc] {desired result} 

Now, all we have to do is plug in the stuff we already know, and we're off and running. In this example, we're using Win32_LogicalMemoryConfiguration . We know the variable we want is TotalPhysicalMemory , and we know that we want it to be greater than 128MB, which we can represent as > 128000. Yes, I know 128000 isn't exactly 128MB of memory, but it's close enough. Anyway, when you put it all together, you get:

 SELECT * from Win32_LogicalMemoryConfiguration WHERE TotalPhyisicalMemory > 128000 

Easy as pie. However, not all WMI Filters are this easy. Some WMI variable entries have text, and you must use quotes to specifically match what's inside the string to what's inside the WMI variable.

Creating and Using a WMI Filter

Once your WMI filter is in the correct syntax, you're ready to inject it into an existing GPO for filtering. Again, this can be any GPO you wantnot just GPOs that control GPSI. Again, we're using GPSI as an example because I think you'll get the most use of it this way. Creating and using a WMI filter is a two-step process: creating and then using. (I guess that makes sense.)

WMI Filter Creation

Before you can filter a specific GPO, you need to define the filter in Active Directory. Follow these steps:

1. Fire up the GPMC, then drill down to Forest ˜ Domain ˜ WMI Filters node.

2. Right-click over the WMI Filters node and select New as seen in Figure 10.28.

3. When you do, you'll be presented with the New WMI Filter dialog box as seen in Figure 10.29. You'll be able to type in a name and description of your new filter, as seen below. Then, click the Add button, and in the Query field, just enter in the full SELECT statement from before.

4. When done, click Save. Your query is now saved into Active Directory and can be leveraged for any GPO you want. We'll explore how to do that next.

Figure 10.28: Right-click over the WMI Filters node to create a WMI filter

Figure 10.29: Enter in a name and description, then click the Add button to enter in your WMI filter.

WMI Filter Usage

Using the GPMC, it's easy to find the GPO you want and then leverage the WMI filter you just made. Follow these steps:

1. Locate the "Deploy Office XP (to computers)" GPO you created (which should be within the Human Resources Computers OU).

2. Click the Scope tab of the GPO.

3. In the WMI Filtering section, select the WMI Filter you just created, as shown in Figure 10.30.

4. At the prompt, confirm your selection.

Figure 10.30: Choose the GPO (or GPO link) and select a WMI Filter.

Now this GPO applies to Windows XP and Windows 2003 computers with 128MB of RAM or more. Windows 2000 machines simply ignore WMI Filters, and this GPO still applies to them.

Final WMI Filter Thoughts

WMI Filters can be a bit tough to create, but they're worth it. You can filter target machines that meet specific criteriafor GPOs that leverage GPSI or any other Group Policy function. But keep two things in mind.

WMI Performance Impact WMI Filters take some percentage of performance away each and every time Group Policy processing is evaluated. That is, at every logon, at startup, and every 90 minutes thereafter, you'll take a little performance hit because WMI filters are re-evaluated. So, if you link a GPO to the domain that leveraged WMI Filters, every single Windows XP and Windows 2003 machine works hard to evaluate that WMI query. The upshot: be careful where you link GPOs with WMI queries. You could seriously affect GPO processing performance. You'll definitely want to test your WMI Filters first in the lab for performance metrics before you roll them out companywide .

WMI Filters Don't Apply to Windows 2000 Windows 2000 machines are left out of the mix. They simply ignore the WMI Filters placed on GPOs. When a Windows 2000 machine processes a GPO that leverages a WMI filter, it's as if the query always evaluates to "True." However, with a little downloadable magic, you can hack Windows 2000 machines to play in the WMI Filter game. A free, quasi-supported download, called "WMI Filtering for Windows 2000," is available at www.mml.ru/WMIF2K/ , and it can inject the necessary code to support WMI Filters. It's a little unwieldy to set up, but afterward you should be able to have a unified WMI scheme across your environment.