WMI Filters

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

WMI Filters are a new feature in Windows Server 2003 and Windows XP. WMI Filters allow an administrator to dynamically determine the scope of GPOs based on attributes of the target computer. This provides the administrator with the potential to dramatically extend the filtering capabilities for GPOs well beyond the previously available security filtering mechanism.

A WMI filter is a separate object that can be linked to a GPO. When the GPO is applied on the target computer, the filter is evaluated on the target computer. A WMI filter consists of one or more queries that are evaluated against the WMI repository of the target computer. If the total set of queries evaluates to false, the GPO is not applied. If all queries evaluate to true, the GPO is applied. Each query is written using the WMI Query Language (WQL), which is a SQL-like language for querying the WMI repository.

Note that client support for WMI filters exists only on Windows XP and later operating systems. Windows 2000 clients will ignore any WMI filter and the GPO is always applied, regardless of the WMI filter.

Each GPO can have only one WMI filter. However, the same WMI filter can be linked to multiple GPOs. Like GPOs, WMI filters are per domain objects.

Figure 7 in the Scoping GPOs section shows a GPO scope pane with a link to the GPO for the “XP Systems” WMI filter. WMI filters are only available in domains that have the Windows Server 2003 configuration. Although none of the domain controllers need to be running Windows Server 2003, you must have run ADPrep /DomainPrep in this domain. ADPrep is a utility included on the Windows Server 2003 CD and must be run before upgrading an existing Windows 2000 domain to Windows Server 2003. If ADPrep /DomainPrep has not been run in a Windows 2000 domain, the WMI Filters node will not be present, and the GPO scope tab will not have a WMI filters section.

The user can create new WMI filters from the WMI Filters container in the GPMC console. Right-clicking either the WMI Filters container or the Contents pane for this node allows the user to create a new WMI filter or to import a filter that was previously exported. Selecting New will present the user with the dialog box in Figure 22.

e76946b9-4a79-4c2f-ae33-0610138a3905

Figure 22

The user enters a name for the WMI filter, an optional description, and then one or more WQL queries using the Add button. Note that for each query, you must specify the WMI namespace where the query is to be executed. The default namespace is root\CIMv2, which should be appropriate for most scenarios. When the user presses the Save button, the query syntax is checked before the WMI filter can be saved.

There are three methods for linking a WMI filter to a GPO:

  1. On the Scope tab of the GPO, use the WMI filtering dropdown to select a WMI filter to link to the GPO.

  2. On the General tab of a WMI filter, right-click the GPOs that use this WMI Filter section and select Add (shown below in Figure 23). Selecting Add will present the user with a list of GPOs in the domain to which the user can link the WMI filter. You can only link to one GPO at a time from this pane.

  3. Using drag and drop, drag a WMI filter onto a GPO.

640508b6-abd3-45cf-ac3e-70b26c58cde7

Figure 23

There is no option to link to a GPO in another domain because WMI filters can not be linked to GPOs in a different domain. Note that the ability to link a WMI filter to a GPO requires edit access to the GPO, as the link to the WMI filter is an attribute of the GPO.

The General tab on the WMI filter pane allows the user to edit a WMI filter. If the user does not have write access to the WMI filter, the Edit Filter button is grayed out. The user can modify the WMI Filter name, description, and the WMI query from this dialog box.