Step 7: Creating WMI and Group Filters
Updated: December 7, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
When the network includes client computers that run a variety of Windows operating systems, two computers in the same OU might require different settings to achieve the same configuration. For example, a computer that is running Windows XP might require a different setting than a computer that is running Windows 7 or Windows Vista. Two GPOs would be required in that case, one to apply to computers that are running Windows XP, and one to apply to computers that are running the later versions of Windows.
There are also times when you cannot rearrange the computers in your AD OU hierarchy to let you link a GPO to OUs that contain only the computers to which you want the GPO to apply. So Group Policy also supports using access control lists (ACLs) to prevent the GPO from applying to any computer or user account that is not granted permissions to the GPO.
There are two frequently used techniques to make sure that GPOs apply only to the correct computers:
Add a Windows Management Instrumentation (WMI) filter to the GPO. A WMI filter enables you to specify criteria that must be matched before the linked GPO is applied to a computer. By letting you filter the computers to which the GPO applies, this reduces the need to further subdivide your OUs in Active Directory. This technique is dynamic, in that the filter is evaluated when the computer attempts to apply the policy. So if you are filtering based on the version of Windows then upgrading the computer from Windows XP to Windows 7 requires no changes to your GPO, because the filter will automatically recognize the change and filter the computer’s access to the GPO accordingly.
Grant or deny the Apply Group Policy security permission in the ACL for the GPO. If you put your computers in security groups, you can then grant the Apply Group Policy permission only to the groups that should use the GPO.
This guide demonstrates both techniques used together. They can also be used individually. Select the filtering types and query parameters based on the needs of your organization. Each enables you to include computers from across organizational units in the Active Directory hierarchy structure.
Important
Windows XP and Windows Server 2003 use different tools and produce different firewall and IPsec settings from the Windows Firewall with Advanced Security snap-in included with Windows Vista and later versions of Windows. Mixing both kinds of settings on the same computer can cause connectivity problems that are very difficult to troubleshoot. We recommend that you use the Windows Firewall with Advanced Security snap-in to create the GPOs for computers that run Windows Vista or later, and the tools provided in Windows XP or Windows Server 2003 to create the GPOs intended for those operating systems. The techniques demonstrated in this topic prevent a GPO designed for one version of Windows from applying to another.
In the next procedure, you apply and test a WMI filter that restricts a GPO to applying only to computers that are running Windows Vista or later (including Windows 7). The filter prevents the GPO from applying to any earlier version of Windows, or to a computer that is running any server version of Windows.
To create the WMI filter
On MBRSVR1, switch to Group Policy Management.
In the navigation pane, right-click WMI Filters, and then click New.
In the Name box, type Apply only to Windows Vista or Later.
Click Add.
In the Query box type:
select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"
This query filters on both the product version number and the product type. Note that WMI filters are evaluated by Windows XP and later; a Windows 2000 computer ignores the filter and applies the linked GPO regardless.
The Version property returns a string that begins with the following characters (the % symbol is a wildcard that matches whatever follows, such as the build number, which does not help distinguish the version):
6.1% : Windows Server 2008 R2 or Windows 7
6.0% : Windows Server 2008 or Windows Vista
5.2% : Windows Server 2003
5.1% : Windows XP
5.0% : Windows 2000
The ProductType property returns one of the following values:
1 : Client versions of Windows
2 : Server versions of Windows that are operating as a domain controller
3 : Server versions of Windows that are not operating as a domain controller (typically referred to as member servers)
Click OK, and then click Save.
Under Group Policy Objects, click Firewall Settings for Windows Clients.
Click the Scope tab, and under WMI Filtering, select your filter Apply only to Windows Vista or Later from the list.
In the confirmation dialog box, click Yes.
The policy now applies only to computers that report a Windows version number starting with the characters "6." and that report that they are a client version of Windows. Because like "6.%" is a prefix match, any later client release whose version also begins with "6." is admitted too; to pin a filter to a single release, match the full major.minor prefix (for example "6.1%").
Leave the Group Policy Management MMC snap-in running.
In the next procedure, you deploy the policy to see that it does apply to the client computer that is running Windows 7 or Windows Vista.
To deploy and test your WMI filter
On CLIENT1, in Administrator: Command Prompt, run gpupdate /force. Wait for the command to finish.
At the command prompt, type the command gpresult /r /scope computer and confirm that the Applied Group Policy Objects section still contains Firewall Settings for Windows Clients.
Leave Administrator: Command Prompt open.
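The following PowerShell is an added example and not part of the original guide. It evaluates the exact WQL query used by the Apply only to Windows Vista or Later filter on the local computer (so you can see whether a GPO carrying the filter would apply there before you link it), decodes the two properties the query compares, and parses the gpresult output that the preceding procedure has you inspect so that filtered-out GPOs are listed with the reason Group Policy reported. It assumes Windows PowerShell 3.0 or later for Get-CimInstance (on an un-updated Windows Vista or Windows 7 host, substitute Get-WmiObject -Query) and an elevated prompt so that gpresult can read the computer scope.

```powershell
# Added example (not part of the original guide). Evaluates the WQL query of the
# "Apply only to Windows Vista or Later" filter on the local computer, decodes the
# two properties it tests, and parses gpresult to show why a GPO was filtered out.
# Assumptions: Windows PowerShell 3.0 or later (Get-CimInstance); run elevated so
# that gpresult can read the computer scope.

# Exact query text from the guide's WMI filter.
$FilterQuery = 'select * from Win32_OperatingSystem where Version like "6.%" and ProductType = "1"'

function Test-WmiFilterQuery {
    # $true when the local computer satisfies the query, i.e. when a GPO carrying
    # this filter would be applied here. (Windows 2000 ignores WMI filters entirely.)
    param([Parameter(Mandatory)][string]$Query)
    $result = @(Get-CimInstance -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
    return ($result.Count -gt 0)
}

function Get-OSFilterFacts {
    # What the filter compares against, decoded with the Version/ProductType table
    # from this step.
    param([Parameter(Mandatory)][string]$Query)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $role = switch ([int]$os.ProductType) {
        1       { 'Client' }
        2       { 'Domain controller' }
        3       { 'Member server' }
        default { "Unknown ($_)" }
    }
    [pscustomobject]@{
        Caption       = $os.Caption
        Version       = $os.Version          # e.g. "6.1.7601" on Windows 7 SP1
        ProductType   = $os.ProductType
        Role          = $role
        MatchesFilter = Test-WmiFilterQuery -Query $Query
    }
}

function Get-GpoFilteringResult {
    # Parses 'gpresult /r /scope computer' and returns each GPO listed under
    # "were not applied because they were filtered out" together with the reason
    # reported, e.g. "Denied (WMI Filter)" or "Denied (Security)".
    $inSection  = $false
    $pendingGpo = $null
    foreach ($line in (gpresult /r /scope computer)) {
        if ($line -match 'were not applied because they were filtered out') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($line -match 'is a part of the following security groups') { break }   # next section
        if ($line -match '^\s*Filtering:\s+(.+?)\s*$') {
            if ($pendingGpo) {
                [pscustomobject]@{ Gpo = $pendingGpo; Filtering = $Matches[1] }
                $pendingGpo = $null
            }
        }
        elseif ($line -match '^\s*-{3,}\s*$' -or $line -match '^\s*$') { continue }  # rule or blank line
        else { $pendingGpo = $line.Trim() }                                           # GPO name line
    }
}

Get-OSFilterFacts -Query $FilterQuery | Format-List
Get-GpoFilteringResult | Format-Table -AutoSize
```

Run it on CLIENT1 after the gpupdate /force in the procedure above: MatchesFilter should be True and Firewall Settings for Windows Clients should not appear in the filtered-out list. Run the same script on MBRSVR1 or DC1 and MatchesFilter is False because ProductType is 3 or 2, which is the behaviour the filter is meant to enforce.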
In the next several procedures, you test group filtering with security ACLs. When combined with the techniques in the previous sections, this results in a GPO that applies only to the members of a group that also meet the requirements of the WMI filter.
To create the computer group
On DC1, if the Active Directory Users and Computers snap-in is not open, open it: click Start, click Administrative Tools, and then click Active Directory Users and Computers.
In the navigation pane, right-click Computers, click New, and then click Group.
In Group name, type Windows Client Computers, and then click OK.
In the next procedure, you set the permissions on the GPO to grant the Apply Group Policy permission only to members of your new computer group.
To set ACL permissions on the GPO
On MBRSVR1, in Group Policy Management, expand Group Policy Objects, and then click Firewall Settings for Windows Clients.
On the Scope tab, in the Security Filtering section, click Authenticated Users, and then click Remove.
On the confirmation dialog box, click OK.
Click Add, type Windows Client Computers, and then click OK.
CLIENT1 is not yet a member of the new group, so the GPO should no longer apply to it. Verify this in the next procedure.
To verify that the GPO no longer applies to CLIENT1
On CLIENT1, open an Administrator: Command Prompt, and then run gpupdate /force. Wait for the command to finish.
Type gpresult /r /scope computer. Examine the Applied Group Policy Objects section and verify that the only GPO listed is Default Domain Policy.
Look down several more lines under The following GPOs were not applied because they were filtered out and confirm that Firewall Settings for Windows Clients is now listed there.
If it is still open, close the Windows Firewall with Advanced Security snap-in, and then restart it.
In the navigation pane, right-click Windows Firewall with Advanced Security on Local Computer, and then click Properties.
Confirm that all the controls are enabled again because the GPO no longer applies.
Click Cancel to close the Properties page.
In the next procedure, you add the computer to the new group.
To add CLIENT1 to the group
On DC1, in the Active Directory Users and Computers snap-in, select the Computers container, and then double-click Windows Client Computers in the results pane.
Select the Members tab, and then click Add.
Click Object Types.
Clear all check boxes except Computers, and then click OK.
In the text box, type CLIENT1, and then click OK to save your changes.
Finally, you can apply the GPO to your computer to see the results.
To verify that the GPO is applied to the computer again
On CLIENT1, restart the computer. Group membership is carried in the computer's security token, which is built when the computer starts, so the new membership takes effect only after a restart.
Log on as contoso/admin1.
Open an Administrator: Command Prompt, and run gpresult /r /scope computer.
Examine the output to confirm that the GPO is applied to your computer again.
Open the Windows Firewall with Advanced Security snap-in.
In the navigation pane, right-click Windows Firewall with Advanced Security on Local Computer, and then click Properties.
Confirm that some of the controls are disabled again because they are now controlled by Group Policy.
Click Cancel to close the Properties page.
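The group-filtering procedures above (create the group, change the GPO's security filtering, add CLIENT1, verify) done from PowerShell, as an added example that is not part of the original guide. It assumes a management host with the ActiveDirectory and GroupPolicy modules (Remote Server Administration Tools on Windows 7 or Windows Server 2008 R2, or a later release), the guide's names (Firewall Settings for Windows Clients, Windows Client Computers, CLIENT1) and a contoso.com domain whose distinguished name is assumed below. One deliberate difference from the GUI steps: clicking Remove on the Scope tab strips both Read and Apply Group Policy from Authenticated Users, whereas this script leaves Authenticated Users with Read and grants Apply Group Policy only to the group. Keeping Read costs nothing for this computer-only GPO and is required for GPOs that carry user settings on systems updated with MS16-072 (KB3163622), which read Group Policy in the computer's security context.

```powershell
# Added example (not part of the original guide): the group-filtering procedure of
# Step 7 done from PowerShell. Requires the ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GpoName   = 'Firewall Settings for Windows Clients'
$GroupName = 'Windows Client Computers'
$GroupPath = 'CN=Computers,DC=contoso,DC=com'   # assumed; adjust to your forest
$Client    = 'CLIENT1'

# 1. Create the global security group in the Computers container (skip if present).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath
}

# 2. Security filtering. -Replace swaps Authenticated Users from GpoApply down to
#    GpoRead (the GUI's Remove would drop Read as well); the group gets GpoApply,
#    which in GPMC terms is Read plus Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

function Get-GpoApplyPrincipals {
    # Names of every trustee that holds Apply Group Policy on the GPO. After step 2
    # only Windows Client Computers should be listed.
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

function Test-ComputerInGroup {
    # $true when the computer account is a direct member of the group, i.e. when its
    # token will carry the group's SID after its next start-up.
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][string]$Group)
    $member = Get-ADGroupMember -Identity $Group |
              Where-Object { $_.objectClass -eq 'computer' -and $_.Name -eq $ComputerName }
    return [bool]$member
}

Write-Host "Trustees with Apply Group Policy on '$GpoName':"
Get-GpoApplyPrincipals -Name $GpoName

# 3. At this point CLIENT1 is not a member; on CLIENT1 'gpresult /r /scope computer'
#    lists the GPO under the filtered-out section with "Filtering: Denied (Security)".
Test-ComputerInGroup -ComputerName $Client -Group $GroupName    # False before step 4

# 4. Add CLIENT1. Group membership is placed in the computer's token at start-up, so
#    restart CLIENT1 (as the guide does) before running gpresult again.
Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $Client)
Test-ComputerInGroup -ComputerName $Client -Group $GroupName    # True after step 4
```

The same ACL is visible in GPMC on the Delegation tab of the GPO (Advanced shows the raw Read and Apply Group Policy entries), so you can confirm from the GUI that the script and the manual procedure produced the intended result before restarting CLIENT1.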
For more information about how to use WMI filters and Group Policy, see:
HOWTO: Leverage Group Policies with WMI Filters at https://go.microsoft.com/fwlink/?linkid=93760
Windows Server Group Policy at https://go.microsoft.com/fwlink/?linkid=93542
Next topic: Step 8: Enabling Firewall Logging