Create WMI Filters for the GPO

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

To make sure that each GPO associated with a group can only be applied to computers running the correct version of Windows, use the Group Policy Management MMC snap-in to create and assign WMI filters to the GPO. Although you can create a separate membership group for each GPO, you would then have to manage the memberships of the different groups. Instead, use only a single membership group, and let WMI filters automatically ensure the correct GPO is applied to each computer.

  • To create a WMI filter that queries for a specified version of Windows

  • To link a WMI filter to a GPO

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

First, create the WMI filter and configure it to look for a specified version (or versions) of the Windows operating system.

To create a WMI filter that queries for a specified version of Windows

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand Forest: YourForestName, expand Domains, expand YourDomainName, and then click WMI Filters.

  4. Click Action, and then click New.

  5. In the Name text box, type the name of the WMI filter.

Note

Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention.

  6. In the Description text box, type a description for the WMI filter. For example, if the filter excludes domain controllers, you might consider stating that in the description.

  7. Click Add.

  8. Leave the Namespace value set to root\CIMv2.

  9. In the Query text box, type:

    select * from Win32_OperatingSystem where Version like "6.%"

    This query will return true for computers running Windows 7, Windows Vista, Windows Server 2008, and Windows Server 2008 R2. To set a filter for just Windows 7 and Windows Server 2008 R2, use "6.1%". To set a filter for Windows Server 2003, use "5.2%". For Windows XP, use "5.1%". For Windows 2000, use "5.0%". To specify multiple versions, combine them with or, as shown in the following:

    ... where Version like "6.0%" or Version like "5.2%"

    The following query returns true for any computer running Windows 2000, Windows XP, or Windows Server 2003, and false for any other version of Windows.

    ... where Version like "5.%"

    To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 7 or Windows Vista, use only ProductType="1". For server operating systems that are not domain controllers, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network.

    The following clause returns true for all computers that are not domain controllers:

    ... where ProductType="1" or ProductType="3"

    The following complete query returns true for all computers running Windows Vista, and returns false for any server operating system or any other client operating system.

    select * from Win32_OperatingSystem where Version like "6.0%" and ProductType="1"

    The following query returns true for any computer running Windows Server 2003, except domain controllers:

    select * from Win32_OperatingSystem where Version like "5.2%" and ProductType="3"

  10. Click OK to save the query to the filter.

  11. Click Save to save your completed filter.
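Before a filter is linked, its query can be run on a representative computer to confirm that it returns the result you expect. The following is an added example, not part of the original procedure: Test-WmiFilterQuery is a hypothetical helper name, and the script assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and WinRM on any remote computer you name.

```powershell
# Added example: evaluate a candidate WMI filter query before linking it to a GPO.
# Test-WmiFilterQuery is a hypothetical helper name, not a built-in cmdlet.
function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string[]] $ComputerName = @('.'),      # '.' means the local computer
        [string]   $Namespace    = 'root\CIMv2' # namespace used in the procedure
    )
    foreach ($computer in $ComputerName) {
        $cim = @{ Namespace = $Namespace; ErrorAction = 'Stop' }
        if ($computer -ne '.') { $cim.ComputerName = $computer }  # remote needs WinRM
        try {
            $os   = Get-CimInstance @cim -ClassName Win32_OperatingSystem
            # A WMI filter evaluates to true when the query returns any instance.
            $hits = @(Get-CimInstance @cim -Query $Query)
            [pscustomobject]@{
                Computer    = $computer
                Query       = $Query
                Version     = $os.Version
                ProductType = $os.ProductType   # 1 client, 2 domain controller, 3 server
                FilterTrue  = ($hits.Count -gt 0)
                Error       = $null
            }
        }
        catch {
            # Malformed WQL or an unreachable computer: report it, do not guess.
            [pscustomobject]@{
                Computer = $computer; Query = $Query; Version = $null
                ProductType = $null; FilterTrue = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Queries from the procedure above; the last one prefixes the ProductType
# clause with the same select statement.
$queries = @(
    'select * from Win32_OperatingSystem where Version like "6.%"',
    'select * from Win32_OperatingSystem where Version like "6.0%" and ProductType="1"',
    'select * from Win32_OperatingSystem where Version like "5.2%" and ProductType="3"',
    'select * from Win32_OperatingSystem where ProductType="1" or ProductType="3"'
)
$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } |
    Format-Table Computer, Version, ProductType, FilterTrue, Error, Query -AutoSize
```

Run it against one client, one member server, and one domain controller (using -ComputerName) and confirm that FilterTrue matches the intended scope of the GPO on each.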

After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs.

To link a WMI filter to a GPO

  1. On a computer that has the Group Policy Management feature installed, click Start, click Administrative Tools, and then click Group Policy Management.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, find and then click the GPO that you want to modify.

  4. Under WMI Filtering, select the correct WMI filter from the list.

  5. Click Yes to accept the filter.

Important

Computers running Windows 2000 cannot process WMI filters, and therefore apply any GPO for which they have read and apply permissions. To prevent a computer running Windows 2000 from applying a GPO, you must use security group filtering.