Recipe 9.16 Applying a WMI Filter to a GPO

WMI filters can be configured only on a Windows Server 2003 domain controller, and they will apply only to Windows Server 2003- and Windows XP-based clients.

9.16.1 Problem

You want to apply a WMI filter to a GPO.

9.16.2 Solution

9.16.2.1 Using a graphical user interface
  1. Open the GPMC snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, browse to the domain of the GPO you want to target, and expand the Group Policy Objects container.

  3. Single-click on the target GPO.

  4. In the right name, at the bottom of the window you can select from the list of WMI filters.

  5. After you've selected the WMI filter, click Yes to confirm.

9.16.2.2 Using VBScript
' This code links an existing WMI filter with a GPO
' ------ SCRIPT CONFIGURATION ------
strGPO         = "<GPOName>"        ' e.g. Sales GPO
strDomain      = "<DomainDNSName>"  ' e.g. rallencorp.com

' e.g. {D715559A-7965-45A6-864D-AEBDD9934415}
strWMIFilterID = "<WMIFilterID>" 
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )
  
' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, _
                         cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

on error resume next

' Retrieve the WMI filter
strWMIFilter = "MSFT_SomFilter.Domain=""" & _
                strDomain & """,ID=""" & _
                strWMIFilterID & """"
set objWMIFilter = objGPMDomain.GetWMIFilter(strWMIFilter)
if Err.Number <> 0 then
   WScript.Echo "Did not find WMI Filter: " & strWMIFilterID
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found WMI Filter: " & objWMIFilter.Name
end if

' Link the filter and print the result
objGPOList.Item(1).SetWMIFilter(objWMIFilter)
if Err.Number <> 0 then
   WScript.Echo "Failed to set WMI filter."
   WScript.Echo "Error: " & err.description
else        
   WScript.Echo "Set WMI filter successfully."
end if

9.16.3 Discussion

You can link only one WMI filter to a GPO. This is not necessarily a limitation because you can still link more than one GPO to a site, domain, or OU. If you need multiple WMI filters to apply to a GPO, copy the GPO and apply a new WMI filter to it. See Recipe 9.15 for more information on WMI filters.

9.16.3.1 Using VBScript

I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If none or more than one are returned, I abort the script. If only one GPO is returned, I call GPMDomain.GetWMIFilter to instantiate a GPMWMIFilter object based on the WMI filter GUID specified in the configuration section. If you need to programmatically search for the WMI filter ID, you can use the GPMDomain.SearchWMIFilters method. After I retrieve the GPMWMIFilter object, I call the GPMGPO.SetWMIFilter method to set the filter for the GPO.

9.16.4 See Also

MSDN: GPMDomain.GetWMIFilter and MSDN: GPMGPO.SetWMIFilter



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List