none
RsopPlanningModeProvider and WMI Filter

    Question

  • Hi
     
    i am having real issues with the RsopPlanningModeProvider class and its ability to specify WMI filters that should be considered to evaluate to true.
     
    i have a user that has two sets of folder redirection policies applied.  one policy is filtered for WIN7 and the other is filtered for WINXP
     
    i am trying to do a policy simulation and return only the policy settings applied to WIN7 machines.
     
    however i can only get the redirection settings returned from both policies or neither.
     
    here is some example code:-

     Const FLAG_NO_GPO_FILTER = &H80000000
    Const FLAG_NO_CSE_INVOKE = &H40000000
    Const FLAG_ASSUME_SLOW_LINK = &H20000000
    Const FLAG_LOOPBACK_MERGE = &H10000000
    Const FLAG_LOOPBACK_REPLACE = &H08000000
    Const FLAG_ASSUME_USER_WQLFILTER_TRUE = &H04000000
    Const FLAG_ASSUME_COMP_WQLFILTER_TRUE = &H02000000

    un = "sussex\hatcherk"
    fil = Array("8F034F97-9326-41FF-9316-42B89B6D8E1B")
    ns = null

    Set locator = CreateObject("WbemScripting.SWbemLocator")
    Set connection = locator.ConnectServer(".", "root\rsop", null, null, null, null, 0, null)

    Set provider = connection.Get("RsopPlanningModeProvider")
    provider.RsopCreateSession 0, null, null, null, null, un, null, null, fil, null, ns, null, null
    Set rsopProv = locator.ConnectServer(strComputer, strNAMESPACE & "\User", null, null, Null, Null, 0 ,Null)

    Set colItems = rsopProv.ExecQuery("Select * From RSOP_FolderRedirectionPolicySetting")

    For Each objItem in colItems
    WScript.Echo "-" & objItem.Name
    wscript.echo "--" & objItem.ResultantPath
    Next

    provider.RsopDeleteSession strNAMESPACE, hResult

    if i run the above code the collection is empty.
     
    however is i use the FLAG_ASSUME_USER_WQLFILTER_TRUE option i get back two sets of folder redirection info.
     
    i have checked the ID matches the WMI filter but i cannot seem to get what i really need.
     
    i have exactly the same issue using GPMGMT.GPM in VB.net.
     
    is anyone able to see what i am doing wrong?
     
    thanks in advance

    Saturday, October 05, 2013 5:35 PM

Answers

  • Try posting you issue along with a link to this thread to both the GP forum and the Directory Services forum.  Someone in one of those forums will have either seen this or know where the documentation is wrong.


    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 8:57 PM

All replies

  • RSOP planning is only available on Domain Controllers. 


    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 6:39 PM
  • The following only exists on a DC.

    fil = Array("8F034F97-9326-41FF-9316-42B89B6D8E1B")

    This value is also not assigned:  strNAMESPACE


    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 6:48 PM
  • Thanks for your reply Yes I am running this script on a DC and it is working to display policy settings. It is simply that I cannot get it to accept the given policy wmi filter array that should specify which filters are assumed to be true Hope that makes sense
    Saturday, October 05, 2013 6:49 PM
  • Thanks again That is a typo on my part. I am actually passing the variable ns to the connectserver and rsopdeletesession methods Sorry for the confusion
    Saturday, October 05, 2013 6:52 PM
  • This is closer to what you are try8ng to do:

    Const FLAG_NO_GPO_FILTER = &H80000000
    ns=" \\.\Root\Rsop\8F034F97-9326-41FF-9316-42B89B6D8E1B"
    strDomainController="MyDC1"
    strComputer = "cn=xp1,ou=Desktops,dc=testdom,dc=com"
    
    Set objLocator = CreateObject("WbemScripting.SWbemLocator")
    Set objCon = objLocator.ConnectServer(strDomainController, "root\rsop", null, null, null, null, 0, null)
    Set objProvider = objCon.Get("RsopPlanningModeProvider")
    objProvider.RsopCreateSession  0, strComputer, Null, Null, Null, Null, Null, Null, Null, Null, ns, hr, ei
    
    Set colItems = objProvider.ExecQuery("Select * From RSOP_FolderRedirectionPolicySetting")
    
    For Each objItem in colItems
        WScript.Echo "-" & objItem.Name
        wscript.echo "--" & objItem.ResultantPath
    Next
    
    objProvider.RsopDeleteSession ns, hResult 
    


    ¯\_(ツ)_/¯


    • Edited by jrv Saturday, October 05, 2013 7:12 PM
    Saturday, October 05, 2013 7:12 PM
  • Thank you for the reply. Unfortunately I need to use rsop planning rather than rsop logging I am trying to simulate the policies applied to a given user. The functionality is available in GPMC.msc so I know it is possible and the documentation suggests it is but I cannot get it to work. The documentation is here:- http://msdn.microsoft.com/en-gb/library/windows/desktop/aa374837(v=vs.85).aspx Thanks
    Saturday, October 05, 2013 7:13 PM
  • Actually with either method I can query the GPOs but neither gives the folder redirection info.

    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 7:26 PM
  • Hi

    this is close to what i am trying but if i was to run that code i would not get any results back as the policies that contain the redirected folder information i am trying to capture both have a WMI filter applied.

    this code does not specify that the WMI filters should be assumed true using the following:-

    Const FLAG_ASSUME_USER_WQLFILTER_TRUE = &H04000000

    however i dont want to assume all filterd are true and want to specify that only one particular filter should be assumed true.

    that is what i am specifying in the userGPOfilters parameter but it doesnt seem to work:-

    void RsopCreateSession(
      [in]   uint32 flags,
      [in]   string computerName,
      [in]   string computerSOM,
      [in]   string computerSecurityGroups[],
      [in]   string computerGPOFilters[],
      [in]   string userName,
      [in]   string userSOM,
      [in]   string userSecurityGroups[],
      [in]   string userGPOFilters[],
      [in]   string site,
      [out]  string nameSpace,
      [out]  uint32 hResult,
      [out]  uint32 ExtendedInfo
    );

    thanks

    Saturday, October 05, 2013 7:26 PM
  • We have to query the users namespace.

    root\rsop\user\<user string sid>

    Remember that we need to use the planning provider to generate a plan for the user.  If you inspect the namespaces you will find a namespace for every user that has been accessed.

    Each of these will contain the planning results and the policy results.

    Like this:

    __GENUS          : 2
    __CLASS          : RSOP_FolderRedirectionPolicySetting
    __SUPERCLASS     : RSOP_PolicySetting
    __DYNASTY        : RSOP_PolicySetting
    __RELPATH        : RSOP_FolderRedirectionPolicySetting.id="{1777F761-68AD-4D8A-87BD-30B759FA33DD}",precedence=1
    __PROPERTY_COUNT : 16
    __DERIVATION     : {RSOP_PolicySetting}
    __SERVER         : WS702
    __NAMESPACE      : ROOT\rsop\user\S_1_5_21_19977766983_324323223_153608166_1137
    __PATH           : \\WS02\ROOT\rsop\user\S_1_5_21_1997746983_32432322_153608166_1137:RSOP_FolderRedirectionPolicySett
                       ing.id="{1777F761-68AD-4D8A-87BD-30B759FA33DD}",precedence=1
    creationTime     : 20130624002545.000000+000
    GPOID            : cn={CF7F2DA9-615B-4527-884C-3055FCAB01D1},cn=policies,cn=system,DC=KAHLNET,DC=local
    grantType        : False
    id               : {1777F761-68AB-4D8A-87BD-30B759FA33DD}
    installationType : 1
    moveType         : True
    name             : Favorites
    parentFolderId   :
    policyRemoval    : 2
    precedence       : 1
    redirectedPaths  : {\\SERVER1\Users\%USERNAME%\Favorites}
    redirectingGroup : s-1-1-0
    redirectionFlags : 4129
    resultantPath    : \\SERVER1\Users\cornacky\Favorites
    securityGroups   : {s-1-1-0}
    SOMID            : OU=Users,OU=MyBusiness,DC=DEMNET,DC=local
    PSComputerName   : WS02

    YOu can see the planning results here;


    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 7:50 PM
  • thanks for the reply.

    i am able to get planning results back.  it is the ability to only return results from policies that have a specified WMI filter that i cannot get working.

    in your example if you set a wmi filter on the GPO you should find that it does not get returned in policy planning.

    i want to specify that certain WMI filter should be assume as true to return the results.

    i hope i am making myself clear.

    thanks

    Saturday, October 05, 2013 7:56 PM
  • I will look at it later. I would have to set up a test policy with a filter or add a filter to an existing test policy.

    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 8:01 PM
  • Hi

    this is close to what i am trying but if i was to run that code i would not get any results back as the policies that contain the redirected folder information i am trying to capture both have a WMI filter applied.

    this code does not specify that the WMI filters should be assumed true using the following:-

    Const FLAG_ASSUME_USER_WQLFILTER_TRUE = &H04000000

    however i dont want to assume all filterd are true and want to specify that only one particular filter should be assumed true.

    that is what i am specifying in the userGPOfilters parameter but it doesnt seem to work:-

    void RsopCreateSession(
      [in]   uint32 flags,
      [in]   string computerName,
      [in]   string computerSOM,
      [in]   string computerSecurityGroups[],
      [in]   string computerGPOFilters[],
      [in]   string userName,
      [in]   string userSOM,
      [in]   string userSecurityGroups[],
      [in]   string userGPOFilters[],
      [in]   string site,
      [out]  string nameSpace,
      [out]  uint32 hResult,
      [out]  uint32 ExtendedInfo
    );

    thanks

    THis was what I was just getting ready to do.

    I am using PowerShell as it is easier.  I will then have to translate back to VBScript.  Are you sure your filter GUID is correct and that the filter actually works?

    A GUID should look like this: "{8F034F97-9326-41FF-9316-42B89B6D8E1B}"


    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 8:05 PM
  • yes i am passing in:-

    Array("8F034F97-9326-41FF-9316-42B89B6D8E1B")

    the parameter is an array of IDs to assume are true.

    i am pretty sure the ID is correct. i cant find any way of verifying the ID through the GPMC GUI but used some other code to retrieve it by WMIFilter name.

    the filter works correctly and is applied as expected depending on the OS the user logs in as.

    thanks for your time and effort on this.

    i hope you can recreate the issue i am seeing.


    Saturday, October 05, 2013 8:13 PM
  • Here is an example of a filter:

    instance of MSFT_SomFilter{	
        ChangeDate = "20051206225516.406000-000";
        CreationDate = "20051206225516.406000-000";
        Domain = "KAHLNET.local";	
        ID = "{A0F0F9AB-9C2F-4504-BBE4-5923E25CB539}";
        Name = "PostSP2";
        Rules = {
            instance of MSFT_Rule{
            	Query = "Select * from WIN32_OperatingSystem where ServicePackMajorVersion>=2 and Version='5.1.2600'";
            	QueryLanguage = "WQL";
            	TargetNameSpace = "root\\CIMV2";
            }
        };
    };
    
    

    Notice that the ID is a full GUID:

        ID = "{A0F0F9AB-9C2F-4504-BBE4-5923E25CB539}";


    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 8:15 PM
  • yes i am passing in:-

    Array("8F034F97-9326-41FF-9316-42B89B6D8E1B")

    the parameter is an array of IDs to assume are true.

    i am pretty sure the ID is correct. i cant find any way of verifying the ID through the GPMC GUI but used some other code to retrieve it by WMIFilter name.

    the filter works correctly and is applied as expected depending on the OS the user logs in as.

    thanks for your time and effort on this.

    i hope you can recreate the issue i am seeing.


    That is not a GUID

    Try this:

    Array("{8F034F97-9326-41FF-9316-42B89B6D8E1B}")

    That is a GUID represented as a string. In most cases the  {} are required.


    ¯\_(ツ)_/¯


    • Edited by jrv Saturday, October 05, 2013 8:18 PM
    Saturday, October 05, 2013 8:17 PM
  • sorry, i really should check before i post.

    i have tried with curly braces also but still no joy.

    i tried without to see if this would work and forgot to change my code back.

    many thanks

    Saturday, October 05, 2013 8:20 PM
  • So you are saying that the script works fine until you include the filter?


    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 8:38 PM
  • the script doesnt error whether i specify a filter or not.

    however if i dont have FLAG_ASSUME_USER_WQLFILTER_TRUE set then i get no redirection info returned whether or not i provide a value for userGPOFilters

    if i do set FLAG_ASSUME_USER_WQLFILTER_TRUE then i get both redirected folder policy settings returned with a difference precedence as you would expect.

    thank you

    Saturday, October 05, 2013 8:42 PM
  • Have you checked the contents of the two last arguments of the session call.
    hResult [out]

    An HRESULT that indicates the success or failure of the method. If the method succeeds, the return value is S_OK. Otherwise, the method returns one of the COM error codes defined in the Platform SDK header file WinError.h.

    ExtendedInfo [out]

    Currently, this parameter can have one of the following values.

    Value

    Meaning

    RSOP_USER_ACCESS_DENIED

    User   RSoP data is not available to the user.

    RSOP_COMPUTER_ACCESS_DENIED

    Computer   RSoP data is not available to the user.


    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 8:45 PM
  • yes both return 0 whether i am trying to specify a filter or not.

    thanks

    Saturday, October 05, 2013 8:52 PM
  • Try posting you issue along with a link to this thread to both the GP forum and the Directory Services forum.  Someone in one of those forums will have either seen this or know where the documentation is wrong.


    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 8:57 PM
  • i will give that a try

    i really appreciate all your time and help with this.

    thank you very much

    Saturday, October 05, 2013 9:05 PM
  • No prob.  Later I ill try to set up a policy with a filter and track down what may be happening unless it is a bug.

    ¯\_(ツ)_/¯

    Saturday, October 05, 2013 9:23 PM
  • Const FLAG_ASSUME_USER_WQLFILTER_TRUE = &H04000000

    It's poorly documented, but to my understanding, specifying this flag means the same as "all WMI filters are true" in the GPMC GUI interface.

    If you do NOT set this flag, only filters that you pass in are considered true. And GUIDs are usually enclosed in curly braces, so you might try

    fil = Array("{8F034F97-9326-41FF-9316-42B89B6D8E1B}")


    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    Restore the forum design - my user defined Cascading Style Sheet!

    Sunday, October 06, 2013 11:49 AM
  • Hi

    thanks for your reply.

    what you say is correct, i get all policies returned when i specify

    Const FLAG_ASSUME_USER_WQLFILTER_TRUE = &H04000000

    but as said i only want to assume one particular filter is true.

    i have specified the ID with and without the {}  but i still get no policies returned.

    thanks

    Sunday, October 06, 2013 12:45 PM
  • Hi

    thanks for your reply.

    what you say is correct, i get all policies returned when i specify

    Const FLAG_ASSUME_USER_WQLFILTER_TRUE = &H04000000

    but as said i only want to assume one particular filter is true.

    i have specified the ID with and without the {}  but i still get no policies returned.

    thanks

    If we look at the planning mode server request definition it appears to say that filters passed in are the only ones evaluated.  This would match with the wizards layout.  I suspect that something is amiss if we pass in a filter ID and a query that returned results now returns NONE.  The filter is assumed true but appears to act lack it is presumed false.

    Assuming the filter actually works.  Why does the call not work?  What are we missing or is it a bug?

    Martin - I like the wheels.  Nice job.


    ¯\_(ツ)_/¯


    • Edited by jrv Sunday, October 06, 2013 2:37 PM
    Sunday, October 06, 2013 2:37 PM
  • Thanks jrv - I enjoy from day to day ;-)

    BTT: provider.RsopCreateSession 0, null, null, null, null, un, null, null, fil, null, ns, null, null

    This translates to

    provider.RsopCreateSession flags=0, cname=null, csom=null, cgroups=null, cfilters=null, uname=un, usom=null, ugroups=null, ufilters=fil, site=null, namespace=ns, hresult=null, extinfo=null

    Since hresult and extinfo both return 0, the call itself seems to be correct and working. But we lack any information whether

    fil = Array("{8F034F97-9326-41FF-9316-42B89B6D8E1B}")

    is the correct format for the filters to pass in. And of course, I've never used this provider myself - I'm stuck to the GPMC scripting interface which is quite easy to use. Or Powershell CMDlets...



    Martin

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

    Restore the forum design - my user defined Cascading Style Sheet!

    Friday, October 18, 2013 12:28 PM
  • But it still fails.

    ¯\_(ツ)_/¯

    Friday, October 18, 2013 2:40 PM
  • Hi Martin,

    you mention that you use the GPMC scripting interface.  strangely i was using this originally but got exactly the same issue in that i cant seem to provide a list of WMI filters to assume true.

    if you have any examples of this working using the GPMC interface then that would be great as i will happily use that.

    this is for a vb.net project so WMI or GPMC API works equally well for me.

    many thanks

    Friday, October 18, 2013 5:27 PM
  • Hi Martin,

    i wonder if you are able to provide any code you have successfully used (either GPMC interface or Powershell) to apply only specific WMIfilters as this may help me with what i am trying to achieve.

    thanks in advance

    Monday, November 11, 2013 1:12 PM