locked
WMI Filtering on group membership RRS feed

  • Question

  • I'm stuck at this: how do you WQL for group membership? Sg like, is computer member of the security group 1st-floor-computers? Win32_GroupUser didn't work for me or maybe I just used it incorrectly: 

    SELECT * FROM Win32_GroupUser WHERE GroupComponent="Win32_Group.Domain=\"DOMAIN\", Name=\"1st-floor-computers\""

    Many Thanks, Jan

    Saturday, October 15, 2011 8:54 PM

Answers

All replies

  • We don't use WMI for filtering in Group Policy. Just use the group directly.

    Remove 'AuthenticatedUsers' and add one or more groups.  'AuthenticatedUsers' is a hidden group that contains all users that have logged in successfully. This the default filter.  Removing it denies access to all until you add one or more accounts or groups.

    We use WMI filtering to specify elements of a computer or other session object on the remote system.

     Here is an example:

    Root\CimV2; Select * from Win32_OperatingSystem where Caption = "Microsoft Windows 2000 Advanced Server" OR Caption = "Microsoft Windows 2000 Server"

    Note that this query is about teh remote machines OS and hardware and says only apply this GPO when this condition is true.

    http://technet.microsoft.com/en-us/library/cc781936(WS.10).aspx


    jv

    • Edited by jrv Saturday, October 15, 2011 9:09 PM
    Saturday, October 15, 2011 9:06 PM
  • First question... why would you use WMI Filter for groups? If that is for GPO - why not use group membership directly?

    Saturday, October 15, 2011 9:07 PM
  • First question... why would you use WMI Filter for groups? If that is for GPO - why not use group membership directly?


    Bartek - Great minds think alike....  Does this mean I too amd great?

    This is the third time we hav ehad almost identical posts.  Are you spying on me? ;)

     


    jv
    Saturday, October 15, 2011 9:11 PM
  • Of course I'm not spying on you!
    But don't look into the closet... please? ;)

    More seriously - I guess that's just the first question that comes to mind...
    WMI filters are great, but...

    Saturday, October 15, 2011 9:21 PM
  • jrv,

    I have user policies to be applied but on a group of computers only. Like install 1st-floor-printer when user logon to a 1st-floor-computers or apply office-2010-settings for computers-with-office2010. These are filtered on computer accounts but the settings are in the user policy hive. AuthenticatedUsers is necessary, so adding a computer group does not filter anything further, no computers will be filtered out. WMI runs before security filtering, I thought... but yeah, maybe I'm wrong. So how can you achieve this?

    Saturday, October 15, 2011 10:07 PM
  • You cannot do this with WMI filtering.

    Remove 'authenticated users' add 'Domain Users' and the Group containing the computers that you want this to apply to.  Normally we put out computers in a differetn OU from the users and other objects.  This imakes it eeasier to manage computer only policy.  We know that any reference to a policuyy link will on;ly apply settings from the computer section of teh policy and it will only apply to computers.  We can link policies and remove the default filter and add a group with computers we want thhis to apply to.  Mixiontg computers and users in teh same OU will ultimately lead to a very hard to manage system using Group Policy.

    Spend some time reading about WMI filtering and Group Policy security filtering to understand how this works.

    You also need to understand that this is NOT a scripting question.  It is a Group Policy question. You might find more info in the Group Policy Forum

    http://social.technet.microsoft.com/Forums/en/winserverGP/threads

    You will also find that you will be able to learn quite a bit about Group Policy by reading the topics in that forum.

     

     


    jv
    Saturday, October 15, 2011 10:33 PM
  • This article describes how to filter on security group membership:

    http://technet.microsoft.com/en-us/library/cc786636(WS.10).aspx

    However, policies applied to users can only filter on user group membership, and policies applied to computers can only filter on computer group membership.

    You may need to ask your question in the Group Policy forum:

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/threads

     


    Richard Mueller - MVP Directory Services
    Saturday, October 15, 2011 10:42 PM
  • jvr,

    authenticatedusers or domain users in this case is just the same. Adding a computer group will have no effect. I've tried that.

    Could you have a look at this WQL? It works on the command line but not as a Gp WMI filter.

    SELECT * FROM Win32_GroupUser WHERE (GroupComponent="Win32_Group.Domain='DOMAIN',Name='ComputerGroup'" and PartComponent="Win32_UserAccount.Domain='DOMAIN',Name=\"%COMPUTERNAME%$\"")

    On the command line (wmic path) I get the group and partcomponent back correctly. But the gpresult says Denied. Any idea?

    Sunday, October 16, 2011 12:06 AM
  • jvr,

    authenticatedusers or domain users in this case is just the same. Adding a computer group will have no effect. I've tried that.

    Could you have a look at this WQL? It works on the command line but not as a Gp WMI filter.

    SELECT * FROM Win32_GroupUser WHERE (GroupComponent="Win32_Group.Domain='DOMAIN',Name='ComputerGroup'" and PartComponent="Win32_UserAccount.Domain='DOMAIN',Name=\"%COMPUTERNAME%$\"")

    On the command line (wmic path) I get the group and partcomponent back correctly. But the gpresult says Denied. Any idea?


    We have all trid to tell yopu that what you are trying to do is wrong and it cannot be made to work.

    Domain Users is not Authenticated user.  Authenticated users includes all types of accounts.  Domain users does not.

    If you are having trouble with getting group policy to work please post this in the Group Policy Forum.  They will explain it to you.

    You must move you computers to a separate OU and things will get much easier.

     


    jv
    Sunday, October 16, 2011 12:12 AM
  • Richard, jvr,

    I did start a thread earlier in the GP forum http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/e3c7a206-a219-4e03-b927-932f0d21c04c 

    Will continue there. Thanks.

    Jan

     

    Sunday, October 16, 2011 12:16 AM
  • Richard, jvr,

    I did start a thread earlier in the GP forum http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/e3c7a206-a219-4e03-b927-932f0d21c04c 

    Will continue there. Thanks.

    Jan

     


    Sorry but it is just not a scripting issue.  You just can't do that kind of filtering with WMI and you don't see to want to believe everyone here.  The GP guys will help you out.

    Even if qwhat you were trying to do you would sitll include all other computers if you still have 'AuthenticatedUsers' included.

     

     


    jv
    • Marked as answer by u.jan Sunday, October 16, 2011 1:02 AM
    Sunday, October 16, 2011 12:25 AM
  • Richard, jvr,

    I did start a thread earlier in the GP forum http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/e3c7a206-a219-4e03-b927-932f0d21c04c 

    Will continue there. Thanks.

    Jan

     


    The user int he GP forum answerered your question slightly differently by saying not to worry about policies for Office 2010 on machines where is is not installed.  This is also correct advice.

     


    jv
    Sunday, October 16, 2011 12:32 AM
  • I'll chime in here since I am having a similar problem.

    (I refuse to spend any longer pondering why WQL works for some queries but not others. It's like beating your head with a stick.)

    I Need to set a different screen saver policy for certain machines.

    Those machines are in a group.

    I'm using loopback, yes.

    Security filtering (allowing "apply" only to members of that group) will not work because screen-saver is a _User_ policy, and the group contains only computers.

    Stuck. WMI filtering would be the only logical answer; creating more OUs just for those computers is a really messy approach (too many OUs, too many links, etc.)


    Wednesday, October 29, 2014 5:51 PM
  • I'll chime in here since I am having a similar problem.

    (I refuse to spend any longer pondering why WQL works for some queries but not others. It's like beating your head with a stick.)

    I Need to set a different screen saver policy for certain machines.

    Those machines are in a group.

    I'm using loopback, yes.

    Security filtering (allowing "apply" only to members of that group) will not work because screen-saver is a _User_ policy, and the group contains only computers.

    Stuck. WMI filtering would be the only logical answer; creating more OUs just for those computers is a really messy approach (too many OUs, too many links, etc.)


    Sorry but you are posting to a thread that is over a half century closed.  Do you also visit the graveyard regularly or is this just because it is Halloween.

    You issue is about Group Policy. Post your question in the GP forum.  This is a scripting forum and we do not field GP specific question.  If you have a scripting question please start a new topic and describe you issue, any errros and post a simplified copy of your script.

    Thank you and good luck.  Watch out fo the red licorice.  It is terrible on fillings.


    ¯\_(ツ)_/¯

    Wednesday, October 29, 2014 8:08 PM
  • Three years is half a century???

    I was following up on an existing thread; sorry if you don't think "WQL" is "scripting". 

    I guess not, strictly, but is there a WMI forum?

    Wednesday, October 29, 2014 9:05 PM
  • Three years is half a century???

    I was following up on an existing thread; sorry if you don't think "WQL" is "scripting". 

    I guess not, strictly, but is there a WMI forum?

    C'mon kids. The post is older than you are.  2011 - 2015 almost half a decade. Yeah... I guess century was pushing it.

    WQL is a support extension for a product.  The package you are using is GP.  You need to post in the GP forum first.

    I can tell by the vagueness of your question that you have not sorted out how either of these work.  Start with the GP folks.  They will get you going in the right direction.

    https://social.technet.microsoft.com/Forums/en-US/winserverGP/threads

    As for WQL you can ask a WQL specific question in the management forums and here toot but you must start you own thread with an example of a simplified script.

    In GP the WQL must return something or nothing to work.

    Assume that the results selects for a single condition that produses a result like;

    select * from win32_bios WHERE Manufacturer like '%AMI%'

    This would have a result if it found anything and no result if the answer was not found.

    Nothing flakey about it.  It is you humans who are flakey.


    ¯\_(ツ)_/¯

    Wednesday, October 29, 2014 9:20 PM
  • I predict that this thread will haunt you forever.

    (I can tell by the vagueness of your answer that you can't show us a working NEGATED WQL query...that'll keep you quiet until November!)

    Wednesday, October 29, 2014 9:59 PM
  • Hi buffer overflow 0xG, if you still have questions, please start a new thread with your question, and please post a short script that follows the short, self-contained, correct example principle. This thread is already marked answered.

    -- Bill Stewart [Bill_Stewart]

    Wednesday, October 29, 2014 10:10 PM
  • I predict that this thread will haunt you forever.

    (I can tell by the vagueness of your answer that you can't show us a working NEGATED WQL query...that'll keep you quiet until November!)

    Which is why I pointed you at the GP forum.  They will help you to understand how to use WMI filters where applicable and help you to understand what is possible.

    Negative wqueries are not and have never been supported in WQL.  A WMI query returns stuff. It is not a Boolean.  Filters assume a return is a validation.  It is up the the engineer to know how to use this.

    Now go back the last century and reread the instructions on the box.


    ¯\_(ツ)_/¯

    Wednesday, October 29, 2014 10:38 PM