Security Filtering vs WMI Filtering

    Question

  • Hi all,

    Could anyone tell me whether when both WMI filtering and Security filtering are applied on the same GPO, one will override the other?  We have both applied on one, but are getting some odd results.

    Thanks,

    Dean

    Tuesday, December 15, 2015 4:18 PM


All replies

  • Dear friend 

    WMI Filtering is always the last step in determining to whom the policy is applied, which means that WMI Filtering always overrides Security Filtering.

    Let me make it clear with an example:

    • You create a policy and then you use Security Filtering to determine that the policy is applied to a group called "MainGroup".
    • Then you create a new WMI Filter so that the policy is applied only to the security principals inside "MainGroup" for which the WMI filter evaluates to TRUE.

    I hope this helped; please mark my reply as answer if it helped you.

    Regards

    Tuesday, December 15, 2015 6:14 PM
  • You can have both security filtering and WMI filtering.  You would configure the security permissions to determine who can read the GPO.  If an object cannot read the GPO, it wouldn't matter what you have for a WMI filter because the GPO simply cannot be applied. So as long as an object can read the GPO, it will then read the WMI filter to determine whether or not to apply the GPO.  So security filtering determines who can read the GPO and WMI filtering determines whether or not the GPO should be applied.
    • Marked as answer by Dean McGinnes Wednesday, December 16, 2015 1:03 PM
    Tuesday, December 15, 2015 6:29 PM
  • Hi,
     
    On 15.12.2015 at 17:18, DeanoMcG wrote:
    > Could anyone tell me whether when both WMI filtering and Security
    > filtering are applied on the same GPO, one will override the other?
     
    Without the permission "apply" you will never get any GPO.
    The security filter is the 2nd filter in the row. The first one is the SOM
    (scope of management, the OU/Domain link).
     
    If an object has "apply" rights on the GPO, it can be filtered a 3rd time
    by WMI. WMI must always be TRUE to apply the GPO.
     
    e.g.
    You have clients with 7 and 8.1, and all objects are "authenticated users",
    which is in fact a security filter; you can query the OS with WMI to
    apply settings within this group only to the 7 clients
    (or NOT the 7 clients, or the 8.1 clients, or NOT the 8.1 clients ...)
     
    Depending on your
    "select * from whatever where something is or is not somevalue"
     
    Mark
    --
    Mark Heitbrink - MVP Windows Server - Group Policy
     
    GPO Tool: http://www.reg2xml.com - Registry Export File Converter
     
    Tuesday, December 15, 2015 7:03 PM
  • >when both WMI filtering and Security filtering are applied on the same GPO, one will override the other?
     
    In short, you can have both applied on the same GPO.
     
    Security Filtering is simply tweaking permissions on the Group Policy Object for a subset of targets
    (targets = users and computers in the scope of a policy).
     
    WMI filtering is used to apply GPOs based on certain properties of the target computer. It runs prior to executing the GPO in question. If the filter evaluates to “TRUE”, the GPO is applied, otherwise it is ignored.
     
    >We have both applied on one, but are getting some odd results.
     
    Try to share more details about your configuration, maybe we can help with the troubleshooting.
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Wednesday, December 16, 2015 6:59 AM
    Moderator
  • Hi all,

    Thank you for your responses, it has been helpful.

    I will provide some more specific information as to why the question was raised:

    We have a GPO that is applied to all devices and contains a USER setting to disable the screensaver and a COMPUTER setting to enable loopback.

    We set up security filtering so that all authenticated users can read the user setting, and that only those computers within the No-ScreenSaver group would be able to read the computer setting.

    All appeared to be working fine for a week or so, but then we noticed that no computers were getting a screensaver. When checking the policy results, it appears that they are applying the loopback setting so any user logging in would be applying the no screensaver setting.

    The only thing that has changed recently is that the WMI filtering on that policy has been set to:

    select * from Win32_OperatingSystem where (Version like "6.1%" or Version like "6.2%" or Version like "6.3%") and ProductType = "1"

    My initial assumption had been that the new WMI filtering setting had been the culprit, but after reading the helpful responses, I am now doubting that.

    Thanks,

    Dean


    Wednesday, December 16, 2015 9:43 AM
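    As an added example (not part of Dean's post or any reply in this thread), the PowerShell below walks the three stages Mark described in reverse order on the machine it runs on: it evaluates the exact WQL filter Dean posted against the local OS, lists which trustees hold Read and Apply on the GPO (this is where "Authenticated Users" silently includes computer accounts), and reads the GPO's links (the SOM) from its XML report. The GPO name is a placeholder; the GroupPolicy RSAT module is assumed to be installed.

```powershell
# Added example, not from the thread. Requires the GroupPolicy (RSAT) module.
$gpoName = 'NoScreenSaver-Policy'   # placeholder, assumed name; replace with the real GPO name

# The WQL filter from Dean's post. Version 6.1 = Windows 7 / 2008 R2, 6.2 = Windows 8 / 2012,
# 6.3 = Windows 8.1 / 2012 R2; ProductType 1 = workstation (2 = domain controller, 3 = server).
$wql = 'select * from Win32_OperatingSystem where (Version like "6.1%" or Version like "6.2%" or Version like "6.3%") and ProductType = "1"'

function Test-GpoWmiFilter {
    # A GPO WMI filter passes only when the query returns at least one instance,
    # which is what Group Policy does before applying a filtered GPO.
    param([Parameter(Mandatory)][string]$Query)
    $null -ne (Get-CimInstance -Query $Query -ErrorAction Stop)
}

function Get-GpoReadApplyTrustees {
    # Lists trustees holding Read or Apply on the GPO. An object that lacks Read never
    # evaluates the WMI filter at all; an object with Apply still needs WMI = TRUE.
    param([Parameter(Mandatory)][string]$Name)
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -in 'GpoRead', 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

function Get-GpoLinks {
    # Stage 1, the SOM: where the GPO is linked, taken from the GPO's XML report.
    param([Parameter(Mandatory)][string]$Name)
    $report = [xml](Get-GPOReport -Name $Name -ReportType Xml)
    $report.GPO.LinksTo | Select-Object SOMName, SOMPath, Enabled
}

# Stage 3 (WMI): what this host reports and whether it satisfies the filter.
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, ProductType
"WMI filter passes on this host: $(Test-GpoWmiFilter -Query $wql)"

# Stage 2 (security filtering): who can read and apply the GPO.
# If 'NT AUTHORITY\Authenticated Users' appears with GpoApply, computer accounts are in scope too.
Get-GpoReadApplyTrustees -Name $gpoName | Format-Table -AutoSize

# Stage 1 (SOM): the OU/domain links.
Get-GpoLinks -Name $gpoName | Format-Table -AutoSize
```

    Run it on one of the workstations that unexpectedly lost its screensaver: if the WMI test prints True and "Authenticated Users" holds GpoApply, the computer side of the GPO (including the loopback setting) is in scope for that machine, which matches what Dean later worked out.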
  • I think I may have answered my own question.

    I mistakenly assumed that the "Authenticated Users" group contained just user accounts, which it doesn't.  It contains both user and computer accounts.

    So, with the above now reverberating loudly in my mind, if I change the Authenticated Users to Domain Users (for example) I should get the result I am hoping for.

    ....this doesn't explain why it appeared to be working fine for a week or so with Authenticated Users in the Security Filtering, but that is not something for this forum.

    • Marked as answer by Dean McGinnes Wednesday, December 16, 2015 1:03 PM
    Wednesday, December 16, 2015 10:15 AM
  • > that no computers were getting a screensaver. When checking the policy
    > results, it appears that they are applying the loopback setting so any
    > user logging in would be applying the no screensaver setting.
     
    As you already discovered on your own: Auth Users is "each and every
    account that has authenticated in the current forest and each of its
    trusted forests" - this obviously includes computer accounts :)
     
    To help with your challenge:
     
     
    The second post contains useful info about how to deploy different
    settings for users on different computers - even without using loopback.
     
    • Marked as answer by Dean McGinnes Wednesday, December 16, 2015 1:03 PM
    Wednesday, December 16, 2015 11:54 AM
  • It was the "users" part of "Authenticated Users" that was throwing me.  Would have thought "Authenticated Accounts" would have been a slightly better name, but that's probably me just being a bit OCD with naming conventions...

    Thanks for the links, good info on them.

    Wednesday, December 16, 2015 12:59 PM
  • > It was the "users" part of "Authenticated Users" that was throwing me.
     
    In terms of AD class hierarchy, a user is an object of class top -
    person - organizational person - user and objectCategory = User.
    A computer is an object of class top - person - organizational person -
    user - computer and ObjectCategory = computer.
     
    So from a technical perspective, both are users and persons, with
    computers being an extended subclass of "normal users" (having some more
    attributes). Funny enough that computers feature attributes like postal
    address or web page :-)
     
    Wednesday, December 16, 2015 3:53 PM
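    As an added example (not from the thread), the following PowerShell shows Mark's point directly: it reads the full objectClass chain and objectCategory of a computer account with an LDAP search, and resolves the well-known SID S-1-5-11 to confirm it is "Authenticated Users". The computer name is a placeholder; it uses System.DirectoryServices, so no RSAT module is required, only domain connectivity.

```powershell
# Added example, not from the thread. The computer name below is a placeholder.
$computerName = 'WKS01'   # placeholder, assumed name

function Get-AdComputerClassChain {
    # Returns every objectClass value of a computer account plus its objectCategory.
    # Computer accounts carry the sAMAccountName with a trailing '$'.
    param([Parameter(Mandatory)][string]$ComputerName)
    $searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('objectClass', 'objectCategory'))
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Computer account '$ComputerName' not found in this domain" }
    [pscustomobject]@{
        Name           = $ComputerName
        # Expected chain: top, person, organizationalPerson, user, computer
        ObjectClass    = @($result.Properties['objectclass'])
        # Expected: CN=Computer,CN=Schema,CN=Configuration,<forest DN>
        ObjectCategory = [string]$result.Properties['objectcategory'][0]
    }
}

function Get-AuthenticatedUsersName {
    # S-1-5-11 is the well-known SID that Windows places in the token of every
    # authenticated principal, user or computer; it is not a group you can enumerate in AD.
    $sid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
    $sid.Translate([System.Security.Principal.NTAccount]).Value   # NT AUTHORITY\Authenticated Users
}

Get-AdComputerClassChain -ComputerName $computerName | Format-List
Get-AuthenticatedUsersName
```

    Because the chain contains "user", an LDAP filter of (objectClass=user) matches computers as well; when a filter or a security principal is meant to cover people only, objectCategory=person (or a group such as Domain Users, as Dean proposed) is the distinguishing test.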