WMI Filter for Group Policy to look at the IP address

    Question

  • Hi, we have a situation where I need a WMI filter to look to see whether the IP address of the device falls into a range in the filter. If it does, then the group policy will not apply. If it doesn't, then the GP will apply. This is an overall policy to catch all devices.

    Another GP will apply at a sites and services level with the correct settings for that site.

    The query I have written is:

    Select * From Win32_IP4RouteTable Where Name Like "192.168.44.%" OR Name Like "192.168.87.%"

    I know this doesn't have a NOT, but every time I add it, it doesn't work. This is how I wrote it:

    Select * From Win32_IP4RouteTable Where Name Not Like "192.168.44.%" OR Name Not Like "192.168.87.%"

    I'm using the WMI Tester, if this helps.

    I hope this makes sense and someone can help.

    Cheers

    Steve

    • Moved by Bill_Stewart Tuesday, March 22, 2016 4:28 PM Move to more appropriate forum
    Tuesday, March 22, 2016 4:27 PM

Answers

  • > Select * From Win32_IP4RouteTable Where Name Not Like "192.168.44.%" OR
    > Name Not Like "192.168.87.%"
     
    In your query, the filter will be true as soon as the device has any
    entry in its route table with a differing name. Since we ALWAYS have
    0.0.0.0 and 255.255.255.255 and 224.0.0.0, this filter will always be true.
     
    This is the same problem as described here:
     
    You cannot invert WMI filters to return TRUE if ONE element of multiple
    elements matches.
     
    • Marked as answer by TheWookie5375 Wednesday, March 30, 2016 12:51 PM
    Thursday, March 24, 2016 3:38 PM
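The point above, that a Group Policy WMI filter is TRUE whenever the query returns at least one instance, so a per-row `Not Like` can never exclude a subnet, can be checked on any domain-joined machine. The following PowerShell script is an added example, not code from the thread or from any of its participants; the `Test-WmiFilter` helper is mine, and the two subnets are the ones used as examples in the question.

```powershell
# Added example (not from the thread): shows how a Group Policy WMI filter
# evaluates a WQL query and why "Name Not Like" cannot exclude subnets.
# Group Policy treats a WMI filter as TRUE when the query returns >= 1 instance.

function Test-WmiFilter {
    param([Parameter(Mandatory)][string]$Query)
    # Same decision rule Group Policy applies: any returned instance => filter TRUE
    $rows = @(Get-CimInstance -Namespace 'root\cimv2' -Query $Query -ErrorAction Stop)
    [pscustomobject]@{
        Query        = $Query
        Rows         = $rows.Count
        FilterResult = ($rows.Count -gt 0)
    }
}

# The two queries from the question (192.168.44.0/24 and 192.168.87.0/24 are the
# thread's example sites; substitute your own ranges).
$positive = 'Select * From Win32_IP4RouteTable Where Name Like "192.168.44.%" OR Name Like "192.168.87.%"'
$negative = 'Select * From Win32_IP4RouteTable Where Name Not Like "192.168.44.%" OR Name Not Like "192.168.87.%"'

Test-WmiFilter $positive   # TRUE only on a host that has a route for one of the two subnets
Test-WmiFilter $negative   # TRUE everywhere: 0.0.0.0, 224.0.0.0 and 255.255.255.255 routes always exist

# Show the rows that make the negated query succeed regardless of the site
Get-CimInstance -Query 'Select Name, Destination, Mask, NextHop From Win32_IP4RouteTable' |
    Where-Object { $_.Name -notlike '192.168.44.*' -and $_.Name -notlike '192.168.87.*' } |
    Select-Object Name, Destination, Mask, NextHop |
    Format-Table -AutoSize

# What the question actually needs is NOT(any row matches), i.e. negation of the whole
# result set. WQL cannot express that, but outside Group Policy it is a one-liner:
$inExcludedSite = (Test-WmiFilter $positive).FilterResult
"Device is in an excluded site: $inExcludedSite -> automatic-config GPO should apply: $(-not $inExcludedSite)"
```

Run it once on a machine inside one of the excluded subnets and once on a machine outside them: the negated query reports `FilterResult = True` in both cases, which is exactly why the GPO kept applying.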
  • > another thought, can I query the registry to look for a value using WMI?
     
    Only if you extend WMI with custom MOF files.
     
    My suggestion: Use Group Policy Preferences Environment to create a
    defined environment variable with defined values. Use Item Level
    Targeting for your needs, here you can query registry, query AD, query
    WMI and and and... The fine thing is: In WMI queries, you can invert the
    overall result.
     
    Then in your GPO simply use a WMI filter for the name and value of this
    environment variable.
     
     
    If the GPP creates the environment variable in a computer GPO and the
    WMI filter belongs to a user GPO, this will work from the beginning.
     
    If both are computer GPOs, it will work upon second boot.
     
    • Marked as answer by TheWookie5375 Wednesday, March 30, 2016 12:50 PM
    Thursday, March 24, 2016 3:43 PM
  • Hi Martin,

    OK, this is what I've done, but I must be missing something, as when using the WBEMTEST tool nothing seems to return.

    I've created a GPP to create an environment variable that looks in the registry:

    Action: Update

    Name: System Variable SkypeManSites

    Value: 1

    and set the Item-Level Targeting to look for one of the sites we don't want the policy to apply to:

    HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters\DynamicSiteName does not exist or does not have the same value data containing "Site-A"

    now when I run this query using the wbemtest:

    select * from win32_environment where name="SkypeManSites" and variablevalue="1"

    I get nothing back, even if I change it to 0?

    Any ideas? Sorry if I'm being a pain and missing something silly.

    Cheers

    • Marked as answer by TheWookie5375 Wednesday, March 30, 2016 12:51 PM
    Tuesday, March 29, 2016 12:38 PM
  • > select * from win32_environment where name="SkypeManSites" and
    > variablevalue="1"
    >
    > I get nothing back, even if I change it to 0?
     
    It _should_ work. Would you check
    "wmic environment"
    output for your variable?
     
    • Marked as answer by TheWookie5375 Wednesday, March 30, 2016 12:51 PM
    Tuesday, March 29, 2016 4:16 PM
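To troubleshoot the environment-variable approach end to end (the Item-Level Targeting input, the value the GPP item wrote, and what the GPO's WMI filter will actually see), the following PowerShell script is an added example rather than anything posted in the thread. It uses the names from the thread (`SkypeManSites`, `DynamicSiteName`) and assumes the GPP item creates a System variable, which Windows stores under the `Session Manager\Environment` key that `Win32_Environment` reports from.

```powershell
# Added example (not from the thread): checks each stage of the GPP environment
# variable + WMI filter approach on the local machine.
# Assumption: the GPP Environment item is a System variable, so it is written to the
# HKLM Session Manager Environment key, which is what Win32_Environment exposes.

$VarName = 'SkypeManSites'
$SiteKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$EnvKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

# 1. The value the Item-Level Targeting registry match is evaluated against
$site = (Get-ItemProperty -Path $SiteKey -Name DynamicSiteName -ErrorAction SilentlyContinue).DynamicSiteName
"AD site (DynamicSiteName): $(if ($site) { $site } else { '<not set>' })"

# 2. Did the GPP item write the variable yet?
$reg = (Get-ItemProperty -Path $EnvKey -Name $VarName -ErrorAction SilentlyContinue).$VarName
"Registry value of $VarName : $(if ($null -ne $reg) { $reg } else { '<absent - GPP has not applied yet>' })"

# 3. Exactly the query the GPO's WMI filter runs, evaluated the way Group Policy does
$filterQuery = "Select * From Win32_Environment Where Name = '$VarName' And VariableValue = '1'"
$rows = @(Get-CimInstance -Query $filterQuery)
"WMI filter query returns $($rows.Count) row(s) -> filter result: $($rows.Count -gt 0)"

# Same information as the 'wmic environment' check suggested above
Get-CimInstance -ClassName Win32_Environment |
    Where-Object Name -eq $VarName |
    Select-Object Name, VariableValue, SystemVariable, UserName

# Ordering caveat from the thread: when both the GPP item and the WMI-filtered GPO are
# computer policies, the filter is evaluated before the GPP has written the value, so
# the first processing cycle after linking sees 0 rows and the filter only succeeds on
# the next boot.
if ($null -eq $reg -and $rows.Count -eq 0) {
    'Variable not present yet: run gpupdate /force (or reboot) and check again.'
}
```

Step 1 shows which branch of the Item-Level Targeting condition should have fired, step 2 shows whether the preference item actually ran, and step 3 reproduces the filter decision, so a machine that returns nothing in wbemtest can be narrowed down to "GPP never applied" versus "wrong value" in one run.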

All replies

  • Select * From Win32_IP4RouteTable Where Not Name Like "192.168.44.%" OR Not Name Like "192.168.87.%"

    This will still not likely work.


    \_(ツ)_/


    • Edited by jrv Tuesday, March 22, 2016 9:41 PM
    Tuesday, March 22, 2016 9:41 PM
  • This might work:

     Select * From Win32_IP4RouteTable Where Destination = "10.0.0.0"

    Where 10.0.0.0 is the address of the subnet gateway.  This will be unique for each subnet.  If it is a destination then it must be the gateway.  "Name" will not be reliable because other addresses can get into the table from dynamic connections.


    \_(ツ)_/

    Tuesday, March 22, 2016 9:47 PM
  • Hi Jrv,

    Thanks for your reply. One thing I forgot to mention was that the two IP ranges I listed in the example were two different sites, one in the UK and one in the US.

    So because of that, I don't think this will work?

    The problem we have is we need to make Skype resilient, so in sites which have an SBA we need to be able to point them directly to it, and other sites to anywhere else. This means that the UK and US sites will need a manual server config, and everywhere else has a normal Automatic config. This is by far not ideal, and you would have thought Microsoft/Skype could deal with this in the client, but they can't.

    So, my problem is, sites needing a manual config need a separate group policy (set at Sites and Services level), every other site requires an Automatic config (set at a high OU level).

    This is why I needed a WMI query to detect a US/UK site; if detected, the automatic config GP will not apply.

    Hope this helps?

    Steve

    Wednesday, March 23, 2016 9:47 AM
  • > So, my problem is, sites needing a manual config need a separate group
    > policy (set at Sites and Services level), every other site requires a
    > Automatic config (set at a high OU level).
     
    Why not enforce the site policies so they will override the OU level
    automatic config?
     
    Wednesday, March 23, 2016 10:20 AM
  • Hi Martin,

    Thanks for replying. I hadn't thought of that!

    I have tried this and unfortunately it didn't work. So it looks like I may have to go down the WMI filter route again

    :(


    Wednesday, March 23, 2016 2:44 PM
  • Hi Steve,

    According to my search, here is a WMI query you could try:

    Select * FROM Win32_IP4RouteTable
    WHERE ((Mask='255.255.255.255' AND NextHop='127.0.0.1')
    AND (Destination Like '10.1.1.%'))

    For detailed information, you could refer to the article below.

    http://ravingroo.com/1364/wmi-filter-apply-group-policy-specific-ip-subnet/

    Since the article is provided by a third party, we may not be notified in time if changes occur.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 24, 2016 5:11 AM
    Moderator
  • > I have tried this and unfortunately it didn't work.
     
    Regularly it does work. "didn't work" is obviously too short a
    description for further assistance :)
     
    Thursday, March 24, 2016 8:01 AM
  • Hi Jay,

    Thanks. I don't think this is any different from the one I've tried above?

    I want to list the few sites (IP ranges) I don't want the policy to apply to, but need to have something like a "not like" statement, so the WMI query is successful when the IP is different and the GP applies. Otherwise, I'll have to list all the IPs I want the policy to apply to, which is over 100 and difficult to manage.

    Martin, I enforced the user policy, which is great and applies, but the GP which I don't want to apply (hence the WMI query) also applies.

    I know I could go down a user group filter route, but the problem with this is that it's dependent on people making sure users are in the group. This also doesn't take into account people travelling.

    Cheers

    Thursday, March 24, 2016 12:11 PM
  • Just a thought, can I use a query to look for what AD Site (Sites and Services) the device is in using something like this?

    SELECT * FROM Win32_NTDomain WHERE Not Like (DomainName LIKE "%%" and ClientSiteName Like "USSite1" or ClientSiteName LIKE "UKSite1"))

    This still doesn't seem to give me what I'm after, and it also takes about 10 seconds, which isn't great.


    Thanks

    Thursday, March 24, 2016 2:06 PM
  • Another thought: can I query the registry to look for a value using WMI?
    Thursday, March 24, 2016 2:25 PM
  • Hi Martin,

    Thanks, I'll give this a go and get back to you.

    Cheers

    Thursday, March 24, 2016 4:00 PM
  • Hi Martin,

    Good news: it's appeared this morning, and when running the query, wmic environment and checking in the registry I can see it. I've just changed the policy to have different information so my PC should change to a 0.

    I'll see how this goes and get back to you.

    Thanks again!

    Wednesday, March 30, 2016 8:58 AM
  • Martin,

    Thanks very much! It works perfectly!

    It's definitely complicated, but does exactly what I wanted.

    Cheers

    Wednesday, March 30, 2016 12:49 PM