Searching computer's OU or DN in WMI filter

  • Question

  • I need to apply a few group policies with user settings only when they are logged on to computers in some OUs.
    Unfortunately, my AD structure is very large and I can't use loopback processing for it.
    I need to create a WMI filter for these policies.
    But I can't find how I can search for the OU name or DN of the computer in the filter?
    my blog - http://vvnet.ru
    Tuesday, September 28, 2010 1:10 PM

Answers

  • Hi,

    Yes, you’re right. "select * from ds_computer where"  will return the same result on all clients without filter like ds_name = %computername%. However, %computername% cannot be used in WMI filter.

    Currently, we have two options:

    1. Create a MOF file and fill in some information on the client so that we can query this customized information from a WMI filter.
    2. Change win32_operatingsystem properties, such as description, and then use the filter "select * from win32_operatingsystem where description like '%WMIFILTER%'". To change win32_operatingsystem’s properties, we can do it remotely via script or startup script.

    To create a MOF file, please refer to the following sample:

    =========================
    #pragma namespace ("\\\\.\\Root\\cimv2")

    // Register the registry property provider that backs the dynamic properties.
    instance of __Win32Provider as $PropProv
    {
     Name="RegPropProv";
     Clsid="{72967901-68EC-11d0-B729-00AA0062CBB7}";
    };

    instance of __PropertyProviderRegistration
    {
     Provider=$PropProv;
     SupportsPut = TRUE;
     SupportsGet = TRUE;
    };

    // Class queried by the WMI filter.
    [DYNPROPS]
    class WMIFILTER
    {
         [key]string  Keyname="";
         string       ou;
         string       description;
    };

    // Single instance whose properties are read from registry values on the client.
    [DYNPROPS]
    instance of WMIFILTER
    {
         KeyName="WMIfilter";
         [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion|currentou"), Dynamic, Provider("RegPropProv")] ou;
         [PropertyContext("local|HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion|currentdescription"), Dynamic, Provider("RegPropProv")] description;
    };
    =========================

    After the MOF file has been compiled on the client machines, a WMI filter can be used that looks like this in the root\cimv2 namespace:

    SELECT * FROM WMIFILTER WHERE ou="Ouname"

    WMI Helps Those Who Help Themselves
    http://msdn.microsoft.com/en-us/library/ms974554.aspx

    To change the properties, please refer to:

    $computer=gwmi win32_operatingsystem -computername "computername"
    $computer.description="WMIFILTER"
    $computer.put()

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Mervyn Zhang Friday, October 8, 2010 1:53 AM
    Thursday, September 30, 2010 2:29 AM
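
The answer above does not show how `currentou` gets into the registry. One way to populate it from a computer startup script, as an added example that is not part of the original thread. Assumptions: the MOF path is hypothetical, storing the full DN in `currentdescription` is a choice made here, and OU names contain no characters that need escaping in a DN or in WQL.

```powershell
# Added example (not from the thread). Intended as a computer startup script.
param(
    # Hypothetical location of the MOF sample from the answer above.
    [string]$MofPath = 'C:\ProgramData\wmifilter.mof'
)

$regKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'

# Ask the directory for this computer's own DN. ADSystemInfo has no type
# library, so its properties have to be read through InvokeMember.
$sysInfo = New-Object -ComObject ADSystemInfo
$dn = $sysInfo.GetType().InvokeMember('ComputerName', 'GetProperty', $null, $sysInfo, $null)

# Split the DN on commas that are not escaped with a backslash, then take the
# first OU= component, i.e. the OU that directly contains the computer object.
$parts  = [regex]::Split($dn, '(?<!\\),')
$ouPart = $parts | Where-Object { $_ -match '^\s*OU=' } | Select-Object -First 1
if (-not $ouPart) {
    # Objects in the default CN=Computers container have no OU component.
    $ou = ''
} else {
    $ou = ($ouPart -replace '^\s*OU=', '').Trim()
}

# Values read by the RegPropProv-backed properties of the WMIFILTER class.
Set-ItemProperty -Path $regKey -Name 'currentou' -Value $ou
# Assumption of this example: keep the full DN in the second property.
Set-ItemProperty -Path $regKey -Name 'currentdescription' -Value $dn

# Register the WMIFILTER class and its instance in root\cimv2.
& mofcomp.exe $MofPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "mofcomp failed with exit code $LASTEXITCODE" }

# Run the same query the GPO WMI filter will run; at least one instance
# coming back means the filter evaluates to true on this machine.
$query = "SELECT * FROM WMIFILTER WHERE ou=""$ou"""
$hit = @(Get-WmiObject -Namespace 'root\cimv2' -Query $query)
"DN: $dn"
"OU: $ou"
"Filter matches: $($hit.Count -gt 0)"
```

Because `currentou` lives under HKLM, any local administrator can change it, so a filter built on it reflects what the client reports rather than what the directory says. Only the immediate OU name is stored, so OUs with the same name under different parents are not distinguished.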

All replies

  • Hi,

    Please configure the WMI filter as follows:

    Namespace: root\directory\LDAP

    Query: select * from ds_computer where ds_distinguishedName like '%ou=ou1%'

    Note: Replace '%ou=ou1%' with your actual OU name. 

    For your information: 
    LIKE Operator
    http://msdn.microsoft.com/en-us/library/aa392263(v=VS.85).aspx

    Thanks. 


    Wednesday, September 29, 2010 8:12 AM
  • Big thanks for reply, but unfortunately this query doesn't work.

    I created query

    select * from ds_computer where ds_distinguishedName like '%ou=Workstations%'
    

    but the policy applies on all computers.

    And powershell script

    Get-WmiObject -class ads_computer -namespace $namespace | fl ds_distinguishedName
    
    returns DN of all computers in network (I run it on test computer in OU "Workstations")

     

     


    my blog - http://vvnet.ru
    Wednesday, September 29, 2010 9:45 AM
  • Maybe I can use a variable like %computername% in the WMI query and use something like this:

    select * from ds_computer where (ds_distinguishedName like '%ou=Workstations%') and (ds_name = %computername%)

    ?

    Or join with other query from other namespace?


    my blog - http://vvnet.ru
    Wednesday, September 29, 2010 9:51 AM
  • Hi,

    The WMI filter works fine in my test Domain. 

    What’s the result of the following command on your client:

    gwmi -namespace root\directory\LDAP -query "select ds_distinguishedName from ds_computer where ds_distinguishedName like '%ou=Workstations%'"

    Please help to collect the GPMC report for research. 

    On the DC, open GPMC, right-click Group Policy Result, choose Group Policy Result Wizard, and follow the wizard to collect a report of the Windows 7 system. When it finishes, right-click in the right panel and choose Save Report. If you would like other community members to analyze the report, upload the file to Windows Live SkyDrive (http://www.skydrive.live.com/) and paste the link here; if not, you can send the file to tfwst@microsoft.com (with this thread title or link in the email).

    Thanks. 


    Wednesday, September 29, 2010 10:05 AM
  • So my test computers:

    msk01an-it038d - windows 7, CN=msk01an-it038d,OU=Workstations,OU=Computers,OU=somename,DC=somedomain,DC=ru
    msk01an-it205v - windows XP, CN=msk01an-it205v,OU=Test,OU=Computers,OU=somename,DC=somedomain,DC=ru

    test policy - test123 (policy hides taskmanager from ctrl+alt+del screen)

    wmi filter on this policy - select * from ds_computer where ds_distinguishedName like '%ou=Test%'

    On both computers gwmi returns this:

    PS C:\Documents and Settings\adminyb> gwmi -namespace root\directory\LDAP -query "select ds_distinguishedName from ds_computer where ds_distinguishedName like '%ou=test%'"


    __GENUS              : 2
    __CLASS              : ds_computer
    __SUPERCLASS         :
    __DYNASTY            :
    __RELPATH            :
    __PROPERTY_COUNT     : 1
    __DERIVATION         : {}
    __SERVER             :
    __NAMESPACE          :
    __PATH               :
    DS_distinguishedName : CN=msk01an-it205v,OU=Test,OU=Computers,OU=somename,DC=somedomain,DC=ru

    __GENUS              : 2
    __CLASS              : ds_computer
    __SUPERCLASS         :
    __DYNASTY            :
    __RELPATH            :
    __PROPERTY_COUNT     : 1
    __DERIVATION         : {}
    __SERVER             :
    __NAMESPACE          :
    __PATH               :
    DS_distinguishedName : CN=msk01an-it206v,OU=Test,OU=Computers,OU=somename,DC=somedomain,DC=ru


    PS C:\Documents and Settings\adminyb>

     

    I sent the reports from GPMC by email.

     

     


    my blog - http://vvnet.ru
    Wednesday, September 29, 2010 10:42 AM
  • Oh, big thanks!

    I'll try to do it and answer after testing.


    my blog - http://vvnet.ru
    Thursday, September 30, 2010 7:58 AM

  • Waiting for your result. If there is anything we can do for you, please let us know.

    Thanks.


    Monday, October 4, 2010 2:51 AM
  • Hi,

    Did you get any chance to test the suggestions? If there is anything we can do for you, please let us know.

    Thanks.


    Thursday, October 7, 2010 6:56 AM
  • Hello, I have done this query and everything is running well, except that the policy in computer configuration is not applied; the user settings applied fine but the computer settings were not applied.

     

    Does anybody know what happened?


    TI
    Friday, September 30, 2011 9:43 AM