4. WMI Filters
Windows Management Instrumentation (WMI) is a management
infrastructure technology that allows administrators to monitor and
control managed objects in the network. A WMI query is capable of
filtering systems based on characteristics, including RAM, processor
speed, disk capacity, IP address, operating system version and service
pack level, installed applications, and printer properties. Because
WMI exposes almost every property of every object within a computer,
the list of attributes that can be used in a WMI query is virtually
unlimited. WMI queries are written using WMI Query Language
(WQL).
You can use a WMI query to create a WMI filter, with which a
GPO can be filtered. A good way to understand the
purpose of a WMI filter, both for the certification exams and for
real-world implementation, is through examples. Group Policy can be
used to deploy software applications and service packs. You might
create a GPO to deploy an application and then use a WMI filter
to specify that the policy should apply only to computers with a
certain operating system and service pack—Windows XP SP3, for example.
The WMI query to identify such systems is:
Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"
When the Group Policy Client evaluates GPOs that it has
downloaded to determine which should be handed off to the CSEs for
processing, it performs the query against the local system. If the
system meets the criteria of the query, the query result is a logical
True, and the CSEs will process the GPO.
WMI exposes namespaces, within which are
classes that can be queried. Many useful classes, including
Win32_OperatingSystem, are found in a namespace
called root\CIMv2.
To create a WMI filter:
- Right-click the WMI Filters node in the Group Policy
  Management console tree and choose New.
- Type a name and description for the filter, and then click
  Add.
- In the Namespace box, type the namespace for your
  query.
- In the Query box, enter the query.
- Click OK, and then click Save.
To filter a GPO with a WMI filter:
- Select the GPO or GPO link in the console tree.
- Click the Scope tab.
- Click the WMI drop-down list, and select the WMI
  filter.
A GPO can be filtered by only one WMI filter, but that WMI
filter can be a complex query, using multiple criteria. A single WMI
filter can be linked to, and thereby used to filter, one or more GPOs.
The General tab of a WMI filter, shown in Figure 10, displays the GPOs that use the WMI
filter.
There are two significant caveats regarding WMI filters. First, the WQL syntax of WMI queries can be
challenging to master. You can often find examples on the Internet if
you search using the keywords WMI filter and
WMI query along with a description of the query
you want to create.
Second, WMI filters are expensive in terms of Group Policy
processing performance. Because the Group Policy Client must perform
the WMI query at each policy processing interval, there is a slight
impact on system performance every 90 to 120 minutes. With the
performance of today’s computers, the impact might not be noticeable,
but you should certainly test the effects of a WMI filter prior to
deploying it widely in your production environment. The WMI query is
only processed one time, even if it is used to
filter the scope of multiple GPOs.
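To check a query before turning it into a WMI filter, you can run it on a representative computer and see whether it returns any instances (the logical True described above) and how long it takes. The following PowerShell is an added example, not part of the original text; the function name Test-WmiFilterQuery, its parameters, and the second sample query are assumptions made for illustration.

```powershell
# Added example: run a candidate WMI filter query locally and time it.
# Test-WmiFilterQuery and its parameters are illustrative names, not a built-in cmdlet.
function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMv2',
        [ValidateRange(1, 100)] [int] $Runs = 5
    )

    $timings = New-Object 'System.Collections.Generic.List[double]'
    $matched = $false
    $failure = $null

    foreach ($i in 1..$Runs) {
        $watch = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # A filter is True when the query returns at least one instance.
            $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
            $matched = $rows.Count -gt 0
        } catch {
            # Bad WQL syntax, an unknown class or a missing namespace ends up here.
            $failure = $_.Exception.Message
            break
        } finally {
            $watch.Stop()
        }
        $timings.Add($watch.Elapsed.TotalMilliseconds)
    }

    $stats = if ($timings.Count) { $timings | Measure-Object -Average -Maximum }
    [pscustomobject]@{
        Namespace = $Namespace
        Query     = $Query
        Result    = if ($failure) { 'Error' } elseif ($matched) { 'True' } else { 'False' }
        AverageMs = if ($stats) { [math]::Round($stats.Average, 1) } else { $null }
        MaxMs     = if ($stats) { [math]::Round($stats.Maximum, 1) } else { $null }
        Error     = $failure
    }
}

$queries = @(
    # The query from the text above.
    'Select * FROM Win32_OperatingSystem WHERE Caption="Microsoft Windows XP Professional" AND CSDVersion="Service Pack 3"',
    # Constructed sample: matches workstation operating systems (ProductType 1).
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
)
$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } | Format-List
```

A Result of Error means the query must be corrected before it is saved as a filter; a Result of False on a computer you expected to match means the GPO's settings would not reach it.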
5. Enabling or Disabling GPOs and GPO Nodes
You can prevent the settings in the Computer Configuration or
User Configuration nodes from being processed during policy refresh by
changing GPO Status.
To enable or disable a GPO’s nodes, select the GPO or GPO link
in the console tree; click the Details tab, shown in Figure 11; and then choose one of the
following from the GPO Status drop-down list:
- Enabled: Both computer configuration settings and user
  configuration settings will be processed by CSEs during policy
  refresh.
- All Settings Disabled: CSEs will not process the GPO during policy
  refresh.
- Computer Configuration Settings Disabled: During computer policy
  refresh, computer configuration settings in the GPO will not be
  applied. The GPO will not be processed during user policy refresh.
- User Configuration Settings Disabled: During user policy refresh,
  user configuration settings in the GPO will not be applied. The GPO
  will not be processed during computer policy refresh.
You can configure GPO status to optimize policy processing. If a
GPO contains only user settings, for example, setting the GPO Status
option to disable computer settings prevents the Group Policy Client
from attempting to process the GPO during computer policy refresh.
Because the GPO contains no computer settings, there is no need to
process the GPO, and you can save a few cycles of the
processor.
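One way to find GPOs that could benefit from this optimization is to look for nodes that have never been edited but are still enabled. The following PowerShell is an added example, not part of the original text; it assumes the GroupPolicy module is installed, and the function name Get-GpoStatusSuggestion is hypothetical.

```powershell
# Added example: suggest a GPO Status for GPOs that have a node that was never edited.
# Requires the GroupPolicy module (installed with the Group Policy Management tools).
# Get-GpoStatusSuggestion is an illustrative name, not a built-in cmdlet.
Import-Module GroupPolicy

function Get-GpoStatusSuggestion {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Gpo)
    process {
        $current = "$($Gpo.GpoStatus)"
        # Leave fully disabled GPOs alone; they may be held in reserve on purpose.
        if ($current -eq 'AllSettingsDisabled') { return }

        # DSVersion 0 means the node has never been edited. This is a heuristic:
        # a node that was edited and later emptied keeps a nonzero version.
        $userEmpty     = $Gpo.User.DSVersion -eq 0
        $computerEmpty = $Gpo.Computer.DSVersion -eq 0
        if (-not $userEmpty -and -not $computerEmpty) { return }

        if ($userEmpty -and $computerEmpty) { $suggested = 'Review: no settings in either node' }
        elseif ($userEmpty)                 { $suggested = 'UserSettingsDisabled' }
        else                                { $suggested = 'ComputerSettingsDisabled' }

        # Report only GPOs whose current status differs from the suggestion.
        if ($suggested -ne $current) {
            [pscustomobject]@{
                DisplayName     = $Gpo.DisplayName
                CurrentStatus   = $current
                SuggestedStatus = $suggested
                UserVersion     = $Gpo.User.DSVersion
                ComputerVersion = $Gpo.Computer.DSVersion
            }
        }
    }
}

Get-GPO -All | Get-GpoStatusSuggestion | Sort-Object DisplayName | Format-Table -AutoSize
```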
Note
USE DISABLED GPOS FOR DISASTER PREPAREDNESS
You can define a configuration that should take effect in case
of an emergency, security incident, or other disaster in a GPO, and
link the GPO so that it is scoped to appropriate users and
computers. Then, disable the GPO. In the event that you require the
configuration to be deployed, simply enable the GPO.