[gptalk] Re: Select statement calling Win32_Group in a WMI Filter
- From: jfvanmeter@xxxxxxxxxxx
- To: gptalk@xxxxxxxxxxxxx, <gptalk@xxxxxxxxxxxxx>
- Date: Fri, 23 May 2008 16:43:12 +0000
That's correct, Darren. I had to reboot the workstation for that to happen, and
I'm not sure why the select statement appears to work.
-------------- Original message ----------------------
From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
> Well, I'm looking at a system here and looking at what Win32_Group is and what it
> contains. It does not evaluate based on group membership at all. I think
> what you are seeing is something different. For example, changing a
> workstation's group membership would not affect GP processing just through a
> gpupdate /force because a workstation's security token is not updated except
> on reboot. So in any case the workstation would not register its new group
> membership just through a gpupdate operation.
>
>
> Darren
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of jfvanmeter@xxxxxxxxxxx
> Sent: Friday, May 23, 2008 9:30 AM
> To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
> Cc: Darren Mar-Elia
> Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter
>
> From what I've seen, if I remove the workstation from the group and run
> gpupdate /force on the workstation, the gp is filtered out; if I put the
> workstation back and run gpupdate /force, it's applied.
>
> I'm not sure why it works. After trying the select statement, I thought I was
> going to have to define something like
>
> select * from Win32_Group Where Domain = "domainname" and User =
> "joe.camel", my thought is that
>
> I already have the group set up and I've used them in the past to steer
> group policy, and the odds are I'm going to do that again. I wanted to
> try something and learn a little along the way ;)
>
> --John
>
>
> -------------- Original message ----------------------
> From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
> > I think I see the issue here John. The query you have created is simply
> > asking, "is there a group with a domain part of x and a name part of y".
> > Win32_Group returns all groups found by the workstation that is in a
> > domain, including local workstation groups and domain groups. It does not
> > differentiate based on which groups that workstation is a member of, so
> > the "True" you are getting is simply telling you that the group exists,
> > not that the workstation is a member of it.
> >
> > There are WMI "Association" classes like Win32_GroupUser that enumerate
> > all of the members of all groups in the domain but I don't think this is
> > going to be a very efficient way to do group filtering, and frankly I am
> > not sure how you can form a select query on an Association class like
> > this. I think this particular problem is not going to be solved via WMI
> > Filtering.
> >
> > Darren
> >
> >
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> > Behalf Of Nelson, Jamie R
> > Sent: Friday, May 23, 2008 7:49 AM
> > To: gptalk@xxxxxxxxxxxxx
> > Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter
> >
> > Win32_Group is not actually exposing membership; when you run that WQL
> > statement you are actually only verifying that the group exists.
> >
> > Just use security filtering if you want to limit the application of an
> > entire GPO based on groups, OR you can also use the new item-level
> > targeting in the GPP extensions to limit the application of specific
> > settings in the same policy.
> >
> > Jamie Nelson | Systems Engineer | Systems Support, Information
> > Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
> > 405.553.5687 | http://www.integrisok.com
> >
> > -----Original Message-----
> > From: jfvanmeter@xxxxxxxxxxx [mailto:jfvanmeter@xxxxxxxxxxx]
> > Sent: Friday, May 23, 2008 2:07 AM
> > To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
> > Cc: Nelson, Jamie R
> > Subject: Re: [gptalk] Re: Select statement calling Win32_Group in a WMI
> > FIlter
> >
> > just trying to learn something
> >
> > --John
> >
> > -------------- Original message ----------------------
> > From: "Nelson, Jamie R" <Jamie.Nelson@xxxxxxxxxxxxxxxxxxx>
> > > Is there a particular reason you're not using Security Filtering?
> > >
> > > Jamie Nelson | Systems Engineer | Systems Support, Information
> > > Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
> > > 405.553.5687 | http://www.integrisok.com
> > >
> > > -----Original Message-----
> > > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of jfvanmeter@xxxxxxxxxxx
> > > Sent: Thursday, May 22, 2008 12:14 PM
> > > To: gpotalk
> > > Subject: [gptalk] Select statement calling Win32_Group in a WMI FIlter
> > >
> > > Hello everyone, I'm trying to write a WMI filter that will apply group
> > > policy based on group membership. Let's say I have computer accounts
> > > that are all XP workstations in two groups, Group1 and Group2.
> > >
> > > The following works
> > >
> > > select * from Win32_Group Where Domain = "Domainname" and Name = "Group1"
> > >
> > > Any computers that are a member of Group1 will receive the
> > > group policy that I have it linked to; any computer not a member of
> > > Group1, the policy is filtered. I need the filter to use both Group1 or
> > > Group2.
> > >
> > > I've tried the following
> > > 1 select * from Win32_Group Where Domain = "Domainname" and Name =
> > > "Group1" or Name = "Group2"
> > >
> > > 2 select * from Win32_Group Where Domain = "Domainname" and Name =
> > > "Group1" or Domain = "Domainname" and Name = "Group2"
> > >
> > > 3 I've tried two separate filters together
> > > select * from Win32_Group Where Domain = "Domainname" and Name =
> > > "Group1"
> > > select * from Win32_Group Where Domain = "Domainname" and Name =
> > > "Group2"
> > >
> > > With any of the above 3, GPResults shows the policy being filtered when I
> > > try to add the second group. If someone could point me in the right
> > > direction that would be great.
> > >
> > > Take Care and Have Fun --John
> > > ***********************
> > > You can unsubscribe from gptalk by sending email to
> > > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
> > > OR by logging into the freelists.org Web interface. Archives for the
> > > list are available at http://www.freelists.org/archives/gptalk/
> > > ************************
> > >
> > >
> > > This e-mail may contain identifiable health information that is
> > > subject to protection under state and federal law. This information is
> > > intended to be for the use of the individual named above. If you are
> > > not the intended recipient, be aware that any disclosure, copying,
> > > distribution or use of the contents of this information is prohibited
> > > and may be punishable by law. If you have received this electronic
> > > transmission in error, please notify us immediately by electronic mail
> > > (reply).
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************
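
The distinction Darren and Jamie describe, as an added example that is not part of the original thread: it runs the thread's Win32_Group query next to a lookup of the computer account's own memberOf attribute in Active Directory. CONTOSO, Group1 and Group2 are placeholder names, and the script assumes a domain-joined workstation and that each group's CN matches the name used in the query.

```powershell
# Added illustration; CONTOSO, Group1 and Group2 are placeholder names.
$domain = 'CONTOSO'
$groups = 'Group1', 'Group2'

# Direct group memberships of this computer account, read from AD.
# memberOf lists direct memberships only (no nested groups, no primary group).
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
[void]$searcher.PropertiesToLoad.Add('memberOf')
$found = $searcher.FindOne()

$memberCns = @()
if ($found) {
    # Assumption: the group's CN equals the Name used in the WQL query.
    $memberCns = @($found.Properties['memberof']) |
        ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
}

foreach ($name in $groups) {
    # The filter query from the thread: it only asks whether the group exists.
    $wql = "SELECT * FROM Win32_Group WHERE Domain = '$domain' AND Name = '$name'"
    $instances = @(Get-CimInstance -Query $wql)

    [pscustomobject]@{
        Group            = $name
        # A WMI filter evaluates to true when its query returns any instance.
        WmiFilterIsTrue  = $instances.Count -gt 0
        ComputerIsMember = $memberCns -contains $name
    }
}
```

On a workstation that is not in Group1, the Group1 row shows WmiFilterIsTrue as True and ComputerIsMember as False whenever the group exists in the domain, which is why security filtering on the GPO is the control that actually depends on membership.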