[gptalk] Re: Select statement calling Win32_Group in a WMI FIlter

  • From: "Cruz, Jerome L" <jerome.l.cruz@xxxxxxxxxx>
  • To: "gptalk@xxxxxxxxxxxxx" <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 23 May 2008 12:52:39 -0500

Darren,

A double-take here. I could swear that the Group Policy sub-systems re-process 
a machine account's group membership when updating. The reason I say this is 
that I think I've observed a server device get a new set of policy 
settings--where a new GPO was filtered by a new security group the device was 
made a member of--without rebooting that device. When I manually checked the 
'memberships' the server device was in, I did 'not' see the updated group 
membership (until after manually rebooting it), but the new policy was indeed 
applying before rebooting. I just assumed that this was by design and didn't 
follow up on it.

A 'design' to operate like this would make sense for Computer side settings, 
especially for server devices which are rarely rebooted. Looks like I'll have 
to re-test this explicitly. Like I said, I 'really' think I've seen this 
behavior. Feel free to test.

Jerry Cruz | Group Policies Product Manager | Windows Infrastructure 
Architecture (http://wia.web.boeing.com) | Boeing IT
Office 425-865-6755 | Mobile 425-591-6491

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Darren Mar-Elia
Sent: Friday, May 23, 2008 9:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter

Well, I'm looking at a system here and looking at what Win32_Group is and what it
contains. It does not evaluate based on group membership at all. I think
what you are seeing is something different. For example, changing a
workstation's group membership would not affect GP processing just through a
gpupdate /force because a workstation's security token is not updated except
on reboot. So in any case the workstation would not register its new group
membership just through a gpupdate operation.


Darren
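Darren's point can be checked directly. The PowerShell below is an added example, not code from anyone in this thread: it evaluates the same kind of Win32_Group query a WMI filter runs and sets it beside what the directory actually reports as the computer account's group membership. "Domainname", "Group1" and "Group2" are placeholders; it assumes a domain-joined host with the .NET System.DirectoryServices classes available.

```powershell
# Added example (not from the thread). Contrast what the WQL filter asks
# with an actual check of this computer's group membership.
# Assumptions: domain-joined host, .NET DirectoryServices available,
# 'Domainname' / 'Group1' / 'Group2' are placeholders.

function Test-GroupExistsViaWmi {
    # This is what the GP engine evaluates for a WMI filter: the filter
    # passes when the query returns at least one instance.
    param([string]$Domain, [string[]]$Names)
    # WQL: AND binds tighter than OR, so group the OR in parentheses.
    $nameClause = ($Names | ForEach-Object { "Name = '$_'" }) -join ' OR '
    $wql = "SELECT * FROM Win32_Group WHERE Domain = '$Domain' AND ($nameClause)"
    $rows = @(Get-WmiObject -Query $wql)
    # A non-empty result only proves the group exists and is visible to
    # this host; it says nothing about whether this computer is a member.
    [pscustomobject]@{ Query = $wql; Matches = $rows.Count; FilterPasses = ($rows.Count -gt 0) }
}

function Get-ComputerGroupsFromAD {
    # Ask the directory which groups (nested groups and the primary group
    # included) this computer account belongs to, via the constructed
    # tokenGroups attribute of the computer object.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account $env:COMPUTERNAME not found in AD" }
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))
    foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        # Fall back to the raw SID when a name cannot be resolved.
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
}

# The WMI "filter" passes for any existing group; the AD view shows real
# membership. Per the thread, the computer's own logon token (which the GP
# engine runs under) is refreshed only at reboot, so the directory view can
# be ahead of what the machine itself currently carries.
Test-GroupExistsViaWmi -Domain 'Domainname' -Names 'Group1', 'Group2' | Format-List
Get-ComputerGroupsFromAD | Sort-Object
```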

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of jfvanmeter@xxxxxxxxxxx
Sent: Friday, May 23, 2008 9:30 AM
To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
Cc: Darren Mar-Elia
Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter

From what I've seen, if I remove the workstation from the group and run
gpupdate /force on the workstation, the GP is filtered out; if I put the
workstation back and run gpupdate /force, it's applied.

I'm not sure why it works. After trying the select statement I thought I was
going to have to define something like

select * from Win32_Group Where Domain = "domainname" and User ' =
"joe.camel", my thought is that

I already have the group set up and I've used them in the past to steer
group policy, and the odds are I'm going to do that again. I wanted to
try something and learn a little along the way ;)

--John


 -------------- Original message ----------------------
From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
> I think I see the issue here, John. The query you have created is simply
> asking, "is there a group with a domain part of x and a name part of y".
> Win32_Group returns all groups found by the workstation that is in a domain,
> including local workstation groups and domain groups. It does not
> differentiate based on which groups that workstation is a member of, so the
> "True" you are getting is simply telling you that the group exists, not that
> the workstation is a member of it.
>
> There are WMI "Association" classes like Win32_GroupUser that enumerate all
> of the members of all groups in the domain but I don't think this is going
> to be a very efficient way to do group filtering, and frankly I am not sure
> how you can form a select query on an Association class like this. I think
> this particular problem is not going to be solved via WMI Filtering.
>
> Darren
>
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Nelson, Jamie R
> Sent: Friday, May 23, 2008 7:49 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter
>
> Win32_Group is not actually exposing membership; when you run that WQL
> statement you are actually only verifying that the group exists.
>
> Just use security filtering if you want to limit the application of an
> entire GPO based on groups, OR you can also use the new item-level
> targeting in the GPP extensions to limit the application of specific
> settings in the same policy.
>
> Jamie Nelson | Systems Engineer | Systems Support, Information
> Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
> 405.553.5687 | http://www.integrisok.com
>
> -----Original Message-----
> From: jfvanmeter@xxxxxxxxxxx [mailto:jfvanmeter@xxxxxxxxxxx]
> Sent: Friday, May 23, 2008 2:07 AM
> To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
> Cc: Nelson, Jamie R
> Subject: Re: [gptalk] Re: Select statement calling Win32_Group in a WMI
> FIlter
>
> just trying to learn something
>
> --JOhn
>
>  -------------- Original message ----------------------
> From: "Nelson, Jamie R" <Jamie.Nelson@xxxxxxxxxxxxxxxxxxx>
> > Is there a particular reason you're not using Security Filtering?
> >
> > Jamie Nelson | Systems Engineer | Systems Support, Information
> > Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
> > 405.553.5687 | http://www.integrisok.com
> >
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > On Behalf Of jfvanmeter@xxxxxxxxxxx
> > Sent: Thursday, May 22, 2008 12:14 PM
> > To: gpotalk
> > Subject: [gptalk] Select statement calling Win32_Group in a WMI FIlter
> >
> > Hello everyone, I'm trying to write a WMI filter that will apply group
> > policy based on group membership. Let's say I have computer accounts,
> > all XP workstations, in two groups Group1 and Group2.
> >
> > The following works:
> >
> > select * from Win32_Group Where Domain = "Domainname" and Name =
> > "Group1"
> >
> > Any computers that are a member of Group1 will receive the group policy
> > that I have it linked to; for any computer not a member of Group1 the
> > policy is filtered. I need the filter to use both Group1 or Group2.
> >
> > I've tried the following:
> > 1 select * from Win32_Group Where Domain = "Domainname" and Name =
> > "Group1" or Name = "Group2"
> >
> > 2 select * from Win32_Group Where Domain = "Domainname" and Name =
> > "Group1" or Domain = "Domainname" and Name = "Group2"
> >
> > 3 I've tried two separate filters together
> > select * from Win32_Group Where Domain = "Domainname" and Name =
> > "Group1"
> > select * from Win32_Group Where Domain = "Domainname" and Name =
> > "Group2"
> >
> > With any of the above 3, GPResult shows the policy being filtered when I
> > try to add the second group. If someone could point me in the right
> > direction that would be great.
> >
> > Take Care and Have Fun --John
> > ***********************
> > You can unsubscribe from gptalk by sending email to
> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> > by logging into the freelists.org Web interface. Archives for the list
> > are available at //www.freelists.org/archives/gptalk/
> > ************************
> >
> >
> > This e-mail may contain identifiable health information that is
> > subject to protection under state and federal law. This information is
> > intended to be for the use of the individual named above. If you are not
> > the intended recipient, be aware that any disclosure, copying,
> > distribution or use of the contents of this information is prohibited and
> > may be punishable by law. If you have received this electronic
> > transmission in error, please notify us immediately by electronic mail
> > (reply).