Darren,

A double-take here. I could swear that the Group Policy sub-systems re-process a machine account's group membership when updating. The reason I say this is that I think I've observed a server device get a new set of policy settings--where a new GPO was filtered by a new security group the device was made a member of--without rebooting that device. When I manually checked the 'memberships' the server device was in, I did 'not' see the updated group membership (until after manually rebooting it), but the new policy was indeed applying before rebooting. I just assumed that this was by design and didn't follow up on it. A 'design' to operate like this would make sense for Computer side settings, especially for server devices which are rarely rebooted.

Looks like I'll have to re-test this explicitly. Like I said, I 'really' think I've seen this behavior. Feel free to test.

Jerry Cruz | Group Policies Product Manager | Windows Infrastructure Architecture (http://wia.web.boeing.com) | Boeing IT
Office 425-865-6755 | Mobile 425-591-6491

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Friday, May 23, 2008 9:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter

Well, I'm looking at a system here and looking at what Win32_Group is and what it contains. It does not evaluate based on group membership at all. I think what you are seeing is something different. For example, changing a workstation's group membership would not affect GP processing just through a gpupdate /force because a workstation's security token is not updated except on reboot. So in any case the workstation would not register its new group membership just through a gpupdate operation.

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of jfvanmeter@xxxxxxxxxxx
Sent: Friday, May 23, 2008 9:30 AM
To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
Cc: Darren Mar-Elia
Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter

From what I've seen, if I remove the workstation from the group and run gpupdate /force on the workstation, the GP is filtered out; if I put the workstation back and run gpupdate /force, it's applied. I'm not sure why it works after trying the select statement I thought I was going to have to define something like select * from Win32_Group Where Domain = "domainname" and User = "joe.camel", my thought is that I already have the groups set up and I've used them in the past to steer group policy, and the odds are I'm going to do that again, I wanted to try something and learn a little along the way ;)

--John

-------------- Original message ----------------------
From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
> I think I see the issue here John. The query you have created is simply
> asking, "is there a group with a domain part of x and a name part of y".
> Win32_Group returns all groups found by the workstation that is in a domain,
> including local workstation groups and domain groups. It does not
> differentiate based on which groups that workstation is a member of, so the
> "True" you are getting is simply telling you that the group exists, not that
> the workstation is a member of it.
>
> There are WMI "Association" classes like Win32_GroupUser that enumerate all
> of the members of all groups in the domain but I don't think this is going
> to be a very efficient way to do group filtering, and frankly I am not sure
> how you can form a select query on an Association class like this. I think
> this particular problem is not going to be solved via WMI Filtering.
>
> Darren
>
>
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Nelson, Jamie R
> Sent: Friday, May 23, 2008 7:49 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter
>
> Win32_Group is not actually exposing membership; when you run that WQL
> statement you are actually only verifying that the group exists.
>
> Just use security filtering if you want to limit the application of
> an entire GPO based on groups, OR you can also use the new item-level
> targeting in the GPP extensions to limit the application of specific
> settings in the same policy.
>
> Jamie Nelson | Systems Engineer | Systems Support, Information
> Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
> 405.553.5687 | http://www.integrisok.com
>
> -----Original Message-----
> From: jfvanmeter@xxxxxxxxxxx [mailto:jfvanmeter@xxxxxxxxxxx]
> Sent: Friday, May 23, 2008 2:07 AM
> To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
> Cc: Nelson, Jamie R
> Subject: Re: [gptalk] Re: Select statement calling Win32_Group in a WMI
> FIlter
>
> just trying to learn something
>
> --John
>
> -------------- Original message ----------------------
> From: "Nelson, Jamie R" <Jamie.Nelson@xxxxxxxxxxxxxxxxxxx>
> > Is there a particular reason you're not using Security Filtering?
> >
> > Jamie Nelson | Systems Engineer | Systems Support, Information
> > Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
> > 405.553.5687 | http://www.integrisok.com
> >
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > On Behalf Of jfvanmeter@xxxxxxxxxxx
> > Sent: Thursday, May 22, 2008 12:14 PM
> > To: gpotalk
> > Subject: [gptalk] Select statement calling Win32_Group in a WMI FIlter
> >
> > Hello everyone, I'm trying to write a WMI filter that will apply group
> > policy based on group membership.
> > Let's say I have computer accounts that are all XP workstations in two
> > groups, Group1 and Group2.
> >
> > The following works
> >
> > select * from Win32_Group Where Domain = "Domainname" and Name = "Group1"
> >
> > any computers that are a member of Group1 will receive the
> > group policy that I have it linked to, any computer not a member of
> > Group1 the policy is filtered. I need the filter to use both Group1 or
> > Group2.
> >
> > I've tried the following
> >
> > 1 select * from Win32_Group Where Domain = "Domainname" and Name = "Group1" or Name = "Group2"
> >
> > 2 select * from Win32_Group Where Domain = "Domainname" and Name = "Group1" or Domain = "Domainname" and Name = "Group2"
> >
> > 3 I've tried two separate filters together
> > select * from Win32_Group Where Domain = "Domainname" and Name = "Group1"
> > select * from Win32_Group Where Domain = "Domainname" and Name = "Group2"
> >
> > With any of the above 3, GPResults shows the policy being filtered when I
> > try to add the second group. If someone could point me in the right
> > direction that would be great.
> >
> > Take Care and Have Fun --John
> > ***********************
> > You can unsubscribe from gptalk by sending email to
> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> > by logging into the freelists.org Web interface. Archives for the list
> > are available at //www.freelists.org/archives/gptalk/
> > ************************
> >
> >
> > This e-mail may contain identifiable health information that is subject to
> > protection under state and federal law. This information is intended to be for
> > the use of the individual named above. If you are not the intended recipient, be
> > aware that any disclosure, copying, distribution or use of the contents of this
> > information is prohibited and may be punishable by law. If you have received
> > this electronic transmission in error, please notify us immediately by
> > electronic mail (reply).
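
Added example, not part of the thread or any poster's code: a PowerShell check that runs the Win32_Group query from the original post next to a lookup of the computer account's direct group membership in Active Directory, illustrating the replies' point that the query only verifies that the group exists. Domainname and Group1 are the placeholder names from the original post; Get-CimInstance assumes PowerShell 3.0 or later on a domain-joined machine.

```powershell
# Added example. 'Domainname' and 'Group1' are the placeholders used in the thread.
$domain = 'Domainname'
$group  = 'Group1'

# 1. The query from the original post. A WMI filter evaluates to true when the
#    query returns at least one instance. Win32_Group returns an instance for
#    every group the machine can see, so this only tests that the group exists.
$wql  = "SELECT * FROM Win32_Group WHERE Domain = '$domain' AND Name = '$group'"
$rows = @(Get-CimInstance -Query $wql)
$queryReturnsRow = $rows.Count -gt 0

# 2. What the directory records for this computer account.
#    memberOf holds direct memberships only (no nested groups, no primary group),
#    and it reflects the directory, not the token the machine is currently using.
$ldap     = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
$searcher = [adsisearcher]$ldap
[void]$searcher.PropertiesToLoad.Add('memberOf')
$entry    = $searcher.FindOne()
$memberOf = if ($entry) { @($entry.Properties['memberof']) } else { @() }
$isDirectMember = [bool]($memberOf | Where-Object { $_ -like "CN=$group,*" })

# 3. Side-by-side result.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Group            = "$domain\$group"
    WmiQueryReturns  = $queryReturnsRow
    DirectMemberInAD = $isDirectMember
}
```

A result with WmiQueryReturns true and DirectMemberInAD false is the case described in the replies: the filter passes on a machine that is not in the group, so the group restriction belongs in the GPO's security filtering instead.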