[gptalk] Re: Select statement calling Win32_Group in a WMI FIlter

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 23 May 2008 08:35:59 -0700

I think I see the issue here John. The query you have created is simply
asking, "is there a group with a domain part of x and a name part of y".
Win32_Group returns all groups found by the workstation that is in a domain,
including local workstation groups and domain groups. It does not
differentiate based on which groups that workstation is a member of, so the
"True" you are getting is simply telling you that the group exists, not that
the workstation is a member of it.

There are WMI "Association" classes like Win32_GroupUser that enumerate all
of the members of all groups in the domain but I don't think this is going
to be a very efficient way to do group filtering, and frankly I am not sure
how you can form a select query on an Association class like this. I think
this particular problem is not going to be solved via WMI Filtering.

Darren


-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Nelson, Jamie R
Sent: Friday, May 23, 2008 7:49 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter

Win32_Group is not actually exposing membership; when you run that WQL
statement you are actually only verifying that the group exists.

Just use security filtering if you want to limit the application of
entire GPO based on groups, OR you can also use the new item-level
targeting in the GPP extensions to limit the application of specific
settings in the same policy.

Jamie Nelson | Systems Engineer | Systems Support, Information
Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
405.553.5687 | http://www.integrisok.com

-----Original Message-----
From: jfvanmeter@xxxxxxxxxxx [mailto:jfvanmeter@xxxxxxxxxxx] 
Sent: Friday, May 23, 2008 2:07 AM
To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
Cc: Nelson, Jamie R
Subject: Re: [gptalk] Re: Select statement calling Win32_Group in a WMI
FIlter

just trying to learn something

--JOhn

 -------------- Original message ----------------------
From: "Nelson, Jamie R" <Jamie.Nelson@xxxxxxxxxxxxxxxxxxx>
> Is there a particular reason you're not using Security Filtering?
> 
> Jamie Nelson | Systems Engineer | Systems Support, Information
> Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
> 405.553.5687 | http://www.integrisok.com
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> On Behalf Of jfvanmeter@xxxxxxxxxxx
> Sent: Thursday, May 22, 2008 12:14 PM
> To: gpotalk
> Subject: [gptalk] Select statement calling Win32_Group in a WMI FIlter
> 
> Hello everyone, I'm trying to write a wmi filter that will apply group
> policy based on group membership.  Lets say I have computer accounts
are
> all XP workstations  in two groups Group1 and Group2
> 
> The following works
> 
> select * from Win32_Group Where Domain = "Domainname" and Name =
> "Group1" any computers that are a member of Group1 will recieve the
> group policy that I have it linked to, any computer not a member of
> Group1 the policy is filtered. I need the filter to use both Group1 or
> Group2.
> 
> I've tried to the following
> 1 select * from Win32_Group Where Domain = "Domainname" and Name =
> "Group1" or Name = "Group2"
> 
> 2 select * from Win32_Group Where Domain = "Domainname" and Name =
> "Group1"  or Domain = "Domainname" and Name = "Group2"
> 
> 3 I've tried to seperate filters together
> select * from Win32_Group Where Domain = "Domainname" and Name =
> "Group1"
> select * from Win32_Group Where Domain = "Domainname" and Name =
> "Group2"
> 
> With any of the above 3 GPResults shows the policy being filter when I
> try to add the second group. If someone could point me in the right
> direction that would be great.
> 
> Take Care and Have Fun --John
> ***********************
> You can unsubscribe from gptalk by sending email to
> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
OR
> by logging into the freelists.org Web interface. Archives for the list
> are available at http://www.freelists.org/archives/gptalk/
> ************************
> 
> 
> This e-mail may contain identifiable health information that is
subject to 
> protection under state and federal law. This information is intended
to be for 
> the use of the individual named above. If you are not the intended
recipient, be 
> aware that any disclosure, copying, distribution or use of the
contents of this 
> information is prohibited and may be punishable by law. If you have
received 
> this electronic transmission in error, please notify us immediately by

> electronic mail (reply).
> ***********************
> You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx 
> with 'unsubscribe' in the Subject field OR by logging into the
freelists.org Web 
> interface. Archives for the list are available at 
> http://www.freelists.org/archives/gptalk/
> ************************



This e-mail may contain identifiable health information that is subject to
protection under state and federal law. This information is intended to be
for the use of the individual named above. If you are not the intended
recipient, be aware that any disclosure, copying, distribution or use of the
contents of this information is prohibited and may be punishable by law. If
you have received this electronic transmission in error, please notify us
immediately by electronic mail (reply).
***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************

***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: