[gptalk] Re: WMI FILTERS

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 8 Jun 2007 08:10:02 -0700

Yep, it's come up before. It's a reasonable approach if you have to
absolutely have to have WMI-type filter behavior on Win2K but it's a little
convoluted to manage. In any case, I've heard from others that it works so
that's not all bad J

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Mills, Mark
Sent: Friday, June 08, 2007 8:06 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: WMI FILTERS 

 

I stumbled on this just last week -   Yes the Russian site freaked me out
too, use at your own risk.  Work around for WMI and Windows 2000: 

 <http://www.mml.ru/WMIF2K/Default.htm> http://www.mml.ru/WMIF2K/Default.htm

WMI Filtering for Windows 2000

     

Introduction

Windows XP and Windows Server 2003 include a new feature, WMI Filtering of
Group Policy Objects. This feature allows to selectively apply a Group
Policy object based on the result of a WMI query. For example, a GPO may be
applied only to computers that have Windows XP SP1 installed.

Although WMI Filtering does not require Windows Server 2003 on domain
controllers, it is only available to Windows XP or later clients. Windows
2000 clients just ignore WMI Filters and apply the GPO regardless of the WMI
query result.

The purpose of WMI Filtering for Windows 2000 is to emulate WMI Filtering
for domains that have a significant number of Windows 2000 client and server
installations without the need to upgrade to Windows XP and Windows Server
2003.

WMI Filtering for Windows 2000 features and limitations

WMI Filtering for Windows 2000 emulates the effect of WMI Filtering for
computer accounts running Windows 2000 and later OS. Filtering for user
accounts is not implemented in this release.

WMI Filtering for Windows 2000 maintains Active Directory security groups
that contain computer accounts matching the criteria specified in the WMI
queries. One or more queries are supported for each filter. Group Policy
objects are then applied to these security groups, using the features
compatible with Windows 2000 client systems.

Unlike Group Policy application, the filter processing is performed during
client system startup and/or shutdown. This may effectively limit usefulness
of WMI Filtering for Windows 2000 in some scenarios. However, if WMI queries
are used for tasks like software installation (that is only performed during
system startup) this limitation will not be significant.

To use WMI Filtering for Windows 2000 a working knowledge of Active
Directory, Group Policy and WMI is required.

Go to the link above for the rest of the documentation..

 <http://www.mml.ru/WMIF2K/Default.htm> http://www.mml.ru/WMIF2K/Default.htm

Mark Mills 

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: June 08, 2007 9:25 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: WMI FILTERS

Graham-

You're correct. GPMC focused on 2000 domain that is not ADPrepped will not

present WMI filters as an option and, though I haven't tested it

specifically, it should just show up when you do update the schema.

Darren

-----Original Message-----

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On

Behalf Of Graham Turner

Sent: Friday, June 08, 2007 2:00 AM

To: gptalk@xxxxxxxxxxxxx

Subject: [gptalk] Re: WMI FILTERS

Thanks both for mail replies.

Would i be right to say that this would explain why, using GPMC on a Windows

2003

server , but in a Windows 2000 domain that has not been AD'prepped, i do not

see the

WMI filters underneath the domain 'branch' ?

by corollary do i then need to do anything to the GPMC configuration after

ADPREP is

applied ?

or does GPMC somehow query the directory on startup ??

Thanks

 

> I suspect you are correct about only needing ADPrep Omar, since the only

server-side

> GP pieces of WMI Filters are one or two new AD classes and some attribs.

And you are

> correct that only XP/2003 and above will process filters. Additionally,

even if you

> update the 2000 schema, you can only define and link them using

XP/2003/Vista.

> 

> Darren

> 

> -----Original Message-----

> From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>

> To: gptalk@xxxxxxxxxxxxx

> Sent: 6/7/2007 3:33 PM

> Subject: [gptalk] Re: WMI FILTERS

> 

> Looks like you only need to run the Windows 2003 Adprep on a w2k domain

> and you don't even need w2k3 domain controllers.

> 

> I do think that wmi filters will only be processed on XP and w2k3

> systems on the network- but you may have to clarity from the GPO guy

> himself on that one.

> 

> Omar

> 

> http://technet2.microsoft.com/windowsserver/en/library/dfba1dc6-6848-4ed

> 8-96da-f4241c1acfbd1033.mspx?mfr=true

> 

> 

> -----Original Message-----

> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]

> On Behalf Of Graham Turner

> Sent: Thursday, June 07, 2007 11:46 AM

> To: gptalk@xxxxxxxxxxxxx

> Subject: [gptalk] WMI FILTERS

> 

> Hopefully this one is a quick 'yes or no'

> 

> is it right that WMI filters are only available if the domain is such

> that at least

> one DC is at Windows 2003, and as such not available to a Windows 2000

> only domain ?

> 

> G

> 

> 

> 

> 

> ***********************

> You can unsubscribe from gptalk by sending email to

> gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR

> by logging into the freelists.org Web interface. Archives for the list

> are available at http://www.freelists.org/archives/gptalk/

> ************************

> ***********************

> You can unsubscribe from gptalk by sending email to

gptalk-request@xxxxxxxxxxxxx

> with 'unsubscribe' in the Subject field OR by logging into the

freelists.org Web

> interface. Archives for the list are available at

> http://www.freelists.org/archives/gptalk/

> ************************

> 

> ***********************

> You can unsubscribe from gptalk by sending email to

gptalk-request@xxxxxxxxxxxxx

> with 'unsubscribe' in the Subject field OR by logging into the

freelists.org Web

> interface. Archives for the list are available at

> http://www.freelists.org/archives/gptalk/

> ************************

> 

 

***********************

You can unsubscribe from gptalk by sending email to

gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by

logging into the freelists.org Web interface. Archives for the list are

available at http://www.freelists.org/archives/gptalk/

************************

***********************

You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/

************************

Other related posts: