That's correct Darren I had to reboot the workstation for that to happen, and I'm not sure why the select statement appears to work. -------------- Original message ---------------------- From: "Darren Mar-Elia" <darren@xxxxxxxxxx> > Well, I'm looking at a system here and looking at Win32_Group is and what it > contains. It does not evaluate based on group membership at all. I think > what you are seeing is something different. For example, changing a > workstation's group membership would not affect GP processing just through a > gpupdate /force because a workstation's security token is not updated except > on reboot. So in any case the workstation would not register its new group > membership just through a gpupdate operation. > > > Darren > > -----Original Message----- > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On > Behalf Of jfvanmeter@xxxxxxxxxxx > Sent: Friday, May 23, 2008 9:30 AM > To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx > Cc: Darren Mar-Elia > Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter > > From what I've seen if I remove the workstation from the group, and run > gpupdate /force on the workstat the gp is filtered out, if I put the > workstation back and run gpudate /force its applied. > > I'm not sure why it works after trying the select statement I thought I was > going to have to define something like > > select * from WIn32_Group Where Domain = "domainname" and User ' = > "joe.camel", my thought is that > > I already have the group set up and I've used them in the past to steer > group policy, and the odds are I'm going to do that again, I was won't to > try something and learn alittle along the way ;) > > --John > > > -------------- Original message ---------------------- > From: "Darren Mar-Elia" <darren@xxxxxxxxxx> > > I think I see the issue here John. The query you have created is simply > > asking, "is there a group with a domain part of x and a name part of y". > > Win32_Group returns all groups found by the workstation that is in a > domain, > > including local workstation groups and domain groups. It does not > > differentiate based on which groups that workstation is a member of, so > the > > "True" you are getting is simply telling you that the group exists, not > that > > the workstation is a member of it. > > > > There are WMI "Association" classes like Win32_GroupUser that enumerate > all > > of the members of all groups in the domain but I don't think this is going > > to be a very efficient way to do group filtering, and frankly I am not > sure > > how you can form a select query on an Association class like this. I think > > this particular problem is not going to be solved via WMI Filtering. > > > > Darren > > > > > > -----Original Message----- > > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On > > Behalf Of Nelson, Jamie R > > Sent: Friday, May 23, 2008 7:49 AM > > To: gptalk@xxxxxxxxxxxxx > > Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter > > > > Win32_Group is not actually exposing membership; when you run that WQL > > statement you are actually only verifying that the group exists. > > > > Just use security filtering if you want to limit the application of > > entire GPO based on groups, OR you can also use the new item-level > > targeting in the GPP extensions to limit the application of specific > > settings in the same policy. > > > > Jamie Nelson | Systems Engineer | Systems Support, Information > > Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax > > 405.553.5687 | http://www.integrisok.com > > > > -----Original Message----- > > From: jfvanmeter@xxxxxxxxxxx [mailto:jfvanmeter@xxxxxxxxxxx] > > Sent: Friday, May 23, 2008 2:07 AM > > To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx > > Cc: Nelson, Jamie R > > Subject: Re: [gptalk] Re: Select statement calling Win32_Group in a WMI > > FIlter > > > > just trying to learn something > > > > --JOhn > > > > -------------- Original message ---------------------- > > From: "Nelson, Jamie R" <Jamie.Nelson@xxxxxxxxxxxxxxxxxxx> > > > Is there a particular reason you're not using Security Filtering? > > > > > > Jamie Nelson | Systems Engineer | Systems Support, Information > > > Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax > > > 405.553.5687 | http://www.integrisok.com > > > > > > -----Original Message----- > > > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] > > > On Behalf Of jfvanmeter@xxxxxxxxxxx > > > Sent: Thursday, May 22, 2008 12:14 PM > > > To: gpotalk > > > Subject: [gptalk] Select statement calling Win32_Group in a WMI FIlter > > > > > > Hello everyone, I'm trying to write a wmi filter that will apply group > > > policy based on group membership. Lets say I have computer accounts > > are > > > all XP workstations in two groups Group1 and Group2 > > > > > > The following works > > > > > > select * from Win32_Group Where Domain = "Domainname" and Name = > > > "Group1" any computers that are a member of Group1 will recieve the > > > group policy that I have it linked to, any computer not a member of > > > Group1 the policy is filtered. I need the filter to use both Group1 or > > > Group2. > > > > > > I've tried to the following > > > 1 select * from Win32_Group Where Domain = "Domainname" and Name = > > > "Group1" or Name = "Group2" > > > > > > 2 select * from Win32_Group Where Domain = "Domainname" and Name = > > > "Group1" or Domain = "Domainname" and Name = "Group2" > > > > > > 3 I've tried to seperate filters together > > > select * from Win32_Group Where Domain = "Domainname" and Name = > > > "Group1" > > > select * from Win32_Group Where Domain = "Domainname" and Name = > > > "Group2" > > > > > > With any of the above 3 GPResults shows the policy being filter when I > > > try to add the second group. If someone could point me in the right > > > direction that would be great. > > > > > > Take Care and Have Fun --John > > > *********************** > > > You can unsubscribe from gptalk by sending email to > > > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field > > OR > > > by logging into the freelists.org Web interface. Archives for the list > > > are available at //www.freelists.org/archives/gptalk/ > > > ************************ > > > > > > > > > This e-mail may contain identifiable health information that is > > subject to > > > protection under state and federal law. This information is intended > > to be for > > > the use of the individual named above. If you are not the intended > > recipient, be > > > aware that any disclosure, copying, distribution or use of the > > contents of this > > > information is prohibited and may be punishable by law. If you have > > received > > > this electronic transmission in error, please notify us immediately by > > > > > electronic mail (reply). > > > *********************** > > > You can unsubscribe from gptalk by sending email to > > gptalk-request@xxxxxxxxxxxxx > > > with 'unsubscribe' in the Subject field OR by logging into the > > freelists.org Web > > > interface. Archives for the list are available at > > > //www.freelists.org/archives/gptalk/ > > > ************************ > > > > > > > > This e-mail may contain identifiable health information that is subject to > > protection under state and federal law. This information is intended to be > > for the use of the individual named above. If you are not the intended > > recipient, be aware that any disclosure, copying, distribution or use of > the > > contents of this information is prohibited and may be punishable by law. > If > > you have received this electronic transmission in error, please notify us > > immediately by electronic mail (reply). > > *********************** > > You can unsubscribe from gptalk by sending email to > > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by > > logging into the freelists.org Web interface. Archives for the list are > > available at //www.freelists.org/archives/gptalk/ > > ************************ > > > > *********************** > > You can unsubscribe from gptalk by sending email to > gptalk-request@xxxxxxxxxxxxx > > with 'unsubscribe' in the Subject field OR by logging into the > freelists.org Web > > interface. Archives for the list are available at > > //www.freelists.org/archives/gptalk/ > > ************************ > > *********************** > You can unsubscribe from gptalk by sending email to > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by > logging into the freelists.org Web interface. Archives for the list are > available at //www.freelists.org/archives/gptalk/ > ************************ > > *********************** > You can unsubscribe from gptalk by sending email to > gptalk-request@xxxxxxxxxxxxx > with 'unsubscribe' in the Subject field OR by logging into the freelists.org > Web > interface. Archives for the list are available at > //www.freelists.org/archives/gptalk/ > ************************ *********************** You can unsubscribe from gptalk by sending email to gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by logging into the freelists.org Web interface. Archives for the list are available at //www.freelists.org/archives/gptalk/ ************************