[gptalk] Re: Select statement calling Win32_Group in a WMI FIlter

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 23 May 2008 09:33:59 -0700

Well, I'm looking at a system here and looking at what Win32_Group is and what it
contains. It does not evaluate based on group membership at all. I think
what you are seeing is something different. For example, changing a
workstation's group membership would not affect GP processing just through a
gpupdate /force because a workstation's security token is not updated except
on reboot. So in any case the workstation would not register its new group
membership just through a gpupdate operation. 


Darren
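
The point made in the replies in this thread, as an added example that is not part of any poster's message: the Win32_Group query is true whenever the named group exists, so it has to be compared with the computer account's real membership, and the group targeting itself belongs in security filtering. Domainname, Group1 and Group2 are the placeholders from the original question quoted below; the GPO name 'Workstation Policy' is hypothetical, and the ActiveDirectory and GroupPolicy PowerShell modules (RSAT) are assumed to be installed.

```powershell
# Added example. Domainname/Group1/Group2 are the thread's placeholders;
# 'Workstation Policy' is a hypothetical GPO name.
$domain = 'Domainname'
$groups = 'Group1', 'Group2'
$gpo    = 'Workstation Policy'

# 1. What the WMI filter evaluates on the workstation: does a group with
#    one of these names exist? Membership is never consulted.
$clause = ($groups | ForEach-Object { "Name = '$_'" }) -join ' OR '
$wql    = "SELECT * FROM Win32_Group WHERE Domain = '$domain' AND ($clause)"
$filterPasses = @(Get-CimInstance -Query $wql).Count -gt 0

# 2. What was intended: is this computer account a direct member of
#    either group? (ActiveDirectory module; nested groups are not expanded.)
Import-Module ActiveDirectory
$memberOf = Get-ADComputer -Identity $env:COMPUTERNAME |
    Get-ADPrincipalGroupMembership |
    Select-Object -ExpandProperty Name
$isMember = @($memberOf | Where-Object { $groups -contains $_ }).Count -gt 0

# WmiFilterPasses = True with MemberOfTargetGroup = False is the mismatch
# described in the thread: the filter only proves the group exists.
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    WmiFilterPasses     = $filterPasses
    MemberOfTargetGroup = $isMember
}

# 3. Security filtering instead (run once by a GPO administrator, not on
#    each workstation): grant Apply to both groups, then reduce
#    Authenticated Users from Apply to Read so only the groups apply it.
Import-Module GroupPolicy
foreach ($g in $groups) {
    Set-GPPermission -Name $gpo -TargetName $g -TargetType Group `
        -PermissionLevel GpoApply
}
Set-GPPermission -Name $gpo -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# Review the resulting delegation on the GPO.
Get-GPPermission -Name $gpo -All
```

As the reply above notes, a workstation's security token is only rebuilt on reboot, so a membership change made in step 3's groups is not seen by gpupdate /force alone.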

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of jfvanmeter@xxxxxxxxxxx
Sent: Friday, May 23, 2008 9:30 AM
To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
Cc: Darren Mar-Elia
Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter

From what I've seen, if I remove the workstation from the group and run
gpupdate /force on the workstation, the GP is filtered out; if I put the
workstation back and run gpupdate /force, it's applied.

 I'm not sure why it works after trying the select statement I thought I was
going to have to define something like

select * from WIn32_Group Where Domain = "domainname" and User ' =
"joe.camel", my thought is that 

I already have the groups set up and I've used them in the past to steer
group policy, and the odds are I'm going to do that again. I just wanted to
try something and learn a little along the way ;)

--John


 -------------- Original message ----------------------
From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
> I think I see the issue here John. The query you have created is simply
> asking, "is there a group with a domain part of x and a name part of y".
> Win32_Group returns all groups found by the workstation that is in a domain,
> including local workstation groups and domain groups. It does not
> differentiate based on which groups that workstation is a member of, so the
> "True" you are getting is simply telling you that the group exists, not that
> the workstation is a member of it.
> 
> There are WMI "Association" classes like Win32_GroupUser that enumerate all
> of the members of all groups in the domain but I don't think this is going
> to be a very efficient way to do group filtering, and frankly I am not sure
> how you can form a select query on an Association class like this. I think
> this particular problem is not going to be solved via WMI Filtering.
> 
> Darren
> 
> 
> -----Original Message-----
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Nelson, Jamie R
> Sent: Friday, May 23, 2008 7:49 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Select statement calling Win32_Group in a WMI FIlter
> 
> Win32_Group is not actually exposing membership; when you run that WQL
> statement you are actually only verifying that the group exists.
> 
> Just use security filtering if you want to limit the application of
> entire GPO based on groups, OR you can also use the new item-level
> targeting in the GPP extensions to limit the application of specific
> settings in the same policy.
> 
> Jamie Nelson | Systems Engineer | Systems Support, Information
> Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
> 405.553.5687 | http://www.integrisok.com
> 
> -----Original Message-----
> From: jfvanmeter@xxxxxxxxxxx [mailto:jfvanmeter@xxxxxxxxxxx] 
> Sent: Friday, May 23, 2008 2:07 AM
> To: gptalk@xxxxxxxxxxxxx; gptalk@xxxxxxxxxxxxx
> Cc: Nelson, Jamie R
> Subject: Re: [gptalk] Re: Select statement calling Win32_Group in a WMI
> FIlter
> 
> just trying to learn something
> 
> --JOhn
> 
>  -------------- Original message ----------------------
> From: "Nelson, Jamie R" <Jamie.Nelson@xxxxxxxxxxxxxxxxxxx>
> > Is there a particular reason you're not using Security Filtering?
> > 
> > Jamie Nelson | Systems Engineer | Systems Support, Information
> > Technology | I N T E G R I S Health | Phone 405.552.0903 | Fax
> > 405.553.5687 | http://www.integrisok.com
> > 
> > -----Original Message-----
> > From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
> > On Behalf Of jfvanmeter@xxxxxxxxxxx
> > Sent: Thursday, May 22, 2008 12:14 PM
> > To: gpotalk
> > Subject: [gptalk] Select statement calling Win32_Group in a WMI FIlter
> > 
> > Hello everyone, I'm trying to write a WMI filter that will apply group
> > policy based on group membership. Let's say I have computer accounts that
> > are all XP workstations in two groups, Group1 and Group2.
> > 
> > The following works
> > 
> > select * from Win32_Group Where Domain = "Domainname" and Name =
> > "Group1" any computers that are a member of Group1 will receive the
> > group policy that I have it linked to, any computer not a member of
> > Group1 the policy is filtered. I need the filter to use both Group1 or
> > Group2.
> > 
> > I've tried the following
> > 1 select * from Win32_Group Where Domain = "Domainname" and Name =
> > "Group1" or Name = "Group2"
> > 
> > 2 select * from Win32_Group Where Domain = "Domainname" and Name =
> > "Group1"  or Domain = "Domainname" and Name = "Group2"
> > 
> > 3 I've tried two separate filters together
> > select * from Win32_Group Where Domain = "Domainname" and Name =
> > "Group1"
> > select * from Win32_Group Where Domain = "Domainname" and Name =
> > "Group2"
> > 
> > With any of the above 3, GPResult shows the policy being filtered when I
> > try to add the second group. If someone could point me in the right
> > direction that would be great.
> > 
> > Take Care and Have Fun --John
> > ***********************
> > You can unsubscribe from gptalk by sending email to
> > gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR
> > by logging into the freelists.org Web interface. Archives for the list
> > are available at //www.freelists.org/archives/gptalk/
> > ************************
> > 
> > 
> > This e-mail may contain identifiable health information that is subject
> > to protection under state and federal law. This information is intended
> > to be for the use of the individual named above. If you are not the
> > intended recipient, be aware that any disclosure, copying, distribution
> > or use of the contents of this information is prohibited and may be
> > punishable by law. If you have received this electronic transmission in
> > error, please notify us immediately by electronic mail (reply).