Those of you who have taken classes with me or have ever experienced the joys of using GPO’s know their power. With great power also comes great responsibility (thanks Spiderman for this pearl of wisdom) We know that you can very easily affect TOO many machines or the wrong kind of machines when linking your Group Policy objects. To help ease this we have two ways of narrowing the scope of who or what the GPO’s will apply. We can do this via Security filtering and WMI filtering.

Security filtering works very well, so don’t let me talk you out of using it. You can use things like your built in windows security groups (domain based) to help filter out who or what the object will be applied to. Remember any object needs two rights to be able to read and process a GPO. The Read right on the object as well as the Apply group policy right. Once once of the two are denied either explicitly or implicitly it won’t be applied to the AD object. As well as this works, what if we wanted to be very granular in what the policy applies to? What if I wanted to only apply this GPO to machines that have 20gb or more of free space? This is where WMI comes in

WMI stands for Windows Management instruction and can query almost anything configuration or hardware wise on the local machine. We can use the power of WMI to act as a filter to match a criteria set inside of GPO’s. “Chad, I don’t want to have to learn an entire language just for a random WMI query or two. Seriously isn’t there another way to use WMI without having to do a boatload of research??” Funny that you ask that. Microsoft has had a tool out there since 2005 called the WMI Code Creator! This handy GUI tool allows you to browse and build queries off of different parts of the WMI namespaces!

Feel free to check it out, it’s no charge!  WMI Code Creator v1.0

Also check out my Earlier post on WMI info