Whether you create a new policy or you have an existing GPO, you can always create or link an existing WMI filter to that policy. A WMI filter, as the word “filter” indicates, is a constraint applied to a system or a group of systems/users in an Organizational Unit OU or at the domain level to select objects according to the criteria in the filter.

For example, you may want to apply certain settings to all your servers on the domain level without having your workstations to apply those settings. One very simple example is the Windows Updates settings. You may want to configure all your servers to check for new updates from your WSUS, and download these updates locally but do not install them until an administrator connects to that computer and manually install them. On the other hand, you may want to configure all your workstations to automatically download and install the updates from WSUS.

AD

Instead of creating a GPO and link it to the various OUs that contain your servers, and another GPO for clients and link it to many OUs, you can simply create two distinct GPOs, one for servers “download but not install patches”, and one for workstations “download and install patches”. The you should create two distinct filters. One filter is applied to the servers GPO that selects only the “server” operating systems, and the other is applied to the “workstations” operating systems.

You should be familiar with WMI in order understand and to successfully create and apply your WMI filter. The Win32_ComputerSystem Class on MSDN http://msdn.microsoft.com/en-us/library/aa394102(VS.85).aspx contains all the information we need to create the WMI filter. We need the following table In particular:

Value decimal (hexadecimal) Meaning
0 (0×0) Standalone workstation
1 (0×1) Member workstation
2 (0×2) Standalone server
3 (0×3) Member server
4 (0×4) Backup Domain Controller
5 (0×5) Primary Domain Controller

Now let us create the WMI filter for our domain workstation: Open Group Policy Management Console, navigate to WMI Filters, right-click and select New Filter… Give the WMI filter a clear and meaningful name like the following screenshot. Then click Add button to add the filter

image

Paste the following command filter:

Select * from Win32_ComputerSystem where DomainRole=0 or DomainRole=1

image

Click OK then Save. This filter will select any computer that has either 0 or 1 as a value of the DomainRole, thus our GPO will only apply to workstations. We need to apply this filter to a GPO. Navigate and select any GPO of your choice (the WSUS for example), on the SCOPE tab, on the bottom of the page, under WMI filtering, select your WMI filter from the combo box. This will link the WMI filter to your policy. You can then link your polity to any OU of your choice!

To create a WMI filter that selects all your servers instead, you have to change the filter so it looks like this:

Select * from Win32_ComputerSystem where DomainRole<>0 AND DomainRole<>1

Please note that Windows 2000 is NOT WMI-aware and thus it will still read and apply the group policy no matter what filter you apply!