Re: WMI filtering question
- From: "Darren Mar-Elia \(MVP\)" <dmanonymous@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 20 Apr 2006 10:49:24 -0700
Any systems below XP and Server 2003 (basically Win2K) will just ignore the
WMI filters and just apply the policy. So if you want to explicitly exclude
Win2K systems, you'll need to do that using either security filtering by
computer group (e.g. Deny Apply GP right to a computer group containing all
Win2K systems) or by linking the GPO to containers that do not contain Win2K
systems. You should be ok with the 2003 boxes. They will evalute the WMI
filter as false and not apply the GPO.
--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
Check out http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
And, the Windows Group Policy Guide is out from Microsoft Press!!! Check it
out at http://www.microsoft.com/mspress/books/8763.asp
GPOGUY Blog: http://blogs.dirteam.com/blogs/gpoguy
"Brian L." <699df88b-2059788708@xxxxxxxxxxxxxx> wrote in message
news:O161S1JZGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Excellent, thanks for the answers, Darren and Roger.
I guess the question then is - if I remove the user group from security
filtering (since it's not effective), will the WMI filter do what I want
and only affect XP desktops? I know that not all operating systems
understand WMI filters. We have some Windows 2000 servers, a Windows 2000
workstation or two, and a bunch of Windows 2003 Servers. It would be a Bad
Thing to have automatic updates affect my servers :)
If WMI filters won't absolutely exclude server-class operating systems, do
you have any other ideas? I suppose I could move the desktop computers to
their own OU. We are primarily using the default OU configuration of AD -
the Users and Computers containers.
"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:eOD0QRJZGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
"Darren Mar-Elia (MVP)" <dmanonymous@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:uLeT48IZGHA.3704@xxxxxxxxxxxxxxxxxxxxxxx
Brian-
If the setting you are creating in the GPO is under Computer
Configuration, then your user-based security group filtering is just
going to be ignored, because its computer that are processing that
setting, not users. This is irrespective of the WMI filter, which by the
way, will apply.
And to add a little more, since by what was said there is no grant
in the security filterig for computers to read/apply the computers
in the subject OU will not process the GPO for computer settings.
Roger
Check out http://www.gpoguy.com -- The Windows Group Policy Information
Hub:
FAQs, Whitepapers and Utilities for all things Group Policy-related
And, the Windows Group Policy Guide is out from Microsoft Press!!! Check
it out at http://www.microsoft.com/mspress/books/8763.asp
GPOGUY Blog: http://blogs.dirteam.com/blogs/gpoguy
"Brian L." <699df88b-2059788708@xxxxxxxxxxxxxx> wrote in message
news:%23521x6IZGHA.3424@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,
I'm hoping someone here has an answer I've been unable to find so far.
In a nutshell (if you don't want to read the background info!) I want
to know whether a WMI filter to determine whether a computer is running
Windows XP will work when the GPO's security is filtered by a group
containing users?
Now the long details for those interested :
I've got a GPO which sets up computers to point to our WSUS server for
automatic updates. At first we had individual computers in a security
group, and the security filtering for the GPO was set to apply only to
that group. It was a lot of work, making sure the right computers were
in the group, since it was a manual process. I wanted to use WMI at the
time, but in order for it to work right we needed XP SP2 on the
desktops (our machines were SP1).
Now all of our desktop machines run XP SP2, so WMI is an option. I went
into the GPO for WSUS settings, and changed the security filtering
group to one that contained the corresponding user accounts rather than
their computers. The benefit is that if one user has two computers, the
GPO still applies. However, I need to make sure that the GPO is only
applied to XP desktops (i.e. not Windows Server 2003 machines). I
created a WMI filter for this purpose:
Select * from Win32_OperatingSystem where Caption = "Microsoft Windows
XP Professional"
So here's my question - this filter is one that is based on a computer,
not a user (that is, XP is a property the computer has, not the user).
My GPO defines computer-based settings for WSUS, not user-based
settings. But the GPO is filtered by a group containing user accounts.
Is this an OK configuration? I'm not sure whether the WMI filter will
work the way I want it to. If anyone has any input or suggestions let
me know! Thanks.
.
- Follow-Ups:
- Re: WMI filtering question
- From: Brian L.
- Re: WMI filtering question
- References:
- WMI filtering question
- From: Brian L.
- Re: WMI filtering question
- From: Darren Mar-Elia \(MVP\)
- Re: WMI filtering question
- From: Roger Abell [MVP]
- Re: WMI filtering question
- From: Brian L.
- WMI filtering question
- Prev by Date: Re: WMI filtering question
- Next by Date: Re: WMI filtering question
- Previous by thread: Re: WMI filtering question
- Next by thread: Re: WMI filtering question
- Index(es):
Relevant Pages
|
