During the development work we’ve been doing with Windows 7, one of the items we’ve been looking at is how we can filter the group policy applied to User Accounts by the operating system they are using.
The reason for this is that for a phased migration to Windows 7, you will probably need to account for people roaming between different computers – which may or may not have been migrated. As the configuration applied to Windows 7 may be very different to that applied to older Windows XP computers we need a way of linking both sets of policy to the user accounts, but only applying the right one for the current OS.
If you have all of your user accounts in a single OU (or OU hierarchy) this is relatively straightforward. The simple answer is to use Group Policy WMI filters. These allow you to filter the application of Group Policy based on the results of WMI queries you make of the computer. Another good use of these is to detect whether a computer is a laptop or a desktop: by querying the battery status you can easily set different configurations for things like Offline Folders on laptops.
After a bit of testing I found the following queries work for filtering policy to different OS levels, and computer roles:
Select * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"
To further filter policies based on versions and roles the following properties can be used:
Version
To filter by OS version, change the Version property to:
Windows 7 or Server 2008 R2 = "6.1%"
Windows Vista or Server 2008 = "6.0%"
Windows XP = "5.2%"
Windows 2000 = "5.0%"
Product Type
To filter by the different roles the computer might have, change the ProductType property to:
Client = "1"
Server running a Domain Controller role = "2"
Member server (server that’s not a DC) = "3"
The % character in the above queries is a wildcard for any characters that follow, so you could use Version like "6%" to filter for OSes which are Vista and later.
To create the filters, you use the Group Policy Management Console (GPMC). In the WMI Filters section in the right hand pane, right-click and select New. Give the filter a name and description, click Add, then enter the filter into the Query box. Then click OK and Save.
To apply the filter to a policy, select the policy in the right hand pane, then on the Scope tab under WMI Filtering select your filter.
There are a few limitations: you can only apply one filter per policy (but you can have more than one query per filter), and the queries are a property of the policy, not the link. Overall, though, they’re a very powerful tool.
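Before attaching a filter to a policy, you can check what its queries return on a test machine. The script below is an added example, not part of the original post: it evaluates each query locally and treats a filter as passing only when every one of its queries returns at least one instance. The function name, the filter names and the Win32_Battery query are assumptions made for illustration; it uses Get-WmiObject, so it needs Windows PowerShell.

```powershell
# Added example: evaluate WMI filter queries on the local machine.
# A query is "true" when it returns at least one instance; a filter with
# several queries is "true" only when all of its queries are true.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory = $true)][string]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    try {
        $hits = @(Get-WmiObject -Namespace $Namespace -Query $Query -ErrorAction Stop)
        return ($hits.Count -gt 0)
    }
    catch {
        # A query that cannot be parsed or run never matches; report it and return false.
        Write-Warning "Query failed: $Query ($($_.Exception.Message))"
        return $false
    }
}

# Filter names are hypothetical. The OS queries use the values from the post;
# the Win32_Battery query is an assumed way to detect a laptop.
$filters = @(
    @{ Name    = 'Windows 7 clients'
       Queries = @('select Version, ProductType from Win32_OperatingSystem where Version like "6.1%" and ProductType = "1"') },
    @{ Name    = 'Vista or later clients'
       Queries = @('select Version, ProductType from Win32_OperatingSystem where Version like "6%" and ProductType = "1"') },
    @{ Name    = 'Windows 7 laptops'
       Queries = @('select Version, ProductType from Win32_OperatingSystem where Version like "6.1%" and ProductType = "1"',
                   'select Name from Win32_Battery') }
)

foreach ($filter in $filters) {
    # Evaluate every query so that a failing one is always reported.
    $results = @($filter.Queries | ForEach-Object { Test-WmiFilterQuery -Query $_ })
    $applies = -not ($results -contains $false)
    New-Object PSObject -Property @{ Filter = $filter.Name; Applies = $applies } |
        Select-Object Filter, Applies
}
```

Run it on one machine of each type you expect to roam between (for example a migrated client, an unmigrated client and a server) and compare the Applies column with the policies you intend each to receive.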
Just wanted to let you know I read your post and that I appreciate the time you took to write it up. An idea I was thinking about to accomplish the same thing was using loopback policy processing and linking the user policies to an OU I’ve got set up for my Win7 machines. Just wondering what you thought and if you’d already tried this in your travels?
Hi Ben,
That would certainly work, though all your user configuration would then be applied via the computer objects, to some extent you’d lose the benefits of being able to use and filter user based policy. Using the WMI filters you can still have different XP and 7 policies but have the user accounts in the same OU.
T
Hi, excellent post there. Keep it up. I frankly like to read your blog. Last of all, have a good day.
I’m curious, is it more efficient to say:
SELECT Version, ProductType from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"
instead of
SELECT * from Win32_OperatingSystem Where Version like "6.1%" and ProductType = "1"
Or, are they both pretty much the same in terms of delay?
Thanks.
Select * is much more ‘expensive’ than select Version, ProductType. You should prefer
SELECT Version, ProductType.
Windows XP is "5.1%", Windows Server 2003 is "5.2%"!
see http://technet.microsoft.com/en-us/library/cc754488(WS.10).aspx
Thanks for posting this, we are just starting to roll out Windows 7 and it was a pain adding each Windows 7 user to an AD group just so that the Windows 7 GPOs would only apply to them.
Point of interest, in case someone who isn’t an expert at WMI (such as myself) finds this otherwise excellent post and wants to use it to create a WMI filter. “Select” and “Where” should not be capitalized. I tried copy/pasting from this blog entry and it would never properly save the WMI query. Server 2008 would crash the GPMC and Server 2003 just gave me a syntax error trying to parse the WMI query and wouldn’t allow it to save. I did some further research and came upon an MS TechNet article on creating WMI queries and the only difference between their example and yours was the lack of capitalization on those two words, yet theirs saved fine when I tried creating the query.