When deploying Group Policies in a Windows environment, often you may have different GPOs for different versions of the operating systems. With the recent release of Windows 8 and Windows Server 2012, it’s likely you will have new GPOs just for these operating systems. You could build out new OUs for the each OS type, but that can get messy rather quickly.
My personal preference for most cases is to use WMI filtering to limit which operating systems a GPO applies to. This way you can dump all your member servers in one OU, and filter GPOs based on OS type.
To create a WMI filter, first you need to open the GPMC and locate the WMI Filters node. Start the new WMI filter creation wizard, and enter a name of your WMI filter. I always put the OS type, so it’s clear what OS the filter is for.
Now you need to add the actual WMI filter by clicking on the Add button. Next up is the tricky part! You need to type in or paste the WMI query for your operating system type. There are several ways to do this, but I like using the OS version number, since that is independent of the OS flavor (enterprise, datacenter, professional, etc.). See the bottom of my post for all the OS WMI queries you can choose from.
After you have created the WMI filter, you now need to configure one or more GPOs to use the filter. At the bottom of the Scope tab on any GPO you will see the WMI Filtering option. From the drop down select the appropriate WMI filter.
And that’s all there is to it! You can create more complex WMI queries, that could cover multiple operating systems, or filter on almost any other computer property such as memory, particular application, etc. If you can query it with WMI, then you can probably filter a GPO with it.
You can also export/import WMI Queries from the GPMC as well, if you want to easily transport them between environments. As always, test them out before applying a GPO that may hose up an OS if they get the wrong settings.
Windows XP
select * from Win32_OperatingSystem WHERE Version LIKE “5.1%”
Windows 7
select * from Win32_OperatingSystem WHERE Version LIKE “6.1%” and ProductType = “1”
Windows 8
select * from Win32_OperatingSystem WHERE Version LIKE “6.2%” and ProductType = “1”
Windows Server 2003 R2
select * from Win32_OperatingSystem WHERE Version LIKE “5.2%”
Windows Server 2008
select * from Win32_OperatingSystem WHERE Version LIKE “6.0%” AND ( ProductType = “2” or ProductType = “3” )
Windows Server 2008 R2
select * from Win32_OperatingSystem WHERE Version LIKE “6.1%” AND ( ProductType = “2” or ProductType = “3” )
Windows Server 2012
select * from Win32_OperatingSystem WHERE Version LIKE “6.2%” AND ( ProductType = “2” or ProductType = “3” )
Thanks for this. For anyone who ever finds themselves in my situation:
I have a site that has several computers that access a terminal server. I created GPOs to restrict their access to certain start menu items. However I only needed the policy applied when they remoted into the server environment, not on their local machines. I enabled WMI filtering for Server 2008 R2 and applied it to the GPOs. Now they have full access to their local start menu, but restricted once they are in their terminal server session. Awesome.