WMI Filtering of GPOs

WMI (Windows Management Instrumentation) filtering was first introduced in Windows Server 2003 and Windows XP. Unlike security group filtering, which requires you to place users and computers in groups to control Group Policy application, WMI filtering relies on the WMI framework built into Windows since Windows XP to dynamically filter Group Policy application based on the hardware and software configuration of the computer and user being targeted.

WMI filtering requires knowledge of the WMI Query Language (WQL). Within Active Directory—and using the GPMC—you create WMI filters that contain a WQL statement. That statement might ask questions such as, “Is the system processing this policy running Windows XP, Service Pack 2? Is it running Windows Vista? Is it running Windows Vista Business edition?” Once you create one of these filters, you can link it to a GPO—again using the GPMC.

Once you have done that, the computer or user processing that GPO will evaluate the WQL statement and, if the statement returns true, the GPO is processed. If the statement returns false, the GPO is not processed. Using WMI filters in this way, you can filter Group Policy processing based on the hardware or software installed on a computer.

One thing to keep in mind about WMI filters is that some queries can cause performance problems during Group Policy processing. For example, a query that evaluates Active Directory group membership could take a long time to process in a large Active Directory environment and could slow Group Policy processing significantly while the query is evaluated.
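
The questions above can be checked on a test machine before a filter is linked to a GPO. The following is an added example, not part of the original page: it runs three candidate WQL statements locally and reports whether each would pass and how long it took. The helper name `Test-WmiFilterQuery` and the filter labels are hypothetical, and the queries assume the `Win32_OperatingSystem` class in the `root\CIMv2` namespace.

```powershell
# Added example: evaluate candidate WMI-filter queries locally and time them.
# A query that returns at least one instance is treated as "true" (GPO applies).

# Candidate filters matching the questions asked in the text (labels are illustrative).
$Filters = [ordered]@{
    # Windows XP reports version 5.1; ServicePackMajorVersion holds the SP level.
    'Windows XP SP2'         = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.1%" AND ServicePackMajorVersion = 2'
    # Version 6.0 is shared by Vista and Server 2008; ProductType = 1 means workstation.
    'Windows Vista'          = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND ProductType = 1'
    # OperatingSystemSKU 6 is the Business edition (property exists on Vista and later).
    'Windows Vista Business' = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.0%" AND OperatingSystemSKU = 6'
}

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\CIMv2'
    )
    $timer  = [System.Diagnostics.Stopwatch]::StartNew()
    $rows   = @()
    $failed = $null
    try {
        $rows = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
    }
    catch {
        # Invalid WQL or a property missing on this OS: this helper reports it as not passing.
        $failed = $_.Exception.Message
    }
    $timer.Stop()

    [pscustomobject]@{
        Filter    = $Name
        Passes    = ($rows.Count -gt 0)
        ElapsedMs = [math]::Round($timer.Elapsed.TotalMilliseconds, 1)
        Error     = $failed
    }
}

# Run every candidate and list the slowest first, since slow queries delay policy processing.
$Filters.GetEnumerator() |
    ForEach-Object { Test-WmiFilterQuery -Name $_.Key -Query $_.Value } |
    Sort-Object ElapsedMs -Descending |
    Format-Table -AutoSize
```

On a machine that matches none of these operating systems, every row shows `Passes` as `False`; the `ElapsedMs` column is the value to watch when comparing a cheap operating system check against a more expensive query.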