Sometimes you need to apply a group policy to an OU but prevent that same policy from applying to certain machines in the OU. Rather than creating child OUs, you could use a WMI filter. Note however that there are performance penalties…
For instance, you might need to apply a group policy which installs the 64 bit version of the Windows Management Framework to the PCs OU. This will be fine for most PCs in that OU, but maybe there are some older 32 bit Windows 7 PCs in the OU which would cause the 64 bit installer to fail.
Create a filter
You can create a WMI filter which targets only the 64 bit version of Windows 7 or 8 and ensure the installer doesn’t attempt to run on the other machines.
Open the Group Policy Management console, scroll down the tree view on the left hand side then right-click on WMI filters and select New. Enter a name and optional description, then add a query to define the machines to target.
For this example, we want to target Windows 7 or 8 PCs which are 64 bit, so we can use this query:
select Version from Win32_OperatingSystem WHERE (Version like "6.1%" OR Version like "6.2%" OR Version like "6.3%") AND ProductType="1" AND OSArchitecture = "64-bit"
Not sure which version numbers to use?
Microsoft have some examples in their Group Policy Deployment guide:
WMI Filter Name | WQL Query Statement |
---|---|
Windows Server 2012 | select * from Win32_OperatingSystem where Version like “6.2%” and ProductType = “3” |
Windows 8 | select * from Win32_OperatingSystem where Version like “6.2%” and ProductType = “1” |
Windows Server 2008 R2 | select * from Win32_OperatingSystem where Version like “6.1%” and ProductType = “3” |
Windows 7 | select * from Win32_OperatingSystem where Version like “6.1%” and ProductType = “1” |
You can see from the above that Windows Server 2012 and Windows 8 both have version numbers that begin with 6.2. ProductType lets us narrow down further:
- 1 for client versions of Windows such as Windows 8
- 2 for server versions which are domain controllers
- 3 for server versions that are not domain controllers
You can also open a command prompt and type ver to see the version of Windows on the PC you’re using:
C:\users\admin> ver
Microsoft Windows [Version 10.0.17763.557]
Applying the filter
Performance penalties
According to Microsoft: “We recommend that you use WMI filters primarily for exception management. They can provide a powerful solution for targeting GPOs to specific users and computers, but because WMI filters are evaluated every time Group Policy is processed, they increase startup and logon time. Also, there is no time-out for WMI filters. Therefore, you should use them only when necessary.”