Apply GPO based on installed Server Feature (WMI Filtering)

Today I came across a server that had been placed in a sub-OU by a colleague simply for the purposes of applying a GPO to it. The GPO in question was configured to make some changes to the BranchCache feature.

If the policy needs to apply to a subset of all servers in an OU, it would be cleaner to apply a WMI filter to the GPO itself rather than limiting the scope of the GPO by explicit security filtering.

Here’s what I did to clean it up:

  1. Created a WMI filter in GPMC:
    SELECT * FROM Win32_ServerFeature WHERE Name like ‘branchcache%’
  2. Applied the filter to the GPO in question
  3. Applied the GPO to the OU where the server originally lived
  4. Moved the server back to the original OU

This same strategy could be used to apply a policy to all IIS servers, all file servers, etc. The possibilities are practically limitless.

You could even filter on something like Win32_Product to apply a specific GPO to Exchange servers, for example.

SELECT * FROM Win32_Product WHERE name = 'microsoft exchange server'

Don’t use Win32_Product. It’s not a good idea, and even Microsoft warn against using it.

2 thoughts on “Apply GPO based on installed Server Feature (WMI Filtering)

    • Hi Jeremy,

      I normally use the single quotes in PowerShell to test WMI queries, so left them as-is:
      Get-WmiObject Win32_ServerFeature -Filter "name like 'branchcache%'"

      I verified on two different servers with gpresult that the filter does work correctly with the single quotes.

      Good point about the single %, as it’s something people need to be aware of, however I did it on purpose. I’m looking for features that begin with the string “branchcache”, not for ones that contain “branchcache” anywhere within the name.

      On Server 2008 R2, the feature names are:
      1. BranchCache
      2. BranchCache for network files

      Regards,
      Daniel

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s