Windows Server 2008 and Windows Vista : Altering Default GPO Processing and Inheritance (part 2) - Security Filtering, WMI Filters, Group Policy Preferences

9/19/2012 6:49:38 PM

Security Filtering

Security filtering is modification of the security permissions on the GPO itself. To receive the settings in a GPO, an object must have both the Read and Apply Group Policy permissions. You configure the permissions to establish security filtering per GPO in the details pane after you have selected the GPO in the Group Policy Management Console (GPMC). To access this security permission list box, follow these steps:

Select the GPO under the Group Policy Objects node in the GPMC.

In the details pane, select the Scope tab.

To add a user or group to the security permission list, click Add in the Security Filtering section. To remove a user or group from the security permission list, click Remove in the Security Filtering section.


The inclusion of a user account or group account in the Security Filtering section does not mean that a user or computer will receive the settings in the GPO. An object must be both in the scope of management of a GPO and included in the Security Filtering list. 

How It Works: Detailed Security Permissions on a GPO

When a user or group is configured with permission in the Security Filtering section of the Scope tab of a GPO, two permissions are actually configured for that object—Read and Apply Group Policy. To see this level of permission, you must use the Advanced permissions view of the GPO. To access the Advanced permissions view, click the Delegation tab, and then click Advanced, which displays the Security Settings dialog box, as shown in Figure 5. Notice that the Authenticated Users group has both permissions; this is the default setting for all GPOs.

Figure 5. The Security Settings dialog box for a GPO displays the detailed permissions configured for security filtering and delegations.

WMI Filters

Windows Management Instrumentation (WMI) is a management technology that can query a computer to determine one or many attributes of the computer. For example, a WMI query can be created to determine the operating system of a computer or the hard disk space available on a computer hard drive.

A WMI filter consists of one or more queries and is associated with a GPO. The query returns either true or false. If the query returns true, the settings in the GPO where the WMI filter is linked will be applied. If the query returns false, the settings will not apply.


WMI filters are not supported on operating systems earlier than Windows XP.

To configure a WMI filter, you must understand WMI query language. If you want to learn more about WMI query language, refer to the Windows Management Instrumentation Web site at and the WMI Classes page at

To create a WMI filter and link it to a GPO, follow these steps:

In the GPMC, expand the domain name node to expose the WMI Filters node.

Right-click the WMI Filter node, and then click New. The New WMI Filter dialog box appears.

Type a name in the Name box and a description in the Description box for the filter, and then click Add. The WMI Query dialog box appears.

In the WMI Query dialog box, ensure that the namespace is root\CIMv2.

Enter the WMI query in the Query box, and then click OK. Here is an example:

Select * from Win32_LogicalDisk where FreeSpace > 104857600 AND Caption = "C:"


Click Save to save the filter and close the New WMI Filter dialog box.

In the GPMC, click the GPO to which you want to link the WMI filter.

Select the Scope tab in the details pane.

From the drop-down list in the WMI Filtering section, click the WMI filter that you just created, as shown previously in Figure 6.

Figure 6. WMI Filters are linked to GPOs in the GPMC on the Scope tab in the WMI Filtering section.

A Group Policy Management dialog box appears asking if you want to change the WMI filter to the WMI you have selected. Click Yes.

Group Policy Preferences

The only option that can alter default GPO processing at the GPO setting level is related to Group Policy Preferences settings. The technology that makes this possible is item-level targeting. Item-level targeting allows for one or more decision criteria to be configured to ensure that the settings apply to the correct computers and users. There are over 25 item-level targeting criteria, as shown in Figure 7.

Figure 7. Group Policy Preferences provide item-level targeting to ensure that GPO settings apply to the correct users and computers.

  •  Windows Server 2008 and Windows Vista : Group Policy Processing - Version Checking During Updates
  •  Windows 7 : Syncing with Network Files (part 2) - Dealing with Conflict
  •  Windows 7 : Syncing with Network Files (part 1) - Using Sync Center, Settings for offline files
  •  Windows Vista : Deploying Applications - Choosing a Deployment Strategy
  •  Windows Vista : Deploying Applications - Planning Deployment
  •  Windows Server 2003 : Active Directory - Understanding Directory Replication (part 3) - Spanning Trees and Site Links
  •  Windows Server 2003 : Active Directory - Understanding Directory Replication (part 2) - Update Sequence Numbers
  •  Windows Server 2003 : Active Directory - Understanding Directory Replication (part 1) - Time Synchronization, Replication Topologies, Handling Update Conflicts
  •  Windows Server 2003 : Active Directory - Understanding Operations Master Roles
  •  Windows Vista : Customizing Windows PE Boot Images (part 3) - Working with OSCDImg, Working with vLite
    Video tutorials
    - How To Install Windows 8

    - How To Install Windows Server 2012

    - How To Install Windows Server 2012 On VirtualBox

    - How To Disable Windows 8 Metro UI

    - How To Install Windows Store Apps From Windows 8 Classic Desktop

    - How To Disable Windows Update in Windows 8

    - How To Disable Windows 8 Metro UI

    - How To Add Widgets To Windows 8 Lock Screen

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010
    programming4us programming4us