Microsoft has added a powerful new Group Policy Object (GPO) filtering option, called Windows Management Instrumentation (WMI) filtering, to Windows Server 2003 Active Directory (AD). You can use WMI filtering to associate a WMI query with a GPO so that the query runs for each user and computer to which the GPO applies. A WMI filter can check for any piece of WMI-based information that the client machine has permission to access on the target machine, including computer hardware and configuration, user profile, and environment settings. This new filter gives you a great way to target GPOs to certain types of clients. WMI filters contain WMI Query Language (WQL)­based queries, which the OS evaluates dynamically at computer startup or user logon. Depending on the outcome of these queries, the OS applies the GPO settings or prevents them from being applied.

You can use WMI filters for many purposes, such as detecting clients coming in over RAS or determining whether clients are running a specific service pack or hotfix. However, WMI filters have some limitations. You can't use joins within the WQL query, so you can use a query to determine the property values only of WMI objects from the same class. For example, one query can determine the OS version (a property of the Win32_OperatingSystem class) or the amount of free disk space (a property of the Win32_LogicalDisk class) but not both.

WMI filters consist of two parts separated by a semicolon. The first part is the namespace in which the class of the objects you want to query resides with those objects. The second part is the WQL-based query, the results of which you can use to determine whether to apply a particular GPO. For example, to determine whether the hotfix Q987654 has been installed on a system, you can query the WMI Win32_QuickFixEngineering class in the Root\CIMV2 namespace. A WMI filter to determine this information would look like the following:

Root\CimV2; SELECT * FROM Win32_QuickFix Engineering WHERE HotfixID = "Q987654"