So, I'm back home from a great trip to Seattle, Washington, US. The MVP Summit 2008 was a cool experience with lots of info and room for dialog with the product teams at the Microsoft Campus in Redmond.
We had some awesome talks on the future of Group Policy and I would really like to share it with you, but because of Non-Disclosure Agreements 'n' stuff I can't really say anything - yet.
Seattle is a very interesting city with a lot of great restaurants, nice architecture and friendly people. I had 2½ day to spend after the summit and even though I was missing my family Seattle took great care of me :)
Anyway, I hope to go back there next year - better prepared for jetlag (which basically means I'll travel a few days before the event next time) - but, that all depends on how much time I get to share information with you guys/girls out there... No sharing, no MVP award - that's the rule ya' know ;-)
Thanx to the GP team and the other MVPs for a great experience!
.
Written by Jakob H. Heidelberg on April 22nd, 2008 with no comments.
Read more articles on 1426 and 1429 and 1673 and 169 and 2065 and 2157 and 401 and Contributors and MVP and group policy and microsoft.
When you have the Group Policy Preference (GPP) Client Side Extensions (CSE) downloaded you’ll notice that they are not (yet) in the .MSI format - so using Group Policy Software Installation (GPSI) is not possible. Bummer, right!?
We have .EXE files for Windows XP/2003 and .MSU files for Windows Vista… But that’s not the only thing we need to think about. Before "deploying" these things to the clients on the network we need to know the OS version (XP/2003/Vista), the OS architecture (32 or 64 bit), the Service Pack Level, and whether or not the Group Policy Preference Pre-requisites (WmlLite - http://support.microsoft.com/kb/914783/en-us) are installed.
To make all this pretty easy I’ve created a "demo" script for deploying the GPP CSEs using Startup Script - or a manual launch (in admin context). My good friend Jeremy Moskowitz asked me to do this - so, a couple of hours later the "demo" - or "beta" - script is public (download below)…
Note: I haven’t been able to test in all scenarios yet, but I *think* they are all covered pretty well by now. Please report back if you find any problems - any feedback is welcome!
Download the VBS script right here!
NB! You might need other language version for the XmlLite GPP CSE Pre-requisites, so watch out!
Running the script in your production network is on your own risk. The code is delivered "As Is" - totally free of any charge. No strings attached.
I hope this works out nicely for you!
.
Written by Jakob H. Heidelberg on February 29th, 2008 with comments disabled.
Read more articles on Client Side Extensions and Jeremy Moskowitz and Windows Vista and Windows XP and download and gp preferences and group policy and group policy extensions and group policy preferences and microsoft and scripting and windows server 2003.
Welcome to "The Quest for the Holy Desktop WMI Filter”, this is a global search for what you could call "The Perfect Desktop WMI Filter". A WMI filter which, by using WMI Query Language (WQL), should be able to spot DESKTOP computers only. It should be a general query - meaning it should be possible to use the filter in most Active Directory environments around the globe for Group Policy filtering.
So, what is a desktop really? Well, actually in this case we’ll say it’s the opposite of a laptop. Hmm, then what is a laptop? Easy enough: a computer with a battery! We’ve got the WMI filter for finding laptops already:
Select * from Win32_Battery - don’t you just love the simplicity in this query?
This filter will make a computer with a battery respond back with "TRUE" (because the WMI class instance is present), meaning a GPO with this filter will apply to computers with batteries. Simple right? And you might think it’s easy to just "turn it around" to find desktops, like:
Select * From Win32_Battery Where Availability != 2
or
Select * From Win32_Battery Where Availability IS NOT NULL
or
“Where Not X Like Y” or whatever
Maybe it is, maybe it’s not… I think it’s pretty damn hard! For spotting laptops we could have tested the classes Win32_PortableBattery, Win32_PCMCIAController, Win32_POTSModem as well - but somehow I think most people will agree, that the "essential ting", which makes a laptop a laptop, is in fact the battery presence!
But, our tests for spotting DESKTOPS only (machines without a battery - yes, I know this will include servers as they a "stationary" too) have not been a success yet! We probably just need the correct syntax? And this is where you get into the picture!
Are you able to crack open this nut? There’s a cool price!
This all started on a mailing list for Group Policy guys and girls - called GPTalk - created and maintained by Group Policy guru and MVP Darren Mar-Elia - the guy behind GPOguy.com and SDM Software. You can join the list RIGHT HERE and participate in this contest to WIN a free copy of the:
BUT you have to be the first person to crack this thing, there’ll be only ONE WINNER - that could be you!
I’ll be evaluating incoming answers - FIFO: "First In First Out" method is used. Hopefully we’ll see the most simple solution first - simplicity works, right? Actually I wouldn’t know in this case would I…
One important thing! We will ask you kindly to TEST any WMI query submissions before sending them to everybody on the list. During your testing, you should use a tool to verify the WMI filter against a minimum of 2 desktops and 2 laptops. You can use the free WMI Filter Validation Tool to test you WMI filters in your environment. Personally I’m also using Scriptomatic version 2 and WBEMTEST for finding the available classes, items, queries etc.
Please have a look at the "rules" further down!
Why do this? Well, because it’s fun - and useful at the same time… When looking at it generally, the purpose of this filter is to say: "I want these user settings to apply, but only when the user logs on to stationary machines". This can be used for a lot of security related setting, eg. in the case where Automatically cached Offline Files/Folders are unwanted on stationary machines for certain users etc. The job of most WMI filters placed on User policies is to limit which machines the policy setting(s) should apply to (even though WMI filters could check for user specific things too). Besides from that it’s a nice challenge, we can pretty easily "spot" laptops, as they have batteries – and desktops don’t, but that’s not good enough for Mr. WQL, is it?!
Stuff we have tried - and the rules
We’ve been around solutions looking for Win32_SystemEnclosure > ChassisType before - which basically doesn’t work in a WMI filter because that’s an Array (and yes, I’ve also seen lots of posts on forums out there claiming that particular class is the solution – but for WMI/WQL queries it’s not). If would work in a script (because you can add additional logic to scripts), but we are searching for a WMI Filter - not workarounds of any kind!
As mentioned we tried with the Win32_Battery WMI class. However, as desktops don’t know this class at all, they’ll return FALSE no matter what. Basically a desktop computer is gonna say “Heck, I don’t know anything about that class *Panic* I’m out!” – or just “False”… Bummer!
We have also tried PowerSupplyState, Win32_DesktopMonitor, Win32_DisplayConfiguration, Win32_SystemSlot, Win32_Fan and other classes – just haven’t found the perfect “this is definitely a desktop WMI item value or class”…
We’re basically looking for something like:
A) Select * from Win32_SomeClassOnlyDesktopsHave
Or
B )Select * from Win32_SomeClass.SomeItem = “SomeValueOnlyDesktopsHave”
Or
C) Some way of saying “if you don’t know the class (eg. Win32_Battery), then apply the GPO anyway”
Again, the “quest” is to find the perfect, *universal*, way of spotting “Non-laptops” or Desktops – it can of course be done by looking for some special computer Manufacturer/Model, BIOS version, specific hardware driver or whatever – but that stuff it most likely gonna be different from environment to environment. Also, if we all just used computer names like “DESKxxx” for desktops and “LAPTxxx” for laptops, we could have used WMI filters for computer name – but unfortunately that’s not the case - or at least I won’t consider that a valid solution 
The thing is, that normally it’s the LAPTOPS that have special hardware – like Batteries and built-in Modems, PCMCIA slots etc. – so they are pretty easy to find. With desktop computers it’s another story – hope you can help us out here!
Please, again, we know lot’s of “workarounds”, but what we need is a *WMI filter* and it has to return *TRUE* for *DESKTOPS* (or let’s call the NON-LAPTOPS or NON-PORTABLES, it doesn’t really matter).
Remember, simplicity works - maybe the answer/solution is pretty straight forward? Feel free to post any additional questions to the mailing list!
Another example of what has been tried
We could maybe try to go for presence of PCI (and not Mini-PCI) or AGP slots, as we expect most desktops to have PCI slots (and laptops to have Mini-PCI, but that would depend on the form factor) – or maybe AGP (but does onboard VGA count as AGP? Any PCI VGA cards left out there? Yeah, probably…). If not we could maybe go for something like this:
A) Select * From Win32_SystemSlot Where SlotDesignation = “PCI%”
Or
B) Select * From Win32_SystemSlot Where SlotDesignation = “AGP”
However, this is not accepted as a solution as we cannot say that all desktop computers have AGP slots. But - maybe you can convince us otherwise?
Other cool Group Policy information:
You’ll find additional Group Policy information at these sites:
www.gpanswers.com - The home of Group Policy guru and MVP Jeremy Moskowitz, check out the community there too!
TechNet Group Policy Forum - A brand new Group Policy forum on Microsoft TechNet
The Group Policy Team - The home of the Microsoft Group Policy Team
Jakob H. Heidelberg blog - My own blog, mostly about Group Policy and Security
www.heidelbergit.dk - My website with blog RSS, certifications, LinkedIn info etc.
Hope to hear from you soon - O’ Yee Knight of the Microsoft Group Policy Table!
Written by Jakob H. Heidelberg on February 13th, 2008 with comments disabled.
Read more articles on Darren Mar-Elia and Jeremy Moskowitz and MVP and gpanswers.com and gpoguy.com and group policy and microsoft and technet.
