TABLE 5-2 Properties of Win32_OperatingSystem
BootDevice
Disk drive from which the Win32 operating system boots.
BuildNumber
Build number of the operating system.
BuildType
Type of build used for the operating system, such as “retail build”, “checked build”, or “Multiprocessor Free”.
Caption
Operating system name.
ClassPath
WMI object class path.
CodeSet
Code page value used by the operating system.
Container
The container associated with the object.
CountryCode
Country code used by the operating system.
CreationClassName
Name of the class from which the object is derived.
CSCreationClassName
Name of the class from which the computer system object is derived.
CSDVersion
Indicates the latest service pack installed on the computer. The value is NULL if no service pack is installed.
CSName
Name of the computer system associated with this object class.
CurrentTimeZone
Number of minutes the operating system is offset from Coordinated Universal Time. The value is positive, negative, or zero.
DataExecutionPrevention_32BitApplications
Indicates whether Data Execution Prevention (DEP) is enabled for 32-bit applications.
DataExecutionPrevention_Available
Indicates whether DEP is supported by the system hardware.
DataExecutionPrevention_Drivers
Indicates whether DEP is enabled for device drivers.
DataExecutionPrevention_SupportPolicy
Specifies the DEP support policy being used. Values are 0 = none, 2 = on for essential Windows programs and services only, 3 = on for all programs except those specifically excluded.
Debug
Indicates whether the operating system is a checked (debug) build. If TRUE, the debugging version of User.exe is installed.
Description
Description of the Windows operating system.
Distributed
Indicates whether the operating system is distributed across multiple computer system nodes. If so, these nodes should be grouped as a cluster.
EncryptionLevel
Level of encryption for secure transactions, as 40-bit, 128-bit, or n-bit.
ForegroundApplicationBoost
Sets the priority of the foreground application. Application boost is implemented by giving an application more processor time. Values are: 0 = none, 1 = minimum, 2 = maximum (default).
FreePhysicalMemory
Physical memory (in kilobytes) currently unused and available.
FreeSpaceInPagingFiles
Amount of free space (in kilobytes) in the operating system’s paging files. Swapping occurs when the free space fills up.
FreeVirtualMemory
Virtual memory (in kilobytes) unused and available.
InstallDate
Date when the operating system was installed.
LargeSystemCache
Indicates whether memory usage is optimized for programs or the system cache. Values are: 0 = memory usage is optimized for programs, 1 = memory usage is optimized for the system cache.
LastBootUpTime
When the operating system was last booted.
LocalDateTime
Local date and time on the computer.
Locale
Language identifier used by the operating system.
Manufacturer
Operating system manufacturer. For Win32 systems, this value will be “Microsoft Corporation”.
MaxNumberOfProcesses
Maximum number of process contexts the operating system can support. If there is no fixed maximum, the value is 0.
MaxProcessMemorySize
Maximum memory (in kilobytes) that can be allocated to a process. A value of zero indicates that there is no maximum.
MUILanguages
User interface languages supported.
Name
Name of the operating system instance.
NumberOfLicensedUsers
Number of user licenses for the operating system. A value of 0 = unlimited, a value of -1 = unknown.
NumberOfProcesses
Current number of process contexts on the system.
NumberOfUsers
Current number of user sessions.
OperatingSystemSKU
Operating system product type indicator.
Options
Lists the management object options.
Organization
Company name set for the registered user of the operating system.
OSArchitecture
Operating system architecture, as 32-bit or 64-bit.
OSLanguage
Language version of the operating system installed.
OSProductSuite
Operating system product suite installed.
OSType
Type of operating system. Values include: 1 = other, 18 = Windows NT or later.
OtherTypeDescription
Sets additional description; used when OSType = 1.
Path
Identifies the full WMI path to the object class.
PAEEnabled
Indicates whether Physical Address Extension (PAE) is enabled.
PlusProductID
Product number for Windows Plus! (if installed).
PlusVersionNumber
Version number of Windows Plus! (if installed).
Primary
Indicates whether this is the primary operating system.
ProductType
Operating system product type. Values are: 1 = workstation, 2 = domain controller, 3 = server.
Properties
Lists all the properties of the object.
Qualifiers
Lists any qualifiers for the object.
QuantumLength
Number of clock ticks per unit of processor execution. Values are: 1 = unknown, 2 = one tick, 3 = two ticks.
QuantumType
Length type for units of processor execution. Values are: 1 = unknown, 2 = fixed, 3 = variable. With variable length, foreground and background applications can have different values. With fixed length, the foreground and background values are the same.
RegisteredUser
Name set for the registered user of the operating system.
Scope
Lists the management object scope.
SerialNumber
Operating system product serial number.
ServicePackMajorVersion
Major version number of the service pack installed on the computer. If no service pack has been installed, the value is 0 or NULL.
ServicePackMinorVersion
Minor version number of the service pack installed on the computer. If no service pack has been installed, the value is 0 or NULL.
Site
Site associated with the object.
SizeStoredInPagingFiles
Total number of kilobytes that can be stored in the operating system’s paging files. A value of 0 indicates that there are no paging files.
Status
Current status of the object. Values include: “OK”, “Error”, “Unknown”, “Degraded”, “Pred Fail”, “Starting”, “Stopping”, and “Service”.
SuiteMask
Bit flags that identify the product suites available on the system.
SystemDevice
Physical disk partition on which the operating system is installed.
SystemDirectory
System directory of the operating system.
SystemDrive
Physical disk partition on which the operating system is installed.
SystemProperties
Lists the system properties.
TotalSwapSpaceSize
Total swap space in kilobytes. This value may be unspecified (NULL) if swap space is not distinguished from page files.
TotalVirtualMemorySize
Virtual memory size (in kilobytes).
TotalVisibleMemorySize
Total amount of physical memory (in kilobytes) that is available to the operating system.
Version
Version number of the operating system.
WindowsDirectory
Windows directory of the operating system.
The detailed operating system information tells you a great deal about the operating system running on the computer. The same is true for computer configuration details, which can be obtained by entering the following command at a Windows PowerShell prompt:
Get-WmiObject -Class Win32_ComputerSystem -Namespace root/cimv2 -ComputerName . | Format-List *
Listing 5-2 provides an example of the output from this command, and Table 5-3 provides a summary of the computer configuration properties and their meaning. As discussed previously, you can redirect the output to a save file.
LISTING 5-2 Computer Configuration Information
AdminPasswordStatus : 1
BootupState : Normal boot
ChassisBootupState : 3
KeyboardPasswordStatus : 2
PowerOnPasswordStatus : 1
PowerSupplyState : 3
PowerState : 0
FrontPanelResetStatus : 2
ThermalState : 3
Status : OK
Name : CORPSERVER84
PowerManagementCapabilities :
PowerManagementSupported :
__GENUS : 2
__CLASS : Win32_ComputerSystem
__SUPERCLASS : CIM_UnitaryComputerSystem
__DYNASTY : CIM_ManagedSystemElement
__RELPATH : Win32_ComputerSystem.Name="CORPSERVER84"
__PROPERTY_COUNT : 58
__DERIVATION : {CIM_UnitaryComputerSystem, CIM_ComputerSystem, CIM_System,CIM_LogicalElement...}
__SERVER : CORPSERVER84
__NAMESPACE : root\cimv2
__PATH : \\CORPSERVER84\root\cimv2:Win32_ComputerSystem.Name="CORPSERVER84"
AutomaticManagedPagefile : True
AutomaticResetBootOption : True
AutomaticResetCapability : True
BootOptionOnLimit :
BootOptionOnWatchDog :
BootROMSupported : True
Caption : CORPSERVER84
CreationClassName : Win32_ComputerSystem
CurrentTimeZone : -420
DaylightInEffect : True
Description : AT/AT COMPATIBLE
DNSHostName : CORPSERVER84
Domain : imaginedlands.com
DomainRole : 5
EnableDaylightSavingsTime : True
InfraredSupported : False
InitialLoadInfo :
InstallDate :
LastLoadInfo :
Manufacturer : Dell Inc.
Model :
NameFormat :
NetworkServerModeEnabled : True
NumberOfLogicalProcessors : 2
NumberOfProcessors : 1
OEMLogoBitmap :
OEMStringArray : {www.dell.com}
PartOfDomain : True
PauseAfterReset : -1
PCSystemType : 5
PrimaryOwnerContact :
PrimaryOwnerName : Windows User
ResetCapability : 1
ResetCount : -1
ResetLimit : -1
Roles : {LM_Workstation, LM_Server, Primary_Domain_Controller, Timesource...}
SupportContactDescription :
SystemStartupDelay :
SystemStartupOptions :
SystemStartupSetting :
SystemType : x64-based PC
TotalPhysicalMemory : 3755343872
UserName : IMAGINEDL\williams
WakeUpType : 6
Workgroup :
Scope : System.Management.ManagementScope
Path : \\Server52\root\cimv2:Win32_ComputerSystem.Name="Server52"
Options : System.Management.ObjectGetOptions
ClassPath : \\Server52\root\cimv2:Win32_ComputerSystem
Properties : {AdminPasswordStatus...}
SystemProperties : {___GENUS, ___CLASS, ___SUPERCLASS...}
Qualifiers : {dynamic, Locale, provider, UUID}
Site :
Container :
TABLE 5-3 Computer Configuration Entries and Their Meaning
AdminPasswordStatus
Status of the Administrator password. Values are: 1 = disabled, 2 = enabled, 3 = not implemented, 4 = unknown.
AutomaticManagedPagefile
Indicates whether the computer’s page file is being managed by the operating system.
AutomaticResetBootOption
Indicates whether the automatic reset boot option is enabled.
AutomaticResetCapability
Indicates whether the automatic reset is enabled.
BootOptionOnLimit
System action to be taken when the ResetLimit value is reached. Values are: 1 = reserved, 2 = operating system, 3 = system utilities, 4 = do not reboot.
BootOptionOnWatchDog
Reboot action to be taken after the time on the watchdog timer has elapsed. Values are: 1 = reserved, 2 = operating system, 3 = system utilities, 4 = do not reboot.
BootROMSupported
Indicates whether a boot ROM is supported.
BootupState
Indicates how the system was started. Values are: “Normal boot”, “Fail-safe boot”, and “Fail-safe with network boot”.
Caption
System name.
ChassisBootupState
Bootup state of the system chassis. Values are: 1 = other, 2 = unknown, 3 = safe, 4 = warning, 5 = critical, 6 = nonrecoverable.
ClassPath
Windows Management Instrumentation (WMI) object class path.
Container
Container associated with the object.
CreationClassName
Name of class from which object is derived.
CurrentTimeZone
Number of minutes the computer is offset from Coordinated Universal Time.
DaylightInEffect
Indicates whether daylight saving mode is on.
Description
Description of the computer.
DNSHostName
Name of the server according to DNS.
Domain
Name of the domain to which the computer belongs.
DomainRole
Domain role of the computer. Values are: 0 = stand-alone workstation, 1 = member workstation, 2 = stand-alone server, 3 = member server, 4 = backup domain controller, 5 = primary domain controller.
EnableDaylightSavingsTime
Indicates whether daylight saving time (DST) is enabled. If True, the system changes to an hour ahead or behind when DST starts or ends. If False, the system does not change to an hour ahead or behind when DST starts or ends.
FrontPanelResetStatus
Hardware security settings for the reset button on the computer. Values are: 0 = disabled, 1 = enabled, 2 = not implemented, 3 = unknown.
InfraredSupported
Indicates whether an infrared (IR) port exists on the computer system.
InitialLoadInfo
Data needed to find either the initial load device (its key) or the boot service to request the operating system to start up.
InstallDate
Date when the computer was installed.
KeyboardPasswordStatus
Indicates the keyboard password status. Values are: 0 = disabled, 1 = enabled, 2 = not implemented, 3 = unknown.
LastLoadInfo
Array entry of the InitialLoadInfo property, which holds the data corresponding to booting the currently loaded operating system.
Manufacturer
Computer manufacturer’s name.
Model
Product name given by the manufacturer.
Name
Computer name.
NameFormat
Identifies how the computer system name is generated.
NetworkServerModeEnabled
Indicates whether network server mode is enabled.
NumberOfLogicalProcessors
Number of processor cores. If the computer has two processors with four cores each, the number of logical processors is eight. If the computer has hyperthreading architecture, the number of logical processors may also be higher than the number of physical processors.
NumberOfProcessors
Number of enabled processors on the computer.
OEMLogoBitmap
Identifies the bitmap for the OEM’s logo.
OEMStringArray
List of descriptive strings set by the OEM.
PartOfDomain
Indicates whether the computer is part of a domain. If True, the computer is a member of a domain. If False, the computer is a member of a workgroup.
Options
Lists the management object options.
Path
Identifies the full WMI path to the object class.
PauseAfterReset
Time delay (in milliseconds) before a reboot is initiated after a system power cycle or reset. A value of -1 indicates there is no time delay.
PCSystemType
Indicates the type of computer. Values are: 0 = unspecified, 1 = desktop, 2 = mobile, 3 = workstation, 4 = enterprise server, 5 = small office and home office (SOHO) server, 6 = appliance PC, 7 = performance server, 8 = role maximum.
PowerManagementCapabilities
Power management capabilities of a logical device. Values are: 0 = unknown, 1 = not supported, 2 = disabled, 3 = enabled, 4 = power saving modes entered automatically, 5 = power state settable, 6 = power cycling supported, 7 = timed power on supported.
PowerManagementSupported
Indicates whether the device’s power can be managed.
PowerOnPasswordStatus
Power-on password status. Values are: 0 = disabled, 1 = enabled, 2 = not implemented, 3 = unknown.
PowerState
Indicates the current power state of the computer. Values are: 0 = unknown, 1 = full power, 2 = power save – low power mode, 3 = power save – standby, 4 = power save – unknown, 5 = power cycle, 6 = power off, 7 = power save – warning.
PowerSupplyState
State of the enclosure’s power supply when last booted. Values are: 1 = other, 2 = unknown, 3 = safe, 4 = warning, 5 = critical, 6 = nonrecoverable.
PrimaryOwnerContact
Contact information for the computer’s owner.
PrimaryOwnerName
Name of the system owner.
Properties
Lists all the properties of the object.
Qualifiers
Lists any qualifiers for the object.
ResetCapability
Value indicates whether a computer can be reset using the Power and Reset buttons (or other hardware means). Values are: 1 = other, 2 = unknown, 3 = disabled, 4 = enabled, 5 = nonrecoverable.
ResetCount
Number of automatic resets since the last intentional reset. A value of -1 indicates that the count is unknown.
ResetLimit
Number of consecutive times a system reset will be attempted. A value of -1 indicates that the limit is unknown.
Roles
System roles.
Scope
Lists the management object scope.
Site
The site associated with the object.
Status
Current status of the computer. Values are: “OK”, “Error”, “Degraded”, “Unknown”, “Pred Fail”, “Starting”, “Stopping”, “Service”.
SupportContactDescription
List of the support contact information for the computer.
SystemProperties
Lists the system properties.
SystemStartupDelay
Startup delay in seconds.
SystemStartupOptions
List of the startup options for the computer.
SystemStartupSetting
Index of the default start profile.
SystemType
System architecture type, such as “X86-based PC” or “64-bit Intel PC”.
ThermalState
Thermal state of the system chassis when last booted. Values are: 1 = other, 2 = unknown, 3 = safe, 4 = warning, 5 = critical, 6 = nonrecoverable.
TotalPhysicalMemory
Total byte size of physical memory.
UserName
Name of the user currently logged on.
WakeUpType
Event that caused the system to power up. Values are: 0 = reserved, 1 = other, 2 = unknown, 3 = APM timer, 4 = modem ring, 5 = LAN remote, 6 = power switch, 7 = PCI PME#, 8 = AC power restored.
Workgroup
When a computer is a member of a workgroup, the workgroup name is listed here.
In addition to targeting operating system or computer configuration properties, you might want to target computers based on the amount of disk space and file system type. In the following example, you target computers that have more than 1 gigabyte (GB) of available space on the C, D, or G partition:
Select * from Win32_LogicalDisk where (Name = "C:" OR Name = "D:"
OR Name = "G:") AND DriveType = 3 AND FreeSpace > 1048576000 AND
FileSystem = "NTFS"
In the preceding example, DriveType = 3 represents a local disk and FreeSpace units are in bytes (1 GB = 1,048,576,000 bytes). The partitions must be located on one or more local fixed disks, and they must be running the NTFS file system.
In Windows PowerShell, you can examine all the properties of the Win32_LogicalDisk object by entering the following command at the Windows PowerShell prompt:
Get-WmiObject -Class Win32_LogicalDisk -Namespace root/cimv2 -ComputerName . | Format-List *
As you’ll see, there are many properties you can work with, including Compressed, which indicates whether a disk is compressed. Other important WMI object classes include:
Using the techniques I’ve discussed previously, you can examine the properties of any or all of these objects by using Windows PowerShell. If you do, you will find that Win32_PhysicalMemory has a Capacity property that tracks the total physical memory in bytes. Knowing this, you could easily create a WMI filter to target computers with 4 GB of RAM or more. The WMI query to handle the task is the following:
Select * from Win32_PhysicalMemory where Capacity > 4194300000
I used the value 4194300000 because there are 4,194,304,000 bytes in 4 GB, and we want the computer to have at least this capacity.
To display a complete list of WMI objects, enter the following command at the Windows PowerShell prompt:
Get-WmiObject -list -Namespace root/cimv2 -ComputerName . | Format-List name
Because the list of available objects is so long, you’ll definitely want to redirect the output to a file. In the following example, you redirect the output to a file in the working directory called FullWMIObjectList.txt:
Get-WmiObject -list -Namespace root/cimv2 -ComputerName . | Format-List name > FullWMIObjectList.txt
Rather than viewing all WMI classes, you may want to see only the Win32 WMI classes. To view only the Win32 WMI classes, use the following command:
Get-WmiObject -list | where {$_.name -like "*Win32_*"}
Creating and applying WMI filters is a two-step process. First you define the WMI filter and set the desired query. Then you link the WMI filter to GPOs as appropriate. If you later decide that you don’t want to link a WMI filter to a GPO, you can unlink the filter to remove it. After you remove the link to the WMI filter, the GPO will no longer filter policy application based on the queries defined in the filter.
Because WMI filters let you easily target specific types of computers, they are often overused. However, this approach is not necessarily a good one. WMI filters work well when you have a few management exceptions. They don’t work well when you deploy them widely. If you create multiple WMI filters, each targeted to separate GPOs, you may negatively impact performance. Why? Too many WMI filters can slow down Group Policy processing because each filter must be evaluated whenever policy is applied. To avoid problems, test your WMI filters carefully and deploy them strategically.
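One way to test candidate queries on a representative computer before linking a filter, shown as an added example that is not from the original text: the hypothetical helper Test-WmiFilterQuery runs each query with Get-WmiObject, reports how many instances it returns and how long it takes, and treats the filter as passing only when every query returns at least one instance, which is how a WMI filter containing several queries is evaluated. The helper name, variable names, and the choice to count a query error as a failure are assumptions of this example.

```powershell
# Added example (not from the original text). Test-WmiFilterQuery is a hypothetical helper name.
function Test-WmiFilterQuery {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Query,
        [string]$Namespace = 'root\cimv2',
        [string]$ComputerName = '.'
    )

    foreach ($q in $Query) {
        $wmiArgs = @{
            Query        = $q
            Namespace    = $Namespace
            ComputerName = $ComputerName
            ErrorAction  = 'Stop'
        }
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        $count = 0
        $failure = $null
        try {
            # @() forces an array so .Count is correct for zero, one, or many instances.
            $count = @(Get-WmiObject @wmiArgs).Count
        }
        catch {
            # A malformed query or a missing class is recorded and counted as not passing
            # (a choice made for this example).
            $failure = $_.Exception.Message
        }
        $timer.Stop()

        [pscustomobject]@{
            Query        = $q
            Instances    = $count
            Passes       = ($null -eq $failure -and $count -gt 0)
            Milliseconds = $timer.ElapsedMilliseconds
            Error        = $failure
        }
    }
}

# The two queries discussed above, written as they would be entered in the WMI Query dialog box.
$diskQuery = 'Select * from Win32_LogicalDisk where (Name = "C:" OR Name = "D:" OR Name = "G:") ' +
             'AND DriveType = 3 AND FreeSpace > 1048576000 AND FileSystem = "NTFS"'
$memoryQuery = 'Select * from Win32_PhysicalMemory where Capacity > 4194300000'

$report = @(Test-WmiFilterQuery -Query $diskQuery, $memoryQuery)
$report | Format-Table Instances, Passes, Milliseconds, Query -AutoSize

# The filter as a whole passes only if no individual query failed.
$filterPasses = @($report | Where-Object { -not $_.Passes }).Count -eq 0
'GPO with this filter would apply on {0}: {1}' -f $env:COMPUTERNAME, $filterPasses
```

The Milliseconds column gives a rough per-query evaluation cost on that computer, which is the overhead each client pays whenever policy is applied.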
To create a WMI filter, complete the following steps:
1. In the GPMC, expand the entry for the forest you want to work with and then expand the related Domains node.
2. Expand the WMI Filters node to display a list of currently configured filters in the details pane, as shown in Figure 5-7. If an existing WMI filter is linked to one or more GPOs, the names of the GPOs are listed under the Linked GPO column.
FIGURE 5-7 List currently configured WMI filters.
3. Right-click the WMI Filters node in the domain in which you want to add a WMI filter, and then click New.
4. In the New WMI Filter dialog box, shown in Figure 5-8, type a name for the new WMI filter in the Name box, and then type a description of the filter in the Description box.
5. Click Add. In the WMI Query dialog box, the default namespace is root\CimV2. In most cases, you do not need to change the namespace. If you need to change this value, click Browse, select the namespace you need to use from the list, and then click OK.
6. In the WMI Query dialog box, define a WMI query in the Query box, and then click OK.
7. To add additional queries to the filter, repeat steps 4 through 6.
8. After you add all the necessary WMI queries, click Save. The WMI filter will then be available to be linked.
FIGURE 5-8 Create the WMI query.
When you select the WMI Filters node in the GPMC, you see a list of the currently configured WMI filters in the details pane. If a WMI filter is linked to one or more GPOs, the names of the GPOs are listed in the Linked GPO column.
To view and manage individual filters, expand the WMI Filters node in the console tree and then select the WMI filter you want to work with. In the details pane, you’ll then see the configuration details for the selected WMI filter. As shown in Figure 5-9, the General tab displays:
If you want to edit the filter definition, click Edit Filter. You are then able to see the filter name and description. You are also able to add, remove, or edit WMI queries. When you are finished, click Save to save the changes. Any query changes are reflected the next time clients process group policy.
FIGURE 5-9 Review the WMI filter details.
To apply a WMI filter, you must link it to a GPO. Each GPO can have only one linked WMI filter at a time. If you no longer want a GPO to process a WMI filter, you can remove the link.
To add or remove a link to a WMI filter, complete the following steps:
1. In the GPMC, expand the entry for the forest you want to work with and then expand the related Domains node.
2. Expand the node for the domain you want to work with. If you don’t see the domain you want to work with, right-click Domains and then click Show Domains. You can then select the domains you want to display.
3. Expand the Group Policy Objects node and then select the GPO you want to work with.
4. In the details pane, click the Scope tab. On the Scope tab, the WMI Filtering pane shows whether the GPO is linked to a WMI filter (see Figure 5-10).
FIGURE 5-10 Link a WMI filter to a GPO.
5. Do one of the following:
If you want to add a link to a WMI filter, select the WMI filter from the drop-down list provided. When prompted to confirm that you want to change to the selected filter, click Yes.
If you want to remove a link to a WMI filter, select <None> from the drop-down list provided. When prompted to confirm that you want to remove the previously selected filter, click Yes.