This post describes a WMI filter used to provide Group Policy based on the client subnet. This can be useful when site-based policy is not appropriate, or for more granular control of specific subnets within sites.
The WMI filter used:
Select * FROM Win32_IP4RouteTable
WHERE ((Mask='255.255.255.255' AND NextHop='127.0.0.1')
AND (Destination Like '10.0.0.%' OR Destination Like '10.0.1.%' OR Destination Like '10.0.2.%'))
Originally this was used to define a DNS suffix search list for computers on a particular subnet. Other potential uses include branding and hardening of clients on specific subnets, such as privileged network or remote access subnets.
Why the Win32_IP4RouteTable class was used in the WMI query:
- Using the routing table to determine the local IP is not very intuitive; it would make more sense to use something like win32_networkadapterconfiguration, but the relevant information is stored in arrays, which cannot currently be processed by WMI filters (or by WMI queries in WHERE clauses).
- The route table is filtered to ensure only the local address is processed, by including only the entries with the local broadcast mask (255.255.255.255) and the localhost next hop (127.0.0.1), and then checking the subnet. Note that a /24 is the only subnet size that will be accurate when validating only on the last octet, as the query above does.
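The following PowerShell is an added example, not code from the original post: it evaluates the same subnet filter on the local machine and compares the result with a true prefix check, so the /24-only limitation of the `Like` trick is visible before the filter is linked to a GPO. It assumes PowerShell 3.0 or later (Get-CimInstance), and the subnet patterns and CIDR prefix are placeholders to be replaced with your own.

```powershell
# Added example (not from the original post). Evaluates the subnet WMI filter
# locally and cross-checks it with an independent CIDR test.
function Test-SubnetWmiFilter {
    param(
        # The subnets as the WQL 'Like' patterns used in the filter (placeholders)
        [string[]]$LikePatterns = @('10.0.0.%', '10.0.1.%', '10.0.2.%'),
        # The same subnets as one CIDR prefix, used for the independent check (placeholder)
        [string]$Cidr = '10.0.0.0/22'
    )
    # Host routes (/32) for local addresses have next hop 127.0.0.1 on XP and
    # 0.0.0.0 on Windows 7 and later, so both values are accepted.
    $hostRouteClause = "Mask='255.255.255.255' AND (NextHop='127.0.0.1' OR NextHop='0.0.0.0')"
    $likeClause = ($LikePatterns | ForEach-Object { "Destination Like '$_'" }) -join ' OR '

    # 1. The filter as the Group Policy client would evaluate it
    $wql = "SELECT Destination, Mask, NextHop FROM Win32_IP4RouteTable " +
           "WHERE ($hostRouteClause) AND ($likeClause)"
    $wqlMatches = @(Get-CimInstance -Query $wql)

    # 2. Independent check: is any local /32 destination really inside the prefix?
    $toInt = {
        param([string]$ip)
        $b = ([System.Net.IPAddress]$ip).GetAddressBytes()
        [uint32]($b[0] * 16777216 + $b[1] * 65536 + $b[2] * 256 + $b[3])
    }
    $net, $bits = $Cidr -split '/'
    $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    $netInt = (& $toInt $net) -band $mask
    $localRoutes = @(Get-CimInstance -Query "SELECT Destination, NextHop FROM Win32_IP4RouteTable WHERE $hostRouteClause")
    $cidrMatches = @($localRoutes | Where-Object { ((& $toInt $_.Destination) -band $mask) -eq $netInt })

    # A mismatch between the two results means the 'Like' patterns do not
    # describe the prefix exactly (e.g. a subnet that is not a /24).
    [pscustomobject]@{
        WmiFilterWouldApply = $wqlMatches.Count -gt 0
        CidrCheckWouldApply = $cidrMatches.Count -gt 0
        WqlMatches          = $wqlMatches  | Select-Object Destination, NextHop
        CidrMatches         = $cidrMatches | Select-Object Destination, NextHop
    }
}

Test-SubnetWmiFilter | Format-List
```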
GPMC limitations:
- GPMC Modelling doesn't seem accurate, i.e. some XP SP2 workstations processing this policy return True for the WMI filter, even though 'gpresult /z' on the workstation accurately reports that the WMI filter caused the policy not to apply.
Using UserEnv Debugging to verify:
- reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v UserEnvDebugLevel /d 0x00010002 /t reg_dword
- gpupdate /force /target:computer
c:\windows\debug\netlogon.log should then show something like:
USERENV(1c8.650) 00:30:03:191 FilterCheck: Found WMI Filter id of: <[domain.com;{B3942687-E8A9-4602-9365-E4C617980939};0]>
USERENV(1c8.650) 00:30:03:253 ProcessGPO: GPO passes the filter check.
Other options considered to provide a similar result:
- A security group filtered GPO, which would require manually adding and removing computers (or potentially automated with an export from DHCP that automatically added computers from the subnets to the security group)
- DHCP Scope option for configuring the DNS suffix search list (119 I think) - not currently supported by XP
- Some form of DHCP Scope ID that is recognised in XP and can be read through WMI or the registry
- DHCP Option 61 - Unique scope ID read from the registry (http://support.microsoft.com/kb/172408)
- AD Site - Separate sites containing the subnets, with a site-based group policy (although SDOU suggests this wouldn't work, as the OU policy would overwrite the site based policy - the closer to the object the higher priority)
- Something in an automated process running on each workstation that would determine network changes and make local changes.
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.
10 comments:
Tks for this guide... I'm looking for something similar! It solve perfectly my problem... :)
Thanks! Interesting approach. Needs modification for newer Windows as now the next hop is described as 0.0.0.0 (link). So I changed to (Mask='255.255.255.255' AND (NextHop='127.0.0.1' OR NextHop='0.0.0.0')). However, if the same approach is used elsewhere for extracting the IP - good luck, as now the broadcast address is also pulled alongside.
Thanks a million for this post! This is a real life saver!
not working with me please help
I really appreciate your insight. I figured if you look for the default gateway it would be better...
Since you know what the gateway will be on a subnet (hopefully). It gets rid of wildcards.
Select Mask,Destination,NextHop from Win32_IP4RouteTable WHERE ((Mask='0.0.0.0' AND Destination='0.0.0.0') AND (NextHop='10.0.0.1'))
Also, if you specify the select instead of wildcarding it, WMI responds quicker.
Hi All,
I know this post is old, But I am trying to create a WMI Filter to exclude 1 IP range.
Does anyone know how this might be possible?
Does anyone know how to query if in multitude of class C address ranges with different nextHop addresses?
The WMI query doesn't work on Windows 7 because NextHop is on Windows 7 always 0.0.0.0, but in XP it's 127.0.0.1.
Hi !
These both works for us:
Select * FROM Win32_IP4RouteTable WHERE ((Mask='255.255.255.255' AND (NextHop='127.0.0.1' OR NextHop='0.0.0.0')) AND (Destination Like '192.168.5%'))
-OR-
Select Mask,Destination,NextHop FROM Win32_IP4RouteTable WHERE ((Mask='0.0.0.0' AND Destination='0.0.0.0') AND (NextHop='192.168.56.1' OR NextHop='192.168.58.1'))
Note:
192.168.56.1 + 192.168.58.1 are my two gateways (LAN + WiFi).
192.168.5% is my subnet (I have 192.168.56.0 - 192.168.58.255). Change them to your environment !