Performancing Metrics

Customs Check-- Importing and Exporting WMI Filters - Group Policy Team Blog - Site Home - TechNet Blogs

Customs Check-- Importing and Exporting WMI Filters

Customs Check-- Importing and Exporting WMI Filters

  • Comments 1
  • Likes

Hi GP fanatics,

 

Did you know that you can import/export WMI filters using GPMC? Yes, you can; however, you must do it one filter at a time. You export each filter to a single .mof file. You can then take this .mof file to a new or different domain, use GPMC, and import each file. This is great when you only have one or two WMI filters. What about if you have 15 or 20? No worries! You can do this using the LDIFDE utility. (This is a long but, detailed explanation),

 

First, you need to find the WMI Filter you want to export (and eventually import). GPMC writes WMI filters in the Domain partition at CN=SOM,CN=WMIPolicy,CN=System,DC=contoso,DC=com. The filter you use to return all WMI filters is (objectclass=msWMI-Som). You can narrow the returned number of items if you know the name of the WMI Filter by using (&(objectclass=msWMI-Som)(msWMI-Name=filtername)). You can lean more about LDAP search filter syntax from MSDN (http://msdn2.microsoft.com/en-us/library/aa746475.aspx). The following command line gives you and idea of how to export the WMI Filter.

 

LDIFDE  -f output.txt –d “dc=contoso.com” –r ”( objectclass=msWMI-Som)” –p subtree

 

In the example above, -f designates the name of the output file that stores the exported WIM filter objectxs. Next, -d designates the based dn, that is, where the search for objects starts. In this example, it starts at the beginning of the domain. The –r is an inclusive LDAP search filter. In this example we only want objects of the class msWMI-Som returned by the query. Lastly, the –p designates that type o f search we want to use. A subtree search means the search begins at the designated base dn and searches the entire depth of the tree for objects matching the designated filter—similar to using dir /s on a directory when searching for a file.

 

Your options may vary. If you have problems exporting the items then add –j . (one dash, the letter J, a space, and one period) to the command line to create a log file in the current folder. A successful output file looks similar to the following.

 

dn: CN={1154EFFC-0090-4F23-8865-C8D555BF696E},CN=SOM,CN=WMIPolicy,CN=System,DC=contoso,DC=com

changetype: add

objectClass: top

objectClass: msWMI-Som

cn: {1154EFFC-0090-4F23-8865-C8D555BF696E}

distinguishedName:

 CN={1154EFFC-0090-4F23-8865-C8D555BF696E},CN=SOM,CN=WMIPolicy,CN=System,DC=con

 toso,DC=com

instanceType: 4

whenCreated: 20070808151246.0Z

whenChanged: 20070808151246.0Z

uSNCreated: 40979

uSNChanged: 40979

showInAdvancedViewOnly: TRUE

name: {1154EFFC-0090-4F23-8865-C8D555BF696E}

objectGUID:: EPDEbOIaGEWyX3Z/b+eiKw==

objectCategory: CN=ms-WMI-Som,CN=Schema,CN=Configuration,DC=contoso,DC=com

msWMI-Author: Administrator@CONTOSO.COM

 msWMI-ChangeDate: 20070618142622.740000-000

 msWMI-CreationDate: 20070618142257.735000-000

msWMI-ID: {1154EFFC-0090-4F23-8865-C8D555BF696E}

msWMI-Name: Imported WMIFilter2

msWMI-Parm1: This is the description for the filter

msWMI-Parm2:

 1;3;10;45;WQL;root\CIMv2;Select * from win32_timezone where bias =-300;

 

Once you successfully export the WMI Filters; you then need to prepare the output file for import.

 

To prepare the output file for importing:

1.       First, save the file as another file name.

2.       Then, you need to find a utility that creates guids. Visual Studio included the GUIDGEN utility (this is not so important when importing the WMI filter into a different domain).As a reference, this is a guid‑ {DF380E6C-DB23-44ed-9BF6-435559503347}.

·          You MUST change the Guids to import into the same domain or it will NOT import.

3.       Change the guid (to include open and closing curly braces) in the DN, CN, distinguishedname, name, and msWMI-ID attributes.

4.       If importing into a different domain, change the LDAP path to reflect the new domain in the dn, distinguishedName, and objectCategory attributes. Only change the domain portion of the LDAP path.

5.       Next, you need to remark out the whenCreated, whenChanged, USNcreated, USNChanged, objectguid, msWMI-ChangeDate,  and msWMI-CreationDate attributes. Do this by inserting the # character and a space at the beginning of the line for each of the listed attributes.

6.       Optionally, you can change the text displayed in msWMI-Name, msWMI-Author, and msWMI-Parm1 attributes.

·         msWMI-Name is the display name of the WMI Filter shown in GPMC.  

·         msWMI-Author is the UPN format for the person creating the WMI filter.

·         msWMI-Parm1 is the description text shown for the WMI filter in GPMC.

 

The final file should look similar to the following.

 

dn: CN={4464D2C2-9063-4953-AE6F-A0D231EBF3CD},CN=SOM,CN=WMIPolicy,CN=System,DC=contoso,DC=com

changetype: add

objectClass: top

objectClass: msWMI-Som

cn: {4464D2C2-9063-4953-AE6F-A0D231EBF3CD}

distinguishedName:

 CN={4464D2C2-9063-4953-AE6F-A0D231EBF3CD},CN=SOM,CN=WMIPolicy,CN=System,DC=con

 toso,DC=com

instanceType: 4

# whenCreated: 20070618142257.0Z

# whenChanged: 20070618142622.0Z

# uSNCreated: 26483

# uSNChanged: 26485

showInAdvancedViewOnly: TRUE

name: {4464D2C2-9063-4953-AE6F-A0D231EBF3CD}

# objectGUID:: 7sA6lK0PVE2fGNOSDTS5Kw==

objectCategory: CN=ms-WMI-Som,CN=Schema,CN=Configuration,DC=contoso,DC=com

msWMI-Author: Administrator@CONTOSO.COM

# msWMI-ChangeDate: 20070618142622.740000-000

# msWMI-CreationDate: 20070618142257.735000-000

msWMI-ID: {4464D2C2-9063-4953-AE6F-A0D231EBF3CD}

msWMI-Name: Imported WMIFilter2

msWMI-Parm1: This is the description for the filter

msWMI-Parm2:

 1;3;10;45;WQL;root\CIMv2;Select * from win32_timezone where bias =-300;

 

You’re almost ready to import the WMI filters. However, importing or adding a WMI Filter object into AD is a system only operation. You need to enable system only changes on a domain controller for a successful ldifde import. To do this, on the domain controller you are using for importing, open the registry editor and create the following registry value.

 

Key: HKLM/System/CCS/Services/NTDS/Parameters

Value Name: Allow System Only Change

Value Type: REG_DWORD

Value Data: 1 (Binary)

 

Next, you’ll need to reboot the domain controller to activate the new setting. Once the domain controller is rebooted, you can use ldifde to import the file into AD. Use the following command:

 

LDIFDE  -i –f input.txt

 

If you have problems then add -j .( one dash, the letter J, a space, and one period)to the command line to create a log file in the local folder. Once the import is complete you should delete the System Only Registry key and reboot the domain controller to deactivate the setting. A successful import looks similar to the following.

 

 

Connecting to "hq-con-dc-01.contoso.com"

Logging in as current user using SSPI

Importing directory from file "import-wmi.ldf"

 

Loading entries

1: CN={4464D2C2-9063-4953-AE6F-A0D231EBF3CD},CN=SOM,CN=WMIPolicy,CN=System,DC=contoso,DC=com

Entry DN: CN={4464D2C2-9063-4953-AE6F-A0D231EBF3CD},CN=SOM,CN=WMIPolicy,CN=System,DC=contoso,DC=com

changetype: add

Attribute 0) objectClass:top msWMI-Som

Attribute 1) cn:{4464D2C2-9063-4953-AE6F-A0D231EBF3CD}

Attribute 2) distinguishedName:CN={4464D2C2-9063-4953-AE6F-A0D231EBF3CD},CN=SOM,CN=WMIPolicy,CN=System,DC=contoso,DC=com

Attribute 3) instanceType:4

Attribute 4) showInAdvancedViewOnly:TRUE

Attribute 5) name:{4464D2C2-9063-4953-AE6F-A0D231EBF3CD}

Attribute 6) objectCategory:CN=ms-WMI-Som,CN=Schema,CN=Configuration,DC=contoso,DC=com

Attribute 7) msWMI-Author:Administrator@CONTOSO.COM

Attribute 8) msWMI-ID:{4464D2C2-9063-4953-AE6F-A0D231EBF3CD}

Attribute 9) msWMI-Name:Imported WMIFilter2

Attribute 10) msWMI-Parm1:This is the description for the filter

Attribute 11) msWMI-Parm2:1;3;10;45;WQL;root\CIMv2;Select * from win32_timezone where bias =-300;

 

Entry modified successfully.

1 entry modified successfully. 

The command has completed successfully

 

And there you go, you’ve successfully export and imported WMI filters.

 

Mike Stephens, Technical Writer, Group Policy

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment