How to Filter Group Policy Application by IP Range Using WMI Filters in Active Directory


When managing large Active Directory environments, there are scenarios where you need to apply Group Policy Objects (GPOs) only to computers within specific IP ranges. While organizational units (OUs) and sites are the preferred methods for filtering GPO application, sometimes technical constraints require IP-based filtering.

Windows Management Instrumentation (WMI) filters provide a powerful way to apply GPOs based on system characteristics. For IP-based filtering, we need to query network interface information through WMI.

Many online resources suggest using Win32_IP4RouteTable, but this approach often fails because it:

  • Depends on specific routing table entries
  • Doesn't account for multiple network interfaces
  • May miss dynamically assigned IPs

Here's a better approach that checks all network adapters:

SELECT * FROM Win32_NetworkAdapterConfiguration
WHERE IPEnabled = TRUE
AND DHCPEnabled = FALSE
AND (
    (IPAddress LIKE '10.31.%') 
    OR (IPAddress LIKE '192.168.1.%')
)

This query:

  • Filters only enabled, non-DHCP interfaces
  • Supports multiple IP ranges
  • Works with static IP configurations

For environments with DHCP, drop the DHCPEnabled condition:

SELECT * FROM Win32_NetworkAdapterConfiguration
WHERE IPEnabled = TRUE
AND (
    (IPAddress LIKE '10.31.%') 
    OR (IPAddress LIKE '192.168.1.%')
)

For precise subnet matching, express the prefix with WQL character ranges. For 10.31.16.0/20 (10.31.16.0 through 10.31.31.255) the third octet must be 16 to 31, so the patterns are:

SELECT * FROM Win32_NetworkAdapterConfiguration
WHERE IPEnabled = TRUE
AND (
    (IPAddress LIKE '10.31.1[6-9].%')
    OR (IPAddress LIKE '10.31.2[0-9].%')
    OR (IPAddress LIKE '10.31.3[0-1].%')
)

Before applying to production:

  1. Open PowerShell as Administrator
  2. Run: Get-WmiObject -Query "YOUR_QUERY_HERE"
  3. Verify the result matches your expectations: the filter passes on a computer when the query returns at least one adapter, so it should return something on computers that should receive the GPO and nothing on those that should not
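The three steps above, as an added PowerShell example that is not part of the original article. It evaluates a candidate query the way the Group Policy client does (the filter passes when the query returns one or more objects in root\cimv2), lists the adapters that matched, and also prints every IPv4 address on the machine so that a non-match can be explained. Test-WmiFilterQuery is my own name; Get-CimInstance is used in place of the older Get-WmiObject from step 2.

```powershell
# Added example: evaluate a WMI filter query on the local machine before linking it to a GPO.
# Test-WmiFilterQuery is an assumed name for this example, not a built-in cmdlet.

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\cimv2'    # the default namespace for GPMC WMI filters
    )
    # The Group Policy client applies a filter when its query returns one or more instances
    $results = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)

    # Every IPv4 address on IP-enabled adapters, so a non-match can be explained
    $allIPv4 = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        FilterApplies   = ($results.Count -gt 0)
        MatchedAdapters = @($results | ForEach-Object {
            '{0} [{1}]' -f $_.Description, ($_.IPAddress -join ', ')
        })
        AllIPv4         = @($allIPv4)
    }
}

# Paste the exact text of the filter; a single-quoted here-string keeps the inner quotes intact
$query = @'
SELECT * FROM Win32_NetworkAdapterConfiguration
WHERE IPEnabled = TRUE
AND (
    (IPAddress LIKE '10.31.%')
    OR (IPAddress LIKE '192.168.1.%')
)
'@

Test-WmiFilterQuery -Query $query | Format-List
```

To check a set of candidate computers in one go, pass the function to Invoke-Command, for example `Invoke-Command -ComputerName srv01, srv02 -ScriptBlock ${function:Test-WmiFilterQuery} -ArgumentList $query` (computer names are placeholders), and compare FilterApplies across the results with the list of machines that are supposed to receive the GPO.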

To create the WMI filter in Group Policy Management:

  1. Open Group Policy Management Console
  2. Right-click "WMI Filters" and select "New"
  3. Enter a descriptive name (e.g., "IP Range 10.31.*")
  4. Paste your WMI query
  5. Click "Save"
  6. Link your GPO and select the WMI filter

WMI filters impact GPO processing time. For better performance:

  • Keep queries as simple as possible
  • Avoid complex logic (OR/AND combinations)
  • Consider combining with security filtering when possible

While WMI filtering works, other options might be better depending on your environment:

  • Group Policy Preferences with item-level targeting
  • PowerShell startup scripts that apply settings based on IP
  • Network location awareness policies

When managing enterprise networks, there are frequent situations where Group Policy Objects (GPOs) need to target specific computers based on their IP addresses. While OUs and Sites are preferred methods for GPO targeting, sometimes you need the precision of IP-based filtering.

The commonly suggested WMI query uses Win32_IP4RouteTable:

SELECT * FROM Win32_IP4RouteTable
WHERE ((Mask='255.255.255.255' AND NextHop='127.0.0.1')
AND (Destination LIKE '10.31.%'))

This approach has several limitations:

  • Only works for directly connected networks
  • Relies on routing table which may not reflect actual IP configuration
  • Doesn't account for multiple network interfaces

Here's a more robust WMI filter that examines all network adapters:

SELECT * FROM Win32_NetworkAdapterConfiguration
WHERE IPEnabled = TRUE
AND (IPAddress LIKE '192.168.1.%' OR IPAddress LIKE '10.0.100.%')

For more precise range filtering, match the subnet mask as well (here a /24, written in dotted form as 255.255.255.0), so that an adapter with a 192.168.1.x address but a different prefix length is excluded:

SELECT * FROM Win32_NetworkAdapterConfiguration
WHERE IPEnabled = TRUE
AND SubnetMask = '255.255.255.0'
AND (IPAddress LIKE '192.168.1.%')

For complex network ranges that LIKE patterns cannot express cleanly, evaluate the address in PowerShell instead (for example from a startup script, as a WMI filter itself only accepts WQL). This check returns $true when any IPv4 address on the computer falls within 10.100.0.0 to 10.199.255.255:

# Collect every IPv4 address on IP-enabled adapters, not just the first entry of the first adapter
$addresses = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -eq $true } |
    ForEach-Object { $_.IPAddress } |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }   # skip IPv6 entries

foreach ($ip in $addresses) {
    $octets = $ip -split '\.' | ForEach-Object { [int]$_ }
    # Match 10.100.0.0 through 10.199.255.255
    if ($octets[0] -eq 10 -and $octets[1] -ge 100 -and $octets[1] -le 199) {
        return $true
    }
}
return $false

Additional recommendations:

  • Always test WMI filters in a non-production environment first
  • Combine with security filtering for more precise targeting
  • Consider network latency when using complex WMI queries
  • Document all IP-based GPO filters in your change management system

If your WMI filter isn't working:

  1. Verify WMI service is running on target computers
  2. Check firewall settings for WMI traffic
  3. Use gpresult /h report.html to verify filter evaluation (a GPO blocked by the filter is listed under Denied GPOs with the reason "WMI Filter")
  4. Test the query directly using WBEMTest or PowerShell