Group Policy WMI filter to run when file doesn't exist

elliott-it
I have a group policy that I only want to run when a file does not exist.

I have a WMI filter that works when the file exists but am not sure how to turn this around to work the other way for the Group Policy.

Here is the WMI filter I have, essentially I want this to only run when this file doesn't exist.

Select * From CIM_Datafile Where Name = 'C:\\Tools\\Build6\\NewBuild.log'

I have tried using the <> (not equal) but a gpupdate just hangs.

Thanks
BRad
bluntTony
Head of ICT
Top Expert 2009

Commented:
Unfortunately WMI doesn't support a NOT filter. A GPO is applied only if the resulting data set from the query returns at least one result.
What settings are you trying to apply? It might be more suited to a startup/login script?
Another possible option is to have two GPOs. One which applies the required settings you want on the machines without this file, the other which configures conflicting settings and uses your WMI filter above. As long as this GPO is higher in precedence, this would work, although slightly convoluted!
bluntTony
Head of ICT
Top Expert 2009

Commented:
Actually, just to clarify, WQL does support the NOT operator, i.e.
Select * From CIM_Datafile Where NOT Name = 'C:\\Tools\\Build6\\NewBuild.log'
...but if you think about it, that query is going to search the entire server's file system and return every single file that isn't that one, which -
1. Will cause the refresh to take an age.
2. That query is going to return TRUE (i.e. 1 or more results from the query) on all machines whether they have that file or not (as they're always going to have other files on them!).
So while strictly speaking the syntax is there, you can't use it for your purposes.
I would say if you can, script it. Let us know what settings you're trying to apply and I'll give you a hand with some VB Script if you're interested.
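
An added example, not part of the original answers: a PowerShell check that runs each query from this thread locally and reports whether it would make a WMI filter TRUE (at least one result), so a filter can be tried on a test machine before it is linked to a GPO. `Test-GpoWmiFilter` is a hypothetical helper name and the 30-second timeout is an assumed value.

```powershell
# Added example: evaluate a WQL query by the rule described above
# (the filter is TRUE when the query returns at least one instance).
# Test-GpoWmiFilter is a hypothetical helper name, not a built-in cmdlet.
function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)] [string] $Query,
        [string] $Namespace = 'root\cimv2',
        [uint32] $TimeoutSec = 30   # assumed budget for the test run
    )
    $timer  = [System.Diagnostics.Stopwatch]::StartNew()
    $status = 'Completed'
    $first  = $null
    try {
        # One instance is enough to make the filter TRUE, so stop at the first.
        $first = Get-CimInstance -Namespace $Namespace -Query $Query `
                     -OperationTimeoutSec $TimeoutSec -ErrorAction Stop |
                 Select-Object -First 1
    } catch {
        # Timeouts and WQL syntax errors end up here.
        $status = "Failed: $($_.Exception.Message)"
    }
    $timer.Stop()
    [pscustomobject]@{
        Query      = $Query
        FilterTrue = [bool]$first
        Status     = $status
        # Time to the first result only; a full enumeration takes longer.
        Seconds    = [math]::Round($timer.Elapsed.TotalSeconds, 2)
    }
}

# Path from the question, with backslashes doubled as WQL requires.
$path = 'C:\\Tools\\Build6\\NewBuild.log'
@(
    "Select * From CIM_Datafile Where Name = '$path'"
    "Select * From CIM_Datafile Where NOT Name = '$path'"
) | ForEach-Object { Test-GpoWmiFilter -Query $_ } | Format-Table -AutoSize
```

On a machine without the log file the first query reports FilterTrue = False and the NOT query reports True; on a machine with the file both report True, which is why the NOT form cannot separate the two cases.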

Author

Commented:
What I am actually trying to achieve relates to an automated build process.

We currently have a set of GPOs which apply to all desktops/servers and laptops. One of these is a disclaimer GPO which puts the legal text in before you log on, e.g. CTRL-ALT-DEL and then the legal text is displayed and you need to click enter to continue.

What I want to do, is for any new build which relies on an automated login process to install apps and configure the build, is to not have this applied as it breaks the autologin.

If I can't get the WMI filter to stop this GPO applying based on this file, I guess I will have to re-code the "add to domain" script to use a separate OU which doesn't have this GPO applied.

Head of ICT
Top Expert 2009
Commented:
So the logic is : if the file does not exist, then apply the disclaimer?
How about a GPO which says : if the file does exist, then disable the disclaimer? Put this GPO at the same link level (domain or OU) but at a higher precedence to one which applies the disclaimer to ALL PCs. That way the disclaimer will only apply to those PCs where the file does not exist, as the 'disable' setting will overrule the conflicting 'enable'.
My only concern with using CIM_Datafile is that whatever the outcome of the query, it could take quite a while for the query to run which could slow things up (it queries all drives on the machine). I've never used it in a WMI filter so couldn't be 100% but you could test it.
Other than that, you could modify the 'join to domain' script to add the new machine to a security group. Then deny that security group 'read and apply' permissions to the GPO applying the disclaimer. Then once the build is done, remove the machine from the group.
Just some thoughts...

Author

Commented:
Very nice, thanks for that, I think I will go with the group.

The concern you raise over the CIM_Datafile is valid as I had the gpupdate hangs a few times which could cause some serious bootup issues across the global network, not really worth the risk.

Now I just need to figure out the vb code to add a machine to a group.

Author

Commented:
Update on how I got around this.

I call this batch file in the build process which adds the machine to the group just after the machine is added to the domain.

The group has deny read and apply GPO rights on the offending GPO.

The dsmod and dsquery apps I have on the public shared folder on the network but are also added to the machines as part of the build process.

I then run a similar command (but to remove group membership) at the end of the build process.

Works well, thanks for your help Blunttony.
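@echo off
rem Look up this computer's distinguished name in Active Directory.
rem dsquery prints it already wrapped in double quotes.
for /f "tokens=*" %%a in ('dsquery computer -name %COMPUTERNAME%') do (
 set fqdn=%%a
)

rem Add the computer to the group that is denied read/apply on the GPO.
dsmod group "CN=GPOBypass,OU=Application Groups,OU=LON,OU=UK,DC=COMPANY,DC=CO,DC=UK" -addmbr %fqdn%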

bluntTony
Head of ICT
Top Expert 2009

Commented:
Good to know you got it sorted. Thanks for posting this additional info.
