AD GPO WMI filtering query

sakthiganesh s 20 Reputation points
2025-11-17T11:20:22.3333333+00:00

Hi Team,

I have one query, related to Active Directory. I don't see the right tag for it.

We want to deploy a software restriction policy which should install an agent on writable DCs only, not on the read-only domain controllers. In security filtering we want to add Authenticated Users, but we need to ensure it applies to writable DCs only, not to RODCs. Is there any WMI filter to achieve this, so that we don't need to do anything when we add a writable DC or an RODC in future and the GPO will work without any manual intervention?


Moved from: Sysinternals


Answer accepted by question author
  1. Quinnie Quoc 7,625 Reputation points Independent Advisor
    2025-11-17T23:13:33.7266667+00:00

    Hi sakthiganesh s,

    Thank you for your question. To ensure your software restriction policy applies only to writable domain controllers and excludes Read-Only Domain Controllers (RODCs), you can use a WMI filter based on the DomainRole property.

    Here’s a recommended WMI query:

    ```wql
    SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5
    ```

    This targets only Primary Domain Controllers. If you also want to include Backup Domain Controllers, use:

    ```wql
    SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 4 OR DomainRole = 5
    ```

    This approach ensures that your GPO dynamically applies to writable DCs—even when new ones are added—without manual updates. You can still use Authenticated Users in security filtering, and the WMI filter will handle the scope.

    If this solution meets your needs, please click “Accept Answer” so others can benefit too.

    Thank you so much!!

    Best regards,

    QQ.


1 additional answer

  1. Q&A Assist
    2025-11-17T11:20:34.84+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To achieve the deployment of a software restriction policy that applies only to writable Domain Controllers (DCs) and not to Read-Only Domain Controllers (RODCs), you can utilize WMI filtering in Group Policy. WMI filters allow you to specify conditions that must be met for the GPO to apply.

    For your scenario, you can create a WMI filter that checks the role of the DC. Specifically, you can use a WMI query that checks for the presence of the writable DC role. Here is an example of a WMI query that you might use:

    ```wql
    SELECT * FROM Win32_ComputerSystem WHERE DomainRole = "4" OR DomainRole = "5"
    ```

    In this query, the DomainRole property indicates the role of the computer in the domain:

    • 4 corresponds to a primary domain controller (PDC)
    • 5 corresponds to a backup domain controller (BDC)

    This filter would ensure that the GPO only applies to writable DCs. You can link this WMI filter to your GPO, and it will automatically apply to any new writable DCs added in the future without requiring manual intervention.

    Make sure to test the WMI filter in a controlled environment before deploying it widely to ensure it behaves as expected.



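Both answers above propose a `Win32_ComputerSystem.DomainRole` filter, and both recommend testing it before linking it to a production GPO. The script below is an added example, not code from the question, either answer, or Microsoft; it evaluates the same WQL text locally the way Group Policy does (a WMI filter is "true" on a host when the query returns at least one instance) and then compares that outcome with the DC type that Active Directory itself reports. The `DomainRole` value names in the script are the documented enumeration for `Win32_ComputerSystem` (4 = Backup Domain Controller, 5 = Primary Domain Controller); because that enumeration carries no read-only indication, the script cross-checks `IsReadOnly` from `Get-ADDomainController`. It assumes it is run on the domain controller being checked, with the RSAT ActiveDirectory module available; the `$WqlFilter` variable and the two function names are mine.

```powershell
# Added example: evaluate a GPO-style WQL filter on the local host and
# cross-check the result against AD's own read-only flag for this DC.
# Assumptions: runs on the DC under test, ActiveDirectory module installed.

# The WQL text exactly as it would be pasted into the GPMC WMI filter editor.
$WqlFilter = 'SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 4 OR DomainRole = 5'

# Documented Win32_ComputerSystem.DomainRole values.
$DomainRoleNames = @{
    0 = 'Standalone Workstation'
    1 = 'Member Workstation'
    2 = 'Standalone Server'
    3 = 'Member Server'
    4 = 'Backup Domain Controller'
    5 = 'Primary Domain Controller'
}

function Test-WmiFilterLocally {
    param([Parameter(Mandatory)][string]$Query)
    # Group Policy treats a WMI filter as matching when the query returns at
    # least one instance; an empty result set filters the GPO out on this host.
    $result = Get-CimInstance -Query $Query -ErrorAction Stop
    return [bool](($result | Measure-Object).Count)
}

function Get-LocalDcStatus {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $role = [int]$cs.DomainRole
    $isDc = $role -ge 4

    $isReadOnly = $null
    if ($isDc) {
        # DomainRole has no read-only flag, so ask AD which kind of DC this is.
        Import-Module ActiveDirectory -ErrorAction Stop
        $dc = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction Stop
        $isReadOnly = [bool]$dc.IsReadOnly
    }

    [pscustomobject]@{
        ComputerName       = $cs.Name
        DomainRole         = $role
        RoleName           = $DomainRoleNames[$role]
        IsDomainController = $isDc
        IsReadOnly         = $isReadOnly
    }
}

$status        = Get-LocalDcStatus
$filterMatches = Test-WmiFilterLocally -Query $WqlFilter
# The intended scope from the question: writable DCs only.
$shouldApply   = $status.IsDomainController -and -not $status.IsReadOnly

$status | Format-List
"WMI filter matches this host : $filterMatches"
"GPO should apply on this host: $shouldApply"
if ($filterMatches -ne $shouldApply) {
    Write-Warning 'Filter outcome disagrees with the DC type reported by AD; the WQL alone does not enforce the writable-only scope on this host.'
}
```

Run it once on a writable DC and once on an RODC: if the warning appears on the RODC, the filter is matching there too and a second scoping mechanism (for example, a security group that holds only writable DCs, or denying the GPO to the RODC computer accounts) is needed alongside the WMI filter.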
