RE: [ActiveDir] Link single GPO to multiple OUs using script or something

[Brian Desmond]

Yeah I do something like this with about 650 sites   SiteTypeA             SiteName-Code                         gg-SiteName-Tech (group)                         Computers                                     gg-SiteName-DesktopAdmins (group)                                     Workstations                                     Laptops                                     Servers                         Users                                     gg-SiteName-UserAdmins (group)                                     userTypeA                                     userTypeB                         Groups              SiteTypeB             SiteName-Code                         gg-SiteName-Tech (group)                         Computers                                     gg-SiteName-DesktopAdmins (group)                                     Workstations                                     Laptops                                     Servers                         Users                                     gg-SiteName-UserAdmins (group)                                     userTypeA                                     userTypeB                         Groups     Thanks, Brian Desmond [EMAIL PROTECTED]   c - 312.731.3132     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, April 02, 2006 9:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Link single GPO to multiple OUs using script or something   LInking a single GPO to multiple OUs is a good valid design, have seen this several times myself and really liked it. Best layout I have seen used it in fact.   Consider   BuildingCode     Group - buildingcode-admins     Workstations             Group - buildingcode-wsadmins             Level0100                 Workstation - c1                 Workstation - c2                 Workstation - c3                 Workstation - c(n)             Level0200                 Workstation - c1                 Workstation - c2                 Workstation - c3                 Workstation - c(n)             Level0300             etc     Servers             Group - buildingcode-srvadmins             FilePrint                 Group - buildingcode-FilePrint-Admins                 Group - buildingcode-FilePrint-Group1                 Group - buildingcode-FilePrint-Group2                 Group - buildingcode-FilePrint-Group(n)                 Server - S1                 Server - S2                 Server - S(n)             SomeApp                 Group - buildingcode-SomeApp-Admins                 Group - buildingcode-SomeApp-Group1                 Group - buildingcode-SomeApp-Group2                 Group - buildingcode-SomeApp-Group(n)                 Server - S1                 Server - S2                 Server - S(n)              etc     With hundreds of building codes in a domain or across multiple domains in a forest. You want the same GPO levels for the workstations in each of the subou's. So you link the Level0100 GPO to the Level0100 OUs. You don't have the mess and possible issues with group filtering where the computer gets added to multiple groups (or the ACL used to filter gets dorked up or reset) and local WS-ADMINS can control the GPO applied to the machines at their site.         -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, March 01, 2006 3:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Link single GPO to multiple OUs using script or something I may have missed earlier parts to this thread, but have you considered adding all laptops to a group and then applying a laptops GPO at some higher level in the OU hierarchy, filtered by the group just mentioned?   I would also re-assess the OU hierarchy and whether it is relevant and appropriate. If you encounter the need to link the same GPO in 50+ places, then perhaps the OU hierarchy needs to be revamped / re-designed.   neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner Sent: 01 March 2006 08:11 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Link single GPO to multiple OUs using script or something Should be working - just create a example OU with the specific settings, adfind gPLink and gPOptions into variables (actually gPOptions: read it once and set it statically without reading in a variable) and use admod to write the gPLink and gPOptions-attributes of the other OUs.   Ulf     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar Sent: Wednesday, March 01, 2006 8:55 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Link single GPO to multiple OUs using script or something Thanx, I will test it out  :-) moreover, I will see if I can create a combination of adfind and admod to achieve this. -- Kamlesh ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Be the change you want to see in the World" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ On 2/28/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote: You can do this with a simple VBS, LDIF-File or whatever is convenient for you to change AD since you only need to modify the gPLink- and gPOptions-Attributes. Look at the following example from the Technet Scriptcenter: http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/adouvb01.mspx Gruesse - Sincerely, Ulf B. Simon-Weidner   MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz   Weblog: http://msmvps.org/UlfBSimonWeidner   Website: http://www.windowsserverfaq.org   Profile:    http://mvp.support.microsoft.com/profile="">        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar Sent: Monday, February 27, 2006 11:12 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Link single GPO to multiple OUs using script or something Basically, we have > 50 Location OUs each having different sub OUs for servers, desktops, laptops. My problem is I want to apply policy to all laptops, but I don't have all laptops with XP, some are win2K. So can't use a WMI query to filter out dekstops and servers and create single policy. So only option left is create a policy and link it to so many OUs. Is it possible to link a single GPO to multiple OUs using script or utility like admod.exe Thanks in advance -- Kamlesh ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "Be the change you want to see in the World" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.