Yes, although the one caveat when linking a single GPO to
multiple containers is that the security filter is stored on the GPO, not the
link. This means that it can get complex if you're using security groups to
filter GP application and you have machines/users that are members of groups
that span multiple containers.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, April 02, 2006 6:44 PM
To: [email protected]
Subject: RE: [ActiveDir] Link single GPO to multiple OUs using script or something
Linking a single GPO to multiple OUs is a good valid
design, have seen this several times myself and really liked it. Best layout I
have seen used it in fact.
Consider

BuildingCode
  Group - buildingcode-admins
  Workstations
    Group - buildingcode-wsadmins
    Level0100
      Workstation - c1
      Workstation - c2
      Workstation - c3
      Workstation - c(n)
    Level0200
      Workstation - c1
      Workstation - c2
      Workstation - c3
      Workstation - c(n)
    Level0300
      etc
  Servers
    Group - buildingcode-srvadmins
    FilePrint
      Group - buildingcode-FilePrint-Admins
      Group - buildingcode-FilePrint-Group1
      Group - buildingcode-FilePrint-Group2
      Group - buildingcode-FilePrint-Group(n)
      Server - S1
      Server - S2
      Server - S(n)
    SomeApp
      Group - buildingcode-SomeApp-Admins
      Group - buildingcode-SomeApp-Group1
      Group - buildingcode-SomeApp-Group2
      Group - buildingcode-SomeApp-Group(n)
      Server - S1
      Server - S2
      Server - S(n)
    etc

With hundreds of building codes in a domain or across
multiple domains in a forest. You want the same GPO levels for the workstations
in each of the subou's. So you link the Level0100 GPO to the Level0100 OUs. You
don't have the mess and possible issues with group filtering where the computer
gets added to multiple groups (or the ACL used to filter gets dorked up or
reset) and local WS-ADMINS can control the GPO applied to the machines at their
site.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 01, 2006 3:27 AM
To: [email protected]
Subject: RE: [ActiveDir] Link single GPO to multiple OUs using script or something
I may have missed earlier parts to this thread, but have
you considered adding all laptops to a group and then applying a laptops GPO at
some higher level in the OU hierarchy, filtered by the group just
mentioned?
I would also re-assess the OU hierarchy and whether it is
relevant and appropriate. If you encounter the need to link the same GPO in 50+
places, then perhaps the OU hierarchy needs to be revamped /
re-designed.
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: 01 March 2006 08:11
To: [email protected]
Subject: RE: [ActiveDir] Link single GPO to multiple OUs using script or something
Should be working - just create an example OU with the
specific settings, adfind gPLink and gPOptions into variables (actually
gPOptions: read it once and set it statically without reading in a variable) and
use admod to write the gPLink and gPOptions-attributes of the other
OUs.
Ulf
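
Writing one OU's gPLink onto other OUs replaces whatever links those OUs already carry, so a merge is safer than a straight copy. The Python below is an added example, not part of the original thread: it parses gPLink, adds the GPO only where it is missing, and produces LDIF to review before import. The GUIDs, OU names, domain and helper names are constructed placeholders, and DNs are assumed to be plain ASCII.

```python
import re

# A gPLink value is a run of [LDAP://<GPO DN>;<options>] entries with no separator.
# Options: 0 = link enabled, 1 = link disabled, 2 = enforced.
LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)

def parse_gplink(value):
    """Split a gPLink string into [(gpo_dn, options), ...] in stored order."""
    return [(dn, int(opt)) for dn, opt in LINK_RE.findall(value or "")]

def add_link(value, gpo_dn, options=0):
    """Return the gPLink with gpo_dn linked, keeping every existing entry."""
    links = parse_gplink(value)
    if any(dn.lower() == gpo_dn.lower() for dn, _ in links):
        return value or ""          # already linked: do not touch its options
    # Entry order sets link precedence, so existing entries keep their order;
    # appending at the end is this example's choice, review it before import.
    links.append((gpo_dn, options))
    return "".join(f"[LDAP://{dn};{opt}]" for dn, opt in links)

def plan_ldif(current, gpo_dn):
    """current maps OU DN -> gPLink as read (None if unset). Returns LDIF text
    that changes only the OUs where the GPO is not linked yet."""
    records = []
    for ou_dn, old in sorted(current.items()):
        new = add_link(old, gpo_dn)
        if new != (old or ""):
            records.append(f"dn: {ou_dn}\nchangetype: modify\n"
                           f"replace: gPLink\ngPLink: {new}\n-\n")
    return "\n".join(records)

# Constructed sample data: GUIDs, OU names and domain are placeholders.
LAPTOP_GPO = "CN={11111111-1111-1111-1111-111111111111},CN=Policies,CN=System,DC=example,DC=com"
OTHER_GPO = "CN={22222222-2222-2222-2222-222222222222},CN=Policies,CN=System,DC=example,DC=com"
SAMPLE = {
    "OU=Laptops,OU=SiteA,DC=example,DC=com": None,
    "OU=Laptops,OU=SiteB,DC=example,DC=com": f"[LDAP://{OTHER_GPO};2]",
    "OU=Laptops,OU=SiteC,DC=example,DC=com": f"[LDAP://{LAPTOP_GPO};1]",
}

if __name__ == "__main__":
    print(plan_ldif(SAMPLE, LAPTOP_GPO))
```
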
Thanx, I will test it out :-)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Wednesday, March 01, 2006 8:55 AM
To: [email protected]
Subject: Re: [ActiveDir] Link single GPO to multiple OUs using script or something
moreover, I will see if I can create a combination of adfind and admod to achieve this.
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
On 2/28/06, Ulf B. Simon-Weidner <[EMAIL PROTECTED]> wrote:
You can do this with a simple VBS, LDIF-File or whatever is convenient for you to change AD since you only need to modify the gPLink- and gPOptions-Attributes. Look at the following example from the Technet Scriptcenter:
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Monday, February 27, 2006 11:12 PM
To: [email protected]
Subject: [ActiveDir] Link single GPO to multiple OUs using script or something
Basically, we have > 50 Location OUs each having different sub OUs for servers, desktops, laptops.
My problem is I want to apply policy to all laptops, but I don't have all laptops with XP, some are win2K.
So can't use a WMI query to filter out desktops and servers and create single policy.
So only option left is create a policy and link it to so many OUs.
Is it possible to link a single GPO to multiple OUs using script or utility like admod.exe?
Thanks in advance
--
Kamlesh
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Be the change you want to see in the World"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
