Solved

How can I apply a GPO to an OU full of computers but only have it run on a few specific computers?

Posted on 2008-06-25
14
356 Views
Last Modified: 2008-06-26
I have an OU at the root of AD that is full of computers and sub-OUs that also contain other computers. I need to apply a GPO to all of these computers that will run a script. However, I don't want every computer to actually run it. Only a certain group of computers can run this GPO script. I want to create a group, put the computers in the group, then apply the permissions to that group to run the GPO. Now other computers in the OU or sub-OU should be affected by this. I also have another OU on the root that contains all of my users. I have tried this so far and ran an RSOP and do not see the policy getting applied to my test PC. The test PC is in the group and has had gpupdate /force run on it. I appreciate any help. Thanks.
0
Question by:dkitts
14 Comments
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 125 total points
ID: 21866847
[1] Have you modified the permissions on the GPO so that it only applies to the security group in question?

[2] Have you rebooted the computer accounts since you added them to the security group in question (as this is required to refresh their security group membership)?
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 21866867
Create a new GPO, move the users that need to have this GPO applied to an OU, link the GPO to this OU and enforce it.

Don't link the GPO on the parent OU; link only to the OU this needs to be applied to.
0
 
LVL 5

Expert Comment

by:minvis
ID: 21866998
Use security filtering.

- Right-click the OU -> Properties -> Group Policy tab
- Select the GPO you want to apply -> Properties -> Security tab
- Add the group that you need to apply the policy to
- Select the 'Read' and 'Apply Group Policy' checkboxes
- Remove the 'Authenticated Users' group

Keep in mind that you can't apply a computer setting to a user object and you can't apply a user setting to a computer object.
0
 
LVL 30

Assisted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 125 total points
ID: 21867008
Additionally, is this a user-configured script (login/logout) or a computer-configured script (startup/shutdown)?

If the goal is for users to receive a user-configured script (login) but only when they are logged into a specific group of computers, you will need to define Loopback Processing on the GPO that has been assigned to the computers in question: http://support.microsoft.com/kb/231287
0
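The two answers above (minvis's security-filtering steps and Laura's loopback-processing note) are the manual GPMC clicks. The same configuration can be scripted with the GroupPolicy module that ships with RSAT on Windows Server 2008 R2 and later. The block below is an added example, not code from anyone in this thread; the GPO name, group name and OU path are assumptions. One caveat a practitioner should know: since the MS16-072 update in 2016, user-side policy is read in the computer's security context, so removing Read (not just Apply) from Authenticated Users makes the GPO silently stop applying; the example therefore leaves Read in place and removes only Apply.

```powershell
# Added example (not from the thread): security filtering + loopback processing
# on a GPO via the GroupPolicy module. Names below are assumptions.
Import-Module GroupPolicy

$GpoName   = 'Run-Uninstall-Script'                      # assumed GPO name
$GroupName = 'GPO-Uninstall-Targets'                     # assumed group of target computers
$TargetOU  = 'OU=Workstations,DC=corp,DC=example'        # assumed OU holding the computers

# Create the GPO if it does not exist and link it to the OU with the computers.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

$links = (Get-GPInheritance -Target $TargetOU).GpoLinks | ForEach-Object { $_.DisplayName }
if ($links -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $TargetOU | Out-Null
}

# Security filtering: the computer group gets Read + Apply Group Policy ...
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# ... and Authenticated Users is cut back to Read only (-Replace drops its
# existing Apply right). Read must stay: after MS16-072 the computer account
# reads user-side policy, and with no Read the GPO no longer applies at all.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Loopback processing so the user-side script in this computer-linked GPO
# runs for whoever logs on to a target machine. UserPolicyMode: 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# Verify the resulting ACL. On a target computer, reboot first (the computer's
# group membership lives in its Kerberos token, which is only rebuilt at boot),
# then check with:  gpresult /scope computer /r
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, TrusteeType, Permission
```

The reboot comment is Laura's point from the accepted answer: adding a computer to a group does not change the token the machine already holds, so security filtering on that group is not honoured until the computer logs on to the domain again at startup.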
 

Author Comment

by:dkitts
ID: 21868565
I need to clear up a couple things here. I was able to get the script to run as a startup script. However I can not do that. The script must be set to run under the user configuration and only against a group that contains the target computers. The reason I can not run this as a startup script is because the script that gets launched makes a call to a 2nd script. The 2nd script never gets launched because after the 1st script finishes the startup script process ends and logs in to the computer. The 2nd script that gets called via the 1st script gets cancelled out somehow. Now I do know for a fact that if I run script1 manually it will make a call to a 2nd script with no problem at all.

So here is what I have now. I have a new GPO. I assigned it to the OU where my target computers are located. Not all computers in the OU are targets. The security filter is applied to a group that contains those target computers. In a whole other separate OU are my user accounts. I now need to launch this script in the user config section of the GPO as a logon script, not a startup script.

The reason behind all of this is that I am trying to launch a vbs script on these computers. This 1st script starts up a 2nd script with elevated admin privileges so that I can remotely uninstall an app off some users' desktops.
Here is what the 1st script is doing...
\\server1\netlogon\cpau.exe -u mydomain\UserID -p PASSWORD -ex "c:\windows\system32\wscript.exe \\server1\netlogon\ProjectUninstall\rollout.vbs"
The cpau is like a runas command except that it passes the userid and password in one command.
So my script launches rollout.vbs (the 2nd script) with admin privileges. This 2nd script will not launch if I do a computer configuration startup script.

I hope this helps because I am really frustrated.

Thanks for all the help
0
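The cpau.exe line in the post above puts a domain account's password in clear text on a command line, inside a script on the NETLOGON share that every domain user can read; the same string also shows up wherever process command lines are recorded. Laura's later reply makes the underlying point: elevating from a logon script is not possible without embedding credentials somewhere. The block below is an added example, not code from anyone in this thread, of how a defender can audit the SYSVOL scripts folder for that pattern. The share path and the set of regular expressions are assumptions and illustrate the idea rather than an exhaustive list.

```powershell
# Added example (not from the thread): audit SYSVOL logon/startup scripts for
# embedded credentials. Path and patterns are assumptions.
param(
    [string]$ScriptRoot = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\scripts"
)

# Each pattern marks a credential passed on a command line or stored as a
# literal. The named group "tool" is what gets reported; the secret itself is not.
$Patterns = @(
    '(?<tool>cpau(\.exe)?)\s[^\r\n]*?\s-p\s+\S+',      # cpau -u user -p PASSWORD
    '(?<tool>psexec(\.exe)?)\s[^\r\n]*?\s-p\s+\S+',    # psexec -u user -p PASSWORD
    '(?<tool>net\s+use)\s[^\r\n]*?/user:\S+\s+\S+',    # net use X: \\srv\share /user:x pass
    '(?<tool>runas(\.exe)?)\s[^\r\n]*?/savecred',       # runas /savecred (cached creds)
    '(?<tool>password)\s*=\s*"[^"]+"'                   # password = "..." literals in VBS/PS
)

function Find-EmbeddedCredentials {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Include *.vbs, *.bat, *.cmd, *.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $text = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $text) { return }
        foreach ($p in $Patterns) {
            foreach ($m in [regex]::Matches($text, $p, 'IgnoreCase')) {
                [pscustomobject]@{
                    File = $file.FullName
                    Tool = $m.Groups['tool'].Value
                    # 1-based line number of the hit, computed from the text before the match.
                    Line = ($text.Substring(0, $m.Index) -split "`r?`n").Count
                }
            }
        }
    }
}

Find-EmbeddedCredentials -Root $ScriptRoot | Format-Table -AutoSize
```

Run it from any domain-joined machine with read access to SYSVOL; it reports file, tool and line for each hit without printing the matched password. Pairing the scan with command-line auditing on workstations (process-creation events carry the full command line) catches the same secrets at runtime.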
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21868655
Have you incorporated any previous suggestions/questions, in re: configuring Loopback processing and rebooting the target computers to refresh their security group memberships?
0
 

Author Comment

by:dkitts
ID: 21868699
Yes, I have.
0
 

Author Comment

by:dkitts
ID: 21868711
I take that back.... I can not move users to another OU. They need to stay where they are.
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21868731
So you have configured the script in a GPO that is linked to the OU containing your computer objects, you have configured Loopback processing on that GPO. You have created a security group containing the computer accounts that you want the script to run on, and you have rebooted all of these computers to refresh their security group memberships.

Assuming that you have done all of these things, what is the result of an RSoP report that is run against a representative user/computer?
0
 

Author Comment

by:dkitts
ID: 21868917
Correct.
I have an OU called TEST. In the TEST OU is my computer.
Loopback is enabled (merge)
Security Group contains my computer from the TEST OU.
I just rebooted before writing this reply.

Now if I put the script in the Computer Config of the GPO and apply it to the Security Group that I created, I can then reboot and it will run but it will not allow that script to launch a 2nd script from within the 1st script. If I run an RSOP against my user id and my computer (from the TEST OU) it shows me the script is applied to the startup scripts in the Computer Config section.

Now if I put the script in the User Config of the GPO and apply it to the Security Group (which contains my computer in the TEST OU) it never gets seen by my computer, even if I reboot. I have to add the domain users or my actual id in to the Security Filter for it to be seen. The RSOP will not show the script until I add domain users or my account to the Security Filter.

If this script gets run as a User Config of the GPO, login script it will launch that 2nd script for me. The problem here is that this is applied to a list of users and not machines. I have a very specific target list of computers that I need to hit.
If I put the script in the Computer Config section of the GPO, it will never launch the 2nd piece that I need.

I have to have the 2nd script launched with elevated privs. Otherwise the uninstall I am trying to do will not work with regular user account permissions.

thanks
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21868936
Out of curiosity, if the purpose of this script is to perform a software uninstall, why not just launch the uninstall script from an admin workstation using psexec against a list of target machines? This sounds as though you might be making your life more complicated than it needs to be.
0
 

Author Comment

by:dkitts
ID: 21869086
I wanted to keep control of this because I know there will be more of this to come in the future. I am trying to setup a process that I can easily replicate down the road for similar tasks.

Do you know a way to run a single script and inside of the script elevate the privs of a command?
0
 
LVL 30

Expert Comment

by:LauraEHunterMVP
ID: 21874013
Not without embedding credentials, no. The kind of thing you're describing is something I'd use something like SMS/SCCM for, or scheduled psexec tasks if budget is at issue.
0
 

Author Comment

by:dkitts
ID: 21874287
Laura I am assigning you the points. Thanks for the help everyone.

The reason I am assigning Laura the points is this. She had me reboot which did update the computer policy. I found that if you apply a computer policy (for example a startup script like I was doing) this will not take effect on the PC until the PC has been rebooted. The RSOP would not show the startup script until after I did a reboot.

An annoying thing I learned in this is that if you use a startup script, once that single script you launched is finished the machine finishes logging in. So if you had a 2nd script called via the first script, that 2nd script will not get launched because the PC thinks it is done and starts logging in now. Startup scripts will happen as the PC starts up.

So to solve my problem about launching a 2nd script via a 2nd script here is what I did. I made a security group and put all the target computers in it that I want to run this script on. I created a new GPO on the Users OU and applied the security filter to domain users. I removed authenticated users from the security filter. I told the script to run as a User Config logon script. I pointed it to my 1st script I want to run. That 1st script then launches a 2nd script with admin privs. The 2nd script finds out the name of the PC running the script. It then looks at my security group and says ok, is this PC a member of this group. If the PC is a member of the security group it then processes my uninstall string.

So I target every user no matter which PC they are on. The script runs anywhere; it doesn't care where. However, if the machine the user logs in to is not in the group, the script will not finish. It quits.

So in a cumbersome nutshell. That is how I've accomplished this. It's not pretty but it definitely works.

Thanks for all the help
0
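The "2nd script" in the author's final approach does two things: check whether the machine running it is in the target security group, and only then process the uninstall string. The block below is an added example of that logic in PowerShell, not the author's rollout.vbs and not code from anyone in this thread; the group DN and the MSI product code are placeholders. It goes a little beyond the post in one respect: the group check uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule, so computers that are members through a nested group also qualify, and because the check is answered by the domain controller rather than read from the machine's own token, it does not depend on the reboot that security filtering needs. The script assumes it already runs with rights sufficient to uninstall, which is what the thread's cpau launch provides.

```powershell
# Added example (not from the thread): gate on computer group membership,
# then run the uninstall. Group DN and product code are placeholders.
$GroupDN     = 'CN=GPO-Uninstall-Targets,OU=Groups,DC=corp,DC=example'   # assumed
$ProductCode = '{00000000-0000-0000-0000-000000000000}'                  # placeholder MSI code

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping so a value can be embedded in an LDAP filter safely.
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Test-ComputerInGroup {
    param([string]$ComputerName, [string]$GroupDN)
    # Computer accounts are named "<host>$" in sAMAccountName.
    $sam = ConvertTo-LdapFilterValue ($ComputerName + '$')
    $dn  = ConvertTo-LdapFilterValue $GroupDN
    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: the DC walks nested
    # groups, so the computer matches whether it is a direct or indirect member.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectClass=computer)(sAMAccountName=$sam)(memberOf:1.2.840.113556.1.4.1941:=$dn))"
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    return ($null -ne $searcher.FindOne())
}

# Same decision as the author's 2nd script: not a target machine, so quit.
if (-not (Test-ComputerInGroup -ComputerName $env:COMPUTERNAME -GroupDN $GroupDN)) {
    Write-Verbose "$env:COMPUTERNAME is not in $GroupDN; nothing to do."
    exit 0
}

# Process the uninstall string (silent MSI removal, no forced reboot).
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/x $ProductCode /qn /norestart" -Wait -PassThru
exit $proc.ExitCode
```

Because membership is decided server-side, adding or removing a computer from the group takes effect at the next logon with no reboot; the reboot Laura asked for is still needed for the GPO's own security filtering, which reads the computer's token.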
