dkitts asked:
How can I apply a GPO to an OU full of computers but only have it run on a few specific computers?

I have an OU at the root of AD that is full of computers and sub-OUs that also contain other computers. I need to apply a GPO to all of these computers that will run a script. However, I don't want every computer to actually run it. Only a certain group of computers can run this GPO script. I want to create a group, put the computers in the group, then apply the permissions to that group to run the GPO. Now other computers in the OU or sub-OUs should be affected by this. I also have another OU on the root that contains all of my users. I have tried this so far and ran an RSOP and do not see the policy getting applied to my test PC. The test PC is in the group and has had gpupdate /force run on it. I appreciate any help. Thanks.
ASKER CERTIFIED SOLUTION by LauraEHunterMVP (solution text only available to Experts Exchange members; not shown)
sk_raja_raja:

Create a new GPO, move the users that need to have this GPO applied to an OU, link the GPO to this OU and enforce it.

Don't link the GPO on the parent OU; link it only to the OU it needs to be applied to.
Use security filtering.

- Right mouseclick on the OU -> properties -> Group policy tab
- Select the GPO you want to apply -> properties -> security tab
- Add the group that you need to apply the policy to
- Select the 'read' and 'apply group policy' checkbox
- Remove the 'authenticated users group'

Keep in mind that you can't apply a computer setting to a user object and you can't apply a user setting to a computer object.
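The same security-filtering setup done with the GroupPolicy and ActiveDirectory PowerShell modules, as an added example (not code from this thread). The GPO name, OU distinguished name, group name and computer names are assumed placeholders. It also handles the two things the click-path above leaves out. First, the Apply Group Policy check for user-side settings is made against the user's token even in loopback mode, so a GPO filtered only to a computer group never delivers user settings; the usual layout is Read+Apply for both the computer group (so only those machines turn on loopback and process the computer side) and a user group such as Domain Users. Second, since MS16-072 (June 2016) user settings are read in the computer's security context, so Authenticated Users must keep Read on the GPO; the script downgrades it to Read rather than removing it as step 5 above says. A computer added to the group needs a reboot before the new group SID is in its token and the filter matches.

```powershell
# Added example: filter a GPO to a computer group plus a user group, with loopback
# merge mode, using the GroupPolicy/ActiveDirectory modules (RSAT on the admin box).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Targeted-Uninstall'                  # assumption
$TargetOU  = 'OU=Workstations,DC=corp,DC=example'  # assumption: OU holding the computers
$GroupName = 'GPO-Uninstall-Targets'               # assumption: global security group
$Targets   = 'PC01', 'PC02'                        # assumption: target computer names

# 1. Group and GPO, linked to the OU that contains the computer objects (not the users' OU).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $TargetOU
}
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU | Out-Null }

# 2. Loopback processing (computer-side setting): UserPolicyMode 1 = merge, 2 = replace.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 3. Security filtering. GpoApply grants Read + Apply Group Policy.
#    - computer group: gates which machines process the computer side (and so loopback)
#    - Domain Users: lets the user side apply once loopback is on
#    - Authenticated Users: Read only, kept for MS16-072 (computer must be able to read)
Set-GPPermission -Name $GpoName -TargetName $GroupName   -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Domain Users' -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Membership. Each target must reboot before its token carries the new group SID.
foreach ($pc in $Targets) {
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $pc)
}

# 5. Verify the resulting ACL on the GPO.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission
```

On a target after the reboot, an elevated `gpresult /scope computer /r` lists the GPO under Applied Group Policy Objects only for members of the group; `gpresult /scope user /r` for a logged-on user shows the user-side settings arriving through loopback. As noted above, a computer that was added to the group but has not rebooted still shows the GPO as filtered out by security.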
SOLUTION (solution text only available to Experts Exchange members; not shown)
dkitts (asker):

I need to clear up a couple of things here. I was able to get the script to run as a startup script. However, I cannot do that. The script must be set to run under the user configuration and only against a group that contains the target computers. The reason I cannot run this as a startup script is that the script that gets launched makes a call to a 2nd script. The 2nd script never gets launched because after the 1st script finishes, the startup script process ends and logs in to the computer. The 2nd script that gets called via the 1st script gets cancelled out somehow. Now I do know for a fact that if I run script1 manually it will make a call to a 2nd script with no problem at all.

So here is what I have now. I have a new GPO. I assigned it to the OU where my target computers are located. Not all computers in the OU are targets. The security filter is applied to a group that contains those target computers. In a whole other separate OU are my user accounts. I now need to launch this script in the user config section of the GPO as a logon script, not a startup script.

The reason behind all of this is that I am trying to launch a VBS script on these computers. This 1st script starts up a 2nd script with elevated admin privileges so that I can remotely uninstall an app off some users' desktops.
Here is what the 1st script is doing:
\\server1\netlogon\cpau.exe -u mydomain\UserID -p PASSWORD -ex "c:\windows\system32\wscript.exe \\server1\netlogon\ProjectUninstall\rollout.vbs"
The cpau is like a runas command except that it passes the user ID and password in one command.
So my script launches rollout.vbs (the 2nd script) with admin privileges. This 2nd script will not launch if I do a computer configuration startup script.

I hope this helps because I am really frustrated.

Thanks for all the help
Have you incorporated any previous suggestions/questions, in re: configuring Loopback processing and rebooting the target computers to refresh their security group memberships?
dkitts (asker):

yes I have.
dkitts (asker):

I take that back.... I can not move users to another OU. They need to stay where they are.
So you have configured the script in a GPO that is linked to the OU containing your computer objects, you have configured Loopback processing on that GPO.  You have created a security group containing the computer accounts that you want the script to run on, and you have rebooted all of these computers to refresh their security group memberships.

Assuming that you have done all of these things, what is the result of an RSoP report that is run against a representative user/computer?
dkitts (asker):

Correct.
I have an OU called TEST. In the TEST OU is my computer.
Loopback is enabled (merge)
Security Group contains my computer from the TEST OU.
I just rebooted before writing this reply.

Now if I put the script in the Computer Config of the GPO and apply it to the Security Group that I created, I can then reboot and it will run but it will not allow that script to launch a 2nd script from within the 1st script. If I run an RSOP against my user id and my computer (from the TEST OU) it shows me the script is applied to the startup scripts in the Computer Config section.

Now if I put the script in the User Config of the GPO and apply it to the Security Group (which contains my computer in the TEST OU) it never gets seen by my computer, even if I reboot. I have to add the domain users or my actual id in to the Security Filter for it to be seen. The RSOP will not show the script until I add domain users or my account to the Security Filter.

If this script gets run as a User Config of the GPO, login script it will launch that 2nd script for me. The problem here is that this is applied to a list of users and not machines. I have a very specific target list of computers that I need to hit.
If I put the script in the Computer Config section of the GPO, it will never launch the 2nd piece that I need.

I have to have the 2nd script launched with elevated privs. Otherwise the uninstall I am trying to do will not work with regular user account permissions.

thanks
Out of curiosity, if the purpose of this script is to perform a software uninstall, why not just launch the uninstall script from an admin workstation using psexec against a list of target machines? This sounds as though you might be making your life more complicated than it needs to be.
dkitts (asker):

I wanted to keep control of this because I know there will be more of this to come in the future. I am trying to setup a process that I can easily replicate down the road for similar tasks.

Do you know a way to run a single script and inside of the script elevate the privs of a command?
Not without embedding credentials, no.  The kind of thing you're describing is something I'd use something like SMS/SCCM for, or scheduled psexec tasks if budget is at issue.
dkitts (asker):

Laura I am assigning you the points. Thanks for the help everyone.

The reason I am assigning Laura the points is this. She had me reboot, which did update the computer policy. I found that if you apply a computer policy (for example a startup script like I was doing) this will not take effect on the PC until the PC has been rebooted. The RSOP would not show the startup script until after I did a reboot.

An annoying thing I learned in this is that if you use a startup script, once that single script you launched is finished the machine finishes logging in. So if you had a 2nd script called via the first script, that 2nd script will not get launched because the PC thinks it is done and starts logging in now. Startup scripts will happen as the PC starts up.

So to solve my problem about launching a 2nd script via a 1st script, here is what I did. I made a security group and put all the target computers in it that I want to run this script on. I created a new GPO on the Users OU and applied the security filter to Domain Users. I removed Authenticated Users from the security filter. I told the script to run as a User Config logon script. I pointed it to the 1st script I want to run. That 1st script then launches a 2nd script with admin privs. The 2nd script finds out the name of the PC running the script. It then looks at my security group and asks: is this PC a member of this group? If the PC is a member of the security group, it then processes my uninstall string.

So I target every user no matter which PC they are on. The script runs anywhere; it doesn't care where. However, if the machine the user logs in to is not in the group, the script will not finish. It quits.

So, in a cumbersome nutshell, that is how I've accomplished this. It's not pretty, but it definitely works.

Thanks for all the help
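The asker's final design (a script that runs everywhere, checks whether the local computer is in the target group, and only then runs the uninstall) written as a PowerShell script, as an added example that is not the asker's VBS and not part of the thread. The group name, the uninstall command and the product code are assumed placeholders; the log path is an assumption too. The security problem with the cpau line posted earlier is that `-p PASSWORD` leaves an admin password in clear text in a script under NETLOGON, a share every authenticated domain user can read, and in the command line of a running process where any local user can see it. This version needs no credentials at all: linked as a computer startup script it runs as LocalSystem, which already has local admin rights, and it runs the uninstall synchronously with `-Wait`, so nothing is left for the script engine to abandon when the first script ends, which is the symptom the asker hit. Linked as a user logon script instead, it runs as the user and the uninstall will only succeed for users who are local admins.

```powershell
# Added example (not the thread's script): run an uninstall only on computers that are
# members of a target AD group, with no embedded credentials.
# Assumptions: group 'GPO-Uninstall-Targets'; uninstall is an MSI with a placeholder
# product code; log under ProgramData. Intended to be linked as a computer startup script.
param(
    [string]$GroupName     = 'GPO-Uninstall-Targets',                                 # assumption
    [string]$UninstallCmd  = 'msiexec.exe',                                           # assumption
    [string]$UninstallArgs = '/x {00000000-0000-0000-0000-000000000000} /qn /norestart', # placeholder
    [string]$LogPath       = "$env:ProgramData\TargetedUninstall.log"                 # assumption
)

function Test-ComputerInGroup {
    # Look the computer account up by sAMAccountName and check its direct memberOf.
    # The LDAP bind uses the caller's own identity (SYSTEM in a startup script), so no
    # user name or password is needed. Direct membership only: nested groups are not expanded.
    param([string]$ComputerName, [string]$Group)
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domain   = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('memberOf')
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $false }
    $escaped = [regex]::Escape($Group)
    foreach ($dn in $hit.Properties['memberof']) {
        if ($dn -match "^CN=$escaped,") { return $true }
    }
    return $false
}

function Invoke-TargetedUninstall {
    param([string]$Group, [string]$Cmd, [string]$Arguments)
    $stamp = Get-Date -Format s
    if (-not (Test-ComputerInGroup -ComputerName $env:COMPUTERNAME -Group $Group)) {
        Add-Content -Path $LogPath -Value "$stamp $env:COMPUTERNAME is not in $Group, skipping"
        return 0
    }
    # -Wait keeps this script, and so the Group Policy script engine, alive until the
    # uninstall finishes; nothing is spawned and left behind.
    $proc = Start-Process -FilePath $Cmd -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    # msiexec: 0 = success, 3010 = success but reboot required, 1605 = product not installed
    Add-Content -Path $LogPath -Value "$stamp $Cmd exited with $($proc.ExitCode)"
    return $proc.ExitCode
}

exit (Invoke-TargetedUninstall -Group $GroupName -Cmd $UninstallCmd -Arguments $UninstallArgs)
```

Because the membership test happens inside the script, the GPO itself can be linked broadly (the asker's "target every user" placement) or, better, filtered to the same group with the earlier example so the script is not even fetched by uninvolved machines. Either way the credentials that cpau carried are gone, which is the point Laura made when she said this cannot be done in a single script "without embedding credentials" and suggested psexec or SCCM instead.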