Link GPO to Computers

Posted on 2009-04-20
Last Modified: 2012-05-06
I need to link a GPO to my domain computers.  Since all of my computers are in the Computers in AD (which isn't really a OU), how can I do this?

Will my Active Directory break if I create another OU and move the computers there?
Question by:vetted
    LVL 47

    Expert Comment

    you can either link the gpo to your whole domain and leave the computers or create another ou and move the computers

    Author Comment

    The reason I'm asking this is b/c I just installed WSUS for the Windows Updates.  I currently have the GPO linked to the entire domain, but unless I specifically add the computer name in the Security Filtering of the GPO, the computers do not show up in the WSUS Administration Console.  I assumed they should probably be in their own OU and I could link it to that OU instead of adding each one by itself.
    LVL 47

    Accepted Solution

    Try under security filtering add "Authenticated Users" , the "Domain Computers" are members of this group
    LVL 6

    Expert Comment

    hi vetted
    you cannot link a gpo on "computers".. that's just a folder
    if you move your computers to a new OU .. it will be fine and will not break anything..
    If you want to test.. you can create new OU and try to move 1 computer inside it and test it.. it should work with no problems
    About your Wsus.. it should have option that wsus administration should also look for other folders which you specify for computers.. by default for computers it looks into "my computer" folder
    LVL 4

    Expert Comment

    Definately create an OU structure for the computers, it'l make life easier and they will still pick up the domain/site gpo's.

    Author Closing Comment

    I chose this answer because it required the least amount of work on my part. As soon as I did that and ran wuauclt /detectnow on one of the computers for testing, it showed up in the WSUS console.  I decided that I did not want to move the computers to another OU since this did work because that just means more upkeep when adding new computers to the domain. Thanks everyone!
    LVL 57

    Expert Comment

    by:Mike Kline
    I'd first go with what dstewart suggested.   I'd also run an RSoP report against one of those computers.  The GPO you linked at the domain level should be getting the policy.
    The RSoP report should help you determine why it is not applying to them (security filtering or blocked inheritance, etc)

    Featured Post

    PRTG Network Monitor: Intuitive Network Monitoring

    Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

    Join & Write a Comment

    I'm sure that every Windows systems administrator has written, or at least used, a batch or VBS login script at some point in their career, whether it is to map network drives, install printers, or set some user preferences.  No more! With Window…
    This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now