Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


How to target systems in different regions

Posted on 2014-03-15
Medium Priority
Last Modified: 2014-03-28
I have to push out a jpg file to for enabling a login banner. I have this working using a gpo to create 2 folders and copy the jpg.

Now I've been told that a different banner needs to be pushed to systems in different regions, i.e. france, china, etc.

Our workstations are in 1 ou, all 8000 of them. so is there a way to target system based on where they reside and be able to push the jpg file to?

Not sure is the subnets that are defined for the site in "sites and services" can be use.

Any thoughts on this?
Question by:rdefino
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +2
LVL 30

Expert Comment

ID: 39931601
Create a sub OU for each region and apply the group policy to each.  That's the purpose of having OUs.

Author Comment

ID: 39931604
so move the systems into the new ou's?
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931605
You can create an GPO based on sites and services..

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Author Comment

ID: 39931611

This is what I was hopejng, but I cannot find how to tie a particular gpo to a site.
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931628
In Group Policy Management, create your new policy, scroll down to sites and link your newly created policy to the site.

LVL 38

Expert Comment

ID: 39931785
Do not create site based GPOs for this requirement if you have multi domain environment and if you are having hub and spoke topology (I guess it is)

You can achieve this Two way itself with standard GPO linked to OU

The steps
Create Global security groups representing to each location
Add each location computers to respective Global groups or add all locations computers where you required same policy
Do not move computers from current OU
Now create new GPO with required settings and apply it on the same OU, only on GPO scope tab in GPMC navigate to security filtering remove authenticated users and add there respective Global security group created above
Now create multiple GPO with required setting and apply respective Global security groups there

This will ensure that Policy will apply to only those computers in global group

The other way is to use GP preferences if you have 2008 \ 2008 r2 DCs where you can push required policy on computer subnet basis in Item level targeting
You can use User configuration \ preferences OR Computer Configuration \ preferences file item in update mode and can select item level targeting and select subnet range for that particular file
The advantage of this method is, you will required single GPO applied to OU and add multiple files there in update mode with subnets as a item level targeting

Check below post for item level targeting
Check below post for creating file GP preference item

LVL 23

Expert Comment

ID: 39931902
You did ask about S & S  and I truly believe you need to setup S & S no matter what, no matter how simple your topology is.


With that you can target sites wide settings.
I was once told you should build your AD Structure the way you plan on managing it.
So if you want to you can ignore S & S and manage it via OU structures and build your hierarchy  accordingly.

I used to have a OU structure as Office, Department, Computer or User.
It was revamped, but about a year in,  the revamp did not meet our needs. That lead to a modification through out the last couple of years.  

I would recommend testing with all methods.
If you do not have a S & S setup I would set one up and see how you can control the management.


Everything above is as well valid and logical setups.

From what you are asking it seems like setting up S & S w/ linked GPO's will meet your needs.
LVL 38

Accepted Solution

Mahesh earned 2000 total points
ID: 39932258
Also if you have XP machines, you need to apply below patch on XP so that it can work with GP Preferences

Note that applying GPOs on AD Site level required careful planning and in below circumstances its not good option
If you have multi domain environment, in that case any applied site policy will apply to other domains DCs in same site as well which is undesired
If you have Hub and spoke topology, in that case most of the locations authenticates \ reports to Hub site and if branch requirements are different, then applying GPOs to site level will not help
Also, your site to subnet mapping should be perfect, if it is not, then it will create mess

Also if you are roaming users across sites, then they will get particular site settings which may not be required
This is due to subnet mapping and applicable to GP preferences subnet mapping OR site level GPOs as well

That is why it is recommended to setup AD security groups with required computers as member and create multiple GPOs with required settings and use GPO security filtering method so that bunch of computers will get only desired settings no matter even if they are roaming users
In that case you don't need to use Item level targeting for GP preferences
Check below excellent article


Author Comment

ID: 39933026

This statement confuses me "Add each location computers to respective Global groups".

How do I know what systems are at each location?
LVL 38

Expert Comment

ID: 39934141
If you are following proper naming convention per location, then its possible to segregate computers of each location

Other wise there is no simple way to collect this information

If you have location admins, you can ask them list of computers to each locations from their inventory

LVL 23

Expert Comment

ID: 39934449
Are they segmented with different Subnets that you can query and then do your cleanup using Powershell.

This is a basic Idea:

Import-Module activedirectory
Get-ADComputer -Filter  'operatingSystem -like  "*Server*"' -Properties IPv4Address | ?{$_.IPv4Address -like '192.168.91.*'} | Move-ADObject -TargetPath 'OU=VDI,OU=Production,OU=Servers,OU=FLH,DC=XXX,DC=local' |Ft Name,IPv4Address -AutoSize

Open in new window


Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question