Solved

How to target systems in different regions

Posted on 2014-03-15
11
311 Views
Last Modified: 2014-03-28
I have to push out a jpg file to for enabling a login banner. I have this working using a gpo to create 2 folders and copy the jpg.

Now I've been told that a different banner needs to be pushed to systems in different regions, i.e. france, china, etc.

Our workstations are in 1 ou, all 8000 of them. so is there a way to target system based on where they reside and be able to push the jpg file to?

Not sure is the subnets that are defined for the site in "sites and services" can be use.

Any thoughts on this?
0
Comment
Question by:rdefino
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +2
11 Comments
 
LVL 29

Expert Comment

by:serialband
ID: 39931601
Create a sub OU for each region and apply the group policy to each.  That's the purpose of having OUs.
0
 

Author Comment

by:rdefino
ID: 39931604
so move the systems into the new ou's?
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931605
You can create an GPO based on sites and services..
http://technet.microsoft.com/en-us/library/cc739283(v=ws.10).aspx

DirkMare
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:rdefino
ID: 39931611
Dirkmare,

This is what I was hopejng, but I cannot find how to tie a particular gpo to a site.
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931628
In Group Policy Management, create your new policy, scroll down to sites and link your newly created policy to the site.

DirkMare
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39931785
Do not create site based GPOs for this requirement if you have multi domain environment and if you are having hub and spoke topology (I guess it is)

You can achieve this Two way itself with standard GPO linked to OU

The steps
Create Global security groups representing to each location
Add each location computers to respective Global groups or add all locations computers where you required same policy
Do not move computers from current OU
Now create new GPO with required settings and apply it on the same OU, only on GPO scope tab in GPMC navigate to security filtering remove authenticated users and add there respective Global security group created above
Now create multiple GPO with required setting and apply respective Global security groups there

This will ensure that Policy will apply to only those computers in global group

The other way is to use GP preferences if you have 2008 \ 2008 r2 DCs where you can push required policy on computer subnet basis in Item level targeting
You can use User configuration \ preferences OR Computer Configuration \ preferences file item in update mode and can select item level targeting and select subnet range for that particular file
The advantage of this method is, you will required single GPO applied to OU and add multiple files there in update mode with subnets as a item level targeting

Check below post for item level targeting
http://nexus.realtimepublishers.com/content/?tip=creating-targeting-and-applying-group-policy-preferences
Check below post for creating file GP preference item
http://www.grouppolicy.biz/2010/02/group-policy-setting-of-the-week-13-files/
http://technet.microsoft.com/en-us/library/cc772536.aspx

Mahesh
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 39931902
You did ask about S & S  and I truly believe you need to setup S & S no matter what, no matter how simple your topology is.

http://technet.microsoft.com/en-us/library/cc730868.aspx

With that you can target sites wide settings.
I was once told you should build your AD Structure the way you plan on managing it.
So if you want to you can ignore S & S and manage it via OU structures and build your hierarchy  accordingly.

I used to have a OU structure as Office, Department, Computer or User.
It was revamped, but about a year in,  the revamp did not meet our needs. That lead to a modification through out the last couple of years.  

I would recommend testing with all methods.
If you do not have a S & S setup I would set one up and see how you can control the management.

http://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx

Everything above is as well valid and logical setups.

From what you are asking it seems like setting up S & S w/ linked GPO's will meet your needs.
img1.png
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39932258
Also if you have XP machines, you need to apply below patch on XP so that it can work with GP Preferences
http://www.microsoft.com/en-in/download/details.aspx?id=3628

Note that applying GPOs on AD Site level required careful planning and in below circumstances its not good option
If you have multi domain environment, in that case any applied site policy will apply to other domains DCs in same site as well which is undesired
If you have Hub and spoke topology, in that case most of the locations authenticates \ reports to Hub site and if branch requirements are different, then applying GPOs to site level will not help
Also, your site to subnet mapping should be perfect, if it is not, then it will create mess

Also if you are roaming users across sites, then they will get particular site settings which may not be required
This is due to subnet mapping and applicable to GP preferences subnet mapping OR site level GPOs as well

That is why it is recommended to setup AD security groups with required computers as member and create multiple GPOs with required settings and use GPO security filtering method so that bunch of computers will get only desired settings no matter even if they are roaming users
In that case you don't need to use Item level targeting for GP preferences
Check below excellent article
http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx

Mahesh
0
 

Author Comment

by:rdefino
ID: 39933026
Mahesh,

This statement confuses me "Add each location computers to respective Global groups".

How do I know what systems are at each location?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39934141
If you are following proper naming convention per location, then its possible to segregate computers of each location

Other wise there is no simple way to collect this information

If you have location admins, you can ask them list of computers to each locations from their inventory

Mahesh
0
 
LVL 23

Expert Comment

by:yo_bee
ID: 39934449
Are they segmented with different Subnets that you can query and then do your cleanup using Powershell.

This is a basic Idea:

Import-Module activedirectory
Get-ADComputer -Filter  'operatingSystem -like  "*Server*"' -Properties IPv4Address | ?{$_.IPv4Address -like '192.168.91.*'} | Move-ADObject -TargetPath 'OU=VDI,OU=Production,OU=Servers,OU=FLH,DC=XXX,DC=local' |Ft Name,IPv4Address -AutoSize

Open in new window

0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. Theā€¦
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question