Solved

How to target systems in different regions

Posted on 2014-03-15
11
305 Views
Last Modified: 2014-03-28
I have to push out a jpg file for enabling a login banner. I have this working using a GPO to create 2 folders and copy the jpg.

Now I've been told that a different banner needs to be pushed to systems in different regions, i.e. France, China, etc.

Our workstations are in 1 OU, all 8000 of them. So is there a way to target systems based on where they reside and be able to push the jpg file to them?

Not sure if the subnets that are defined for the site in "Sites and Services" can be used.

Any thoughts on this?
Question by:rdefino
11 Comments
 
LVL 27

Expert Comment

by:serialband
ID: 39931601
Create a sub OU for each region and apply the group policy to each.  That's the purpose of having OUs.
0
 

Author Comment

by:rdefino
ID: 39931604
So move the systems into the new OUs?
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931605
You can create a GPO based on Sites and Services.
http://technet.microsoft.com/en-us/library/cc739283(v=ws.10).aspx

DirkMare
0
 

Author Comment

by:rdefino
ID: 39931611
Dirkmare,

This is what I was hoping, but I cannot find how to tie a particular GPO to a site.
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931628
In Group Policy Management, create your new policy, scroll down to sites and link your newly created policy to the site.

DirkMare
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39931785
Do not create site-based GPOs for this requirement if you have a multi-domain environment and if you have a hub-and-spoke topology (I guess it is).

You can achieve this in two ways with a standard GPO linked to the OU.

The steps:
Create global security groups representing each location
Add each location's computers to the respective global groups, or add all locations' computers where you require the same policy
Do not move computers from the current OU
Now create a new GPO with the required settings and apply it on the same OU, only on the GPO Scope tab in GPMC navigate to Security Filtering, remove Authenticated Users and add the respective global security group created above
Now create multiple GPOs with the required settings and apply the respective global security groups there

This will ensure that the policy applies only to those computers in the global group.

The other way is to use GP Preferences if you have 2008 \ 2008 R2 DCs, where you can push the required policy on a computer-subnet basis with item-level targeting.
You can use the User Configuration \ Preferences or Computer Configuration \ Preferences File item in Update mode, select item-level targeting, and select the subnet range for that particular file.
The advantage of this method is that you will require a single GPO applied to the OU, and add multiple files there in Update mode with subnets as item-level targeting.

Check below post for item level targeting
http://nexus.realtimepublishers.com/content/?tip=creating-targeting-and-applying-group-policy-preferences
Check below post for creating file GP preference item
http://www.grouppolicy.biz/2010/02/group-policy-setting-of-the-week-13-files/
http://technet.microsoft.com/en-us/library/cc772536.aspx

Mahesh
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 39931902
You did ask about S & S, and I truly believe you need to set up S & S no matter what, no matter how simple your topology is.

http://technet.microsoft.com/en-us/library/cc730868.aspx

With that you can target site-wide settings.
I was once told you should build your AD structure the way you plan on managing it.
So if you want to, you can ignore S & S and manage it via OU structures and build your hierarchy accordingly.

I used to have an OU structure as Office, Department, Computer or User.
It was revamped, but about a year in, the revamp did not meet our needs. That led to a modification throughout the last couple of years.

I would recommend testing with all methods.
If you do not have S & S set up, I would set it up and see how you can control the management.

http://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx

Everything above is also a valid and logical setup.

From what you are asking, it seems like setting up S & S with linked GPOs will meet your needs.
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39932258
Also, if you have XP machines, you need to apply the patch below on XP so that it can work with GP Preferences
http://www.microsoft.com/en-in/download/details.aspx?id=3628

Note that applying GPOs at the AD site level requires careful planning, and in the circumstances below it's not a good option:
If you have a multi-domain environment, any applied site policy will apply to other domains' DCs in the same site as well, which is undesired
If you have a hub-and-spoke topology, most of the locations authenticate \ report to the hub site, and if branch requirements are different, then applying GPOs at the site level will not help
Also, your site-to-subnet mapping should be perfect; if it is not, it will create a mess

Also, if you have users roaming across sites, they will get that particular site's settings, which may not be required
This is due to subnet mapping and is applicable to GP Preferences subnet mapping or site-level GPOs as well

That is why it is recommended to set up AD security groups with the required computers as members, create multiple GPOs with the required settings, and use the GPO security filtering method so that a bunch of computers will get only the desired settings, even if they are roaming users
In that case you don't need to use item-level targeting for GP Preferences
Check the excellent article below
http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx

Mahesh
0
 

Author Comment

by:rdefino
ID: 39933026
Mahesh,

This statement confuses me "Add each location computers to respective Global groups".

How do I know what systems are at each location?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39934141
If you are following a proper naming convention per location, then it's possible to segregate the computers of each location

Otherwise there is no simple way to collect this information

If you have location admins, you can ask them for a list of computers at each location from their inventory

Mahesh
0
 
LVL 21

Expert Comment

by:yo_bee
ID: 39934449
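Are they segmented with different subnets that you can query, and then do your cleanup using PowerShell?

This is a basic idea:

Import-Module ActiveDirectory
# Find server computer accounts whose registered IPv4 address is in 192.168.91.x and move them to the target OU.
# -PassThru makes Move-ADObject return the moved object; without it nothing reaches Format-Table.
Get-ADComputer -Filter 'operatingSystem -like "*Server*"' -Properties IPv4Address |
    Where-Object { $_.IPv4Address -like '192.168.91.*' } |
    Move-ADObject -TargetPath 'OU=VDI,OU=Production,OU=Servers,OU=FLH,DC=XXX,DC=local' -PassThru |
    Format-Table Name, DistinguishedName -AutoSize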

0
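An added example, not code from any post in this thread: a PowerShell script that combines the accepted answer's per-region security groups with the subnet query suggested above, so "which systems are at each location?" is answered by a CIDR match instead of moving computers between OUs. The subnets, group names and sample computers are hypothetical, and the Active Directory calls are shown as comments so the mapping can be checked without a domain.

```powershell
# Hypothetical region map: replace subnets and group names with your own.
$RegionMap = @(
    @{ Cidr = '10.20.0.0/16';    Group = 'GPO-Banner-France' }
    @{ Cidr = '10.30.0.0/16';    Group = 'GPO-Banner-China' }
    @{ Cidr = '192.168.91.0/24'; Group = 'GPO-Banner-HQ' }
)

function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # network byte order -> little-endian
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet ([string]$Ip, [string]$Cidr) {
    $network, $prefix = $Cidr -split '/'
    # Mask built arithmetically so /0 and /32 need no special case.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$prefix))
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $network) -band $mask)
}

function Get-RegionGroup ([string]$Ip) {
    foreach ($region in $RegionMap) {
        if (Test-InSubnet $Ip $region.Cidr) { return $region.Group }
    }
    return $null   # subnet not in the map: report it, never guess a region
}

# Constructed inventory. On a live domain use instead:
#   $computers = Get-ADComputer -Filter * -Properties IPv4Address
# IPv4Address comes from DNS, so a roaming laptop maps to wherever it last registered.
$computers = @(
    [pscustomobject]@{ Name = 'PAR-WS-0001'; IPv4Address = '10.20.14.7' }
    [pscustomobject]@{ Name = 'SHA-WS-0042'; IPv4Address = '10.30.200.19' }
    [pscustomobject]@{ Name = 'TMP-WS-0007'; IPv4Address = '172.16.5.5' }
    [pscustomobject]@{ Name = 'OLD-WS-0003'; IPv4Address = $null }
)

foreach ($computer in $computers) {
    $group = if ($computer.IPv4Address) { Get-RegionGroup $computer.IPv4Address }
    if ($group) {
        # Preview first, then drop -WhatIf:
        #   Add-ADGroupMember -Identity $group -Members "$($computer.Name)`$" -WhatIf
        '{0,-12} {1,-15} -> {2}' -f $computer.Name, $computer.IPv4Address, $group
    } else {
        '{0,-12} {1,-15} -> UNMAPPED, review manually' -f $computer.Name, $computer.IPv4Address
    }
}
```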
