How to target systems in different regions

Posted on 2014-03-15
Last Modified: 2014-03-28
I have to push out a jpg file for enabling a login banner. I have this working using a GPO to create 2 folders and copy the jpg.

Now I've been told that a different banner needs to be pushed to systems in different regions, i.e. France, China, etc.

Our workstations are in 1 OU, all 8000 of them. So is there a way to target systems based on where they reside and push the jpg file to them?

Not sure if the subnets that are defined for the site in "Sites and Services" can be used.

Any thoughts on this?
Question by:rdefino
LVL 29

Expert Comment

ID: 39931601
Create a sub OU for each region and apply the group policy to each.  That's the purpose of having OUs.

Author Comment

ID: 39931604
So move the systems into the new OUs?
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931605
You can create a GPO based on Sites and Services.


Author Comment

ID: 39931611

This is what I was hoping, but I cannot find how to tie a particular GPO to a site.
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931628
In Group Policy Management, create your new policy, scroll down to sites and link your newly created policy to the site.

LVL 37

Expert Comment

ID: 39931785
Do not create site-based GPOs for this requirement if you have a multi-domain environment and if you have a hub-and-spoke topology (I guess it is).

You can achieve this in two ways with a standard GPO linked to the OU.

The steps:
Create Global security groups representing each location.
Add each location's computers to the respective Global group, or add the computers of all locations where you require the same policy.
Do not move computers from the current OU.
Now create a new GPO with the required settings and apply it on the same OU; on the GPO Scope tab in GPMC, navigate to Security Filtering, remove Authenticated Users and add the respective Global security group created above.
Now create multiple GPOs with the required settings and apply the respective Global security groups there.

This will ensure that the policy applies only to those computers in the global group.

The other way is to use GP Preferences if you have 2008 \ 2008 R2 DCs, where you can push the required policy on a computer subnet basis with item-level targeting.
You can use a User Configuration \ Preferences OR Computer Configuration \ Preferences file item in update mode, select item-level targeting and select the subnet range for that particular file.
The advantage of this method is that you will require a single GPO applied to the OU, and you add multiple files there in update mode with subnets as item-level targeting.

Check below post for item level targeting
Check below post for creating file GP preference item

LVL 23

Expert Comment

ID: 39931902
You did ask about S & S and I truly believe you need to set up S & S no matter what, no matter how simple your topology is.

With that you can target site-wide settings.
I was once told you should build your AD structure the way you plan on managing it.
So if you want to, you can ignore S & S and manage it via OU structures and build your hierarchy accordingly.

I used to have an OU structure as Office, Department, Computer or User.
It was revamped, but about a year in, the revamp did not meet our needs. That led to a modification throughout the last couple of years.

I would recommend testing with all methods.
If you do not have an S & S setup I would set one up and see how you can control the management.

Everything above is also a valid and logical setup.

From what you are asking it seems like setting up S & S w/ linked GPOs will meet your needs.
LVL 37

Accepted Solution

Mahesh earned 500 total points
ID: 39932258
Also, if you have XP machines, you need to apply the patch below on XP so that it can work with GP Preferences.

Note that applying GPOs at the AD site level requires careful planning, and in the circumstances below it's not a good option:
If you have a multi-domain environment, any applied site policy will apply to other domains' DCs in the same site as well, which is undesired.
If you have a hub-and-spoke topology, most of the locations authenticate \ report to the hub site, and if branch requirements are different, then applying GPOs at site level will not help.
Also, your site-to-subnet mapping should be perfect; if it is not, it will create a mess.

Also, if you have users roaming across sites, they will get the particular site's settings, which may not be required.
This is due to subnet mapping and is applicable to GP Preferences subnet mapping OR site-level GPOs as well.

That is why it is recommended to set up AD security groups with the required computers as members, create multiple GPOs with the required settings and use the GPO security filtering method, so that a bunch of computers will get only the desired settings no matter if they are roaming users.
In that case you don't need to use item-level targeting for GP Preferences.
Check the excellent article below.


Author Comment

ID: 39933026

This statement confuses me "Add each location computers to respective Global groups".

How do I know what systems are at each location?
LVL 37

Expert Comment

ID: 39934141
If you are following a proper naming convention per location, then it's possible to segregate the computers of each location.

Otherwise there is no simple way to collect this information.

If you have location admins, you can ask them for a list of computers at each location from their inventory.

LVL 23

Expert Comment

ID: 39934449
Are they segmented with different subnets that you can query and then do your cleanup using PowerShell?

This is a basic idea:

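Import-Module ActiveDirectory
# -PassThru makes Move-ADObject return the moved objects; without it Format-Table receives nothing to display
Get-ADComputer -Filter 'operatingSystem -like "*Server*"' -Properties IPv4Address | Where-Object { $_.IPv4Address -like '192.168.91.*' } |
    Move-ADObject -TargetPath 'OU=VDI,OU=Production,OU=Servers,OU=FLH,DC=XXX,DC=local' -PassThru | Format-Table Name, DistinguishedName -AutoSize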
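
An added example, not part of any post in this thread: one way to fill the per-location security groups used for GPO security filtering without moving computers out of the single OU, by matching each computer's address against a subnet-to-group map. The OU path, subnets and group names are hypothetical placeholders.

```powershell
Import-Module ActiveDirectory

# Hypothetical values: substitute your own OU, region subnets and group names.
$SearchBase = 'OU=Workstations,DC=example,DC=local'
$RegionMap  = [ordered]@{
    '10.10.0.0/16' = 'GPO-Banner-France'
    '10.20.0.0/16' = 'GPO-Banner-China'
}

# Dotted-quad IPv4 string -> number (double holds all 32-bit values exactly).
function ConvertTo-IPNumber ([string]$Address) {
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    [double]$b[0] * 16777216 + [double]$b[1] * 65536 + [double]$b[2] * 256 + [double]$b[3]
}

# True when $Address falls inside $Cidr (e.g. 10.10.0.0/16).
# A real prefix comparison, so 10.1.x and 10.10.x are never confused
# the way a wildcard string match can confuse them.
function Test-InSubnet ([string]$Address, [string]$Cidr) {
    $network, $bits = $Cidr -split '/'
    $blockSize = [math]::Pow(2, 32 - [int]$bits)
    [math]::Floor((ConvertTo-IPNumber $Address) / $blockSize) -eq
        [math]::Floor((ConvertTo-IPNumber $network) / $blockSize)
}

# IPv4Address is resolved through DNS when the query runs, so computers
# that are offline, roaming or have stale records can be missing or land
# in the wrong region. Review the -WhatIf output before applying.
$computers = Get-ADComputer -SearchBase $SearchBase -Filter * -Properties IPv4Address |
    Where-Object { $_.IPv4Address }

foreach ($computer in $computers) {
    $group = $RegionMap.Keys |
        Where-Object { Test-InSubnet $computer.IPv4Address $_ } |
        Select-Object -First 1 |
        ForEach-Object { $RegionMap[$_] }

    if ($group) {
        # Remove -WhatIf once the proposed memberships look right.
        Add-ADGroupMember -Identity $group -Members $computer -WhatIf
    } else {
        Write-Warning "$($computer.Name) ($($computer.IPv4Address)) matches no region subnet"
    }
}
```

A computer picks up a new group membership only after it restarts, so a security-filtered GPO does not apply to newly added members until then.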
