How to target systems in different regions

Posted on 2014-03-15
Medium Priority
Last Modified: 2014-03-28
I have to push out a jpg file for enabling a login banner. I have this working using a GPO to create 2 folders and copy the jpg.

Now I've been told that a different banner needs to be pushed to systems in different regions, i.e. France, China, etc.

Our workstations are in 1 OU, all 8000 of them. So is there a way to target systems based on where they reside and push the jpg file to them?

Not sure if the subnets that are defined for the site in "Sites and Services" can be used.

Any thoughts on this?
Question by:rdefino
LVL 30

Expert Comment

ID: 39931601
Create a sub OU for each region and apply the group policy to each.  That's the purpose of having OUs.

Author Comment

ID: 39931604
So move the systems into the new OUs?
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931605
You can create a GPO based on Sites and Services.

Author Comment

ID: 39931611

This is what I was hoping, but I cannot find how to tie a particular GPO to a site.
LVL 16

Expert Comment

by:Dirk Mare
ID: 39931628
In Group Policy Management, create your new policy, scroll down to sites and link your newly created policy to the site.

LVL 37

Expert Comment

ID: 39931785
Do not create site-based GPOs for this requirement if you have a multi-domain environment and if you have a hub-and-spoke topology (I guess it is).

You can achieve this in two ways with a standard GPO linked to the OU.

The steps:
Create global security groups representing each location
Add each location's computers to the respective global groups, or add all locations' computers where you require the same policy
Do not move computers from the current OU
Now create a new GPO with the required settings and apply it on the same OU; only, on the GPO Scope tab in GPMC, navigate to Security Filtering, remove Authenticated Users and add the respective global security group created above
Now create multiple GPOs with the required settings and apply the respective global security groups there

This will ensure that the policy applies only to those computers in the global group.

The other way is to use GP Preferences, if you have 2008 \ 2008 R2 DCs, where you can push the required policy on a computer-subnet basis with item-level targeting.
You can use a User Configuration \ Preferences OR Computer Configuration \ Preferences File item in Update mode, select item-level targeting and select the subnet range for that particular file.
The advantage of this method is that you will require a single GPO applied to the OU, and add multiple files there in Update mode with subnets as item-level targeting.

Check below post for item level targeting
Check below post for creating file GP preference item
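
The group-and-filter steps above, scripted with the ActiveDirectory and GroupPolicy modules as an added example (not part of the original thread). The OU paths, group names and GPO names are hypothetical placeholders.

```powershell
Import-Module ActiveDirectory, GroupPolicy

# All names below are hypothetical placeholders; adjust to your domain.
$WorkstationOU = 'OU=Workstations,DC=example,DC=local'
$GroupOU       = 'OU=Groups,DC=example,DC=local'
$Regions       = 'France', 'China'

foreach ($region in $Regions) {
    $groupName = "Banner-$region"
    $gpoName   = "Login Banner - $region"

    # One global security group per location (created only if missing).
    if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
        New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $GroupOU
    }

    # One GPO per location, linked to the existing workstation OU.
    # The banner file setting itself is still added in the GPMC editor.
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Guid $gpo.Id -Target $WorkstationOU | Out-Null

    # Security filtering: the region group gets Read + Apply ...
    Set-GPPermission -Guid $gpo.Id -TargetName $groupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    # ... and Authenticated Users is removed from the filter, as in the steps above.
    Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None -Replace | Out-Null
}

# Review: the region group should show GpoApply and
# Authenticated Users should no longer appear on either GPO.
foreach ($region in $Regions) {
    Get-GPPermission -Name "Login Banner - $region" -All |
        Select-Object @{n='Gpo';e={"Login Banner - $region"}},
                      @{n='Trustee';e={$_.Trustee.Name}}, Permission
}
```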

LVL 23

Expert Comment

ID: 39931902
You did ask about S & S, and I truly believe you need to set up S & S no matter what, no matter how simple your topology is.

With that you can target site-wide settings.
I was once told you should build your AD structure the way you plan on managing it.
So if you want to, you can ignore S & S and manage it via OU structures and build your hierarchy accordingly.

I used to have an OU structure as Office, Department, Computer or User.
It was revamped, but about a year in, the revamp did not meet our needs. That led to a modification throughout the last couple of years.

I would recommend testing with all methods.
If you do not have an S & S setup I would set one up and see how you can control the management.

Everything above are valid and logical setups as well.

From what you are asking it seems like setting up S & S w/ linked GPOs will meet your needs.
LVL 37

Accepted Solution

Mahesh earned 2000 total points
ID: 39932258
Also, if you have XP machines, you need to apply the below patch on XP so that it can work with GP Preferences

Note that applying GPOs at the AD site level requires careful planning, and in the below circumstances it's not a good option:
If you have a multi-domain environment, any applied site policy will apply to other domains' DCs in the same site as well, which is undesired
If you have a hub-and-spoke topology, most of the locations authenticate \ report to the hub site, and if branch requirements are different, then applying GPOs at site level will not help
Also, your site-to-subnet mapping should be perfect; if it is not, it will create a mess

Also, if you have users roaming across sites, they will get a particular site's settings, which may not be required
This is due to subnet mapping and is applicable to GP Preferences subnet mapping OR site-level GPOs as well

That is why it is recommended to set up AD security groups with the required computers as members, create multiple GPOs with the required settings and use the GPO security filtering method, so that a bunch of computers will get only the desired settings, even if they are roaming users
In that case you don't need to use item-level targeting for GP Preferences
Check the below excellent article


Author Comment

ID: 39933026

This statement confuses me "Add each location computers to respective Global groups".

How do I know what systems are at each location?
LVL 37

Expert Comment

ID: 39934141
If you are following a proper naming convention per location, then it's possible to segregate the computers of each location

Otherwise there is no simple way to collect this information

If you have location admins, you can ask them for a list of computers at each location from their inventory

LVL 23

Expert Comment

ID: 39934449
Are they segmented with different subnets that you can query, and then do your cleanup using PowerShell?

This is a basic idea:

Import-Module ActiveDirectory
# Move-ADObject returns nothing by default, so each computer is passed on ($_) for the table
Get-ADComputer -Filter 'operatingSystem -like "*Server*"' -Properties IPv4Address | Where-Object { $_.IPv4Address -like '192.168.91.*' } |
  ForEach-Object { $_ | Move-ADObject -TargetPath 'OU=VDI,OU=Production,OU=Servers,OU=FLH,DC=XXX,DC=local'; $_ } | Format-Table Name, IPv4Address -AutoSize
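
An added example (not from the original thread) that takes the subnet idea above one step further: instead of moving computers, it matches each workstation's address against per-region CIDR ranges and adds it to that region's security group. The subnets, group names and OU path are constructed placeholders, and the groups are assumed to exist already.

```powershell
Import-Module ActiveDirectory

# Constructed sample mapping (hypothetical group names and subnets).
$RegionSubnets = @{
    'Banner-France' = @('10.20.0.0/16')
    'Banner-China'  = @('10.30.0.0/16', '10.31.4.0/22')
}
$WorkstationOU = 'OU=Workstations,DC=example,DC=local'   # hypothetical DN

function ConvertTo-IPNumber([string]$Address) {
    # Dotted quad -> number; a double holds all 32 bits exactly.
    $n = [double]0
    foreach ($b in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $n = $n * 256 + $b
    }
    $n
}

function Test-InSubnet([string]$Address, [string]$Cidr) {
    # Same network if both addresses fall in the same block of 2^(32 - prefix) addresses.
    $network, $prefix = $Cidr -split '/'
    $blockSize = [math]::Pow(2, 32 - [int]$prefix)
    [math]::Floor((ConvertTo-IPNumber $Address) / $blockSize) -eq
        [math]::Floor((ConvertTo-IPNumber $network) / $blockSize)
}

$computers = Get-ADComputer -Filter * -SearchBase $WorkstationOU -Properties IPv4Address
foreach ($c in $computers) {
    # IPv4Address is empty when the computer name does not resolve.
    if (-not $c.IPv4Address) {
        Write-Warning "$($c.Name): no IPv4 address, skipped"
        continue
    }
    $regions = @(foreach ($group in $RegionSubnets.Keys) {
        foreach ($cidr in $RegionSubnets[$group]) {
            if (Test-InSubnet $c.IPv4Address $cidr) { $group; break }
        }
    })
    if ($regions.Count -eq 1) {
        # -WhatIf only reports the change; remove it to update the group.
        Add-ADGroupMember -Identity $regions[0] -Members $c -WhatIf
    } else {
        Write-Warning "$($c.Name) ($($c.IPv4Address)): $($regions.Count) regions matched, review manually"
    }
}
```

Membership is a snapshot of where each machine was when the script ran, and a computer picks up a new group membership at its next restart.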
