
Been testing with a GPO to deploy a certificate with a TEST OU. How would I apply it to Production so that all machines receive the GPO?

Last Modified: 2018-05-24
I've been successfully testing a certificate deployment to add a certificate into trusted root on a user's machine with a TEST OU I've created and moving certain machines to it. This applies to computers rather than user accounts.

(Attached screenshot: 2017-04-26_13-46-07.jpg)
Now it's time to apply this to all our corp user computers within our domain. Just need to understand a few things. See screenshot.

(Attached screenshot: 2017-04-26_13-49-58.jpg)

Based on the screenshot above, our corp users' computers are put in the Managed Computers OU. Is that where I should create the GPO?

After creating the GPO, under Security Filtering, do I leave Authenticated Users selected and add Domain Computers? Again, this GPO is computer based.

(Attached screenshot: 2017-04-26_14-02-03.jpg)
I noticed that during TESTING, although successful, the GPO never fully applied until I ran a gpupdate /force command on the TEST user's machine. Even giving it a full day, I still had to force it. Shouldn't it apply to the user's machine automatically after a few minutes or hours? I know all our DCs are replicated. Could that be the reason why? I'm just hoping I don't have to do a gpupdate /force for all users because that is not feasible.

Ben Personick (Previously QCubed), Lead SaaS Infrastructure Engineer
CERTIFIED EXPERT

Commented:
"computer configuration" settings are fickle.

Normally they are only applied at startup, but new settings should be applied to matching computers within 120 minutes.

However, quite often I have found a lot of computer settings seem to require you to either reboot or run a GPUpdate /force, in my experience on a lot if not all of your computers. (PITA).

That said, basically just link the GPO to the root, set it to enforce, and set security filtering to "Authenticated users" and you should be good to go.

Note: I seem to find that when I apply GPOs by WMI filter even the computer settings GPOs seem to be enacted, but it may just be that the settings I chose to change when I was doing it that way are not the kind that requires the force.
yo_bee, Director of Information Technology
CERTIFIED EXPERT

Commented:
The setting you are looking to apply should not need a /force or a reboot.

Move the GPO to your highest level in the hierarchy where your production machines sit and have it apply to only Authenticated Users. There is no need to apply any other security.

Do an RSOP before and after you run gpupdate /target:computer.

Do you have a 2012 DC?  You can run an update against any OU.

Powershell:
https://technet.microsoft.com/en-us/library/hh967455(v=wps.630).aspx

GPMC:
https://www.google.com/amp/s/www.petri.com/force-remote-group-policy-update-gpmc/amp

Note: do this during off hours. Computers will reboot.

You can schedule a PS script to run at 3:00 am
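As an added example (not code from the thread or from either poster), this is how the remote refresh described above can be driven from PowerShell against every computer in the production OU, followed by a check that the root certificate actually landed in each machine's LocalMachine\Root store. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed, that PowerShell Remoting is enabled on the targets, and that the OU distinguished name and certificate thumbprint are placeholders you replace; no -Boot or -LogOff is passed, so nothing restarts.

```powershell
# Added example, not from the original thread. Assumes RSAT GroupPolicy/ActiveDirectory
# modules and PowerShell Remoting. $ou and $thumbprint are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ou         = 'OU=Managed Computers,DC=corp,DC=example'   # placeholder: DN of your production computer OU
$thumbprint = 'REPLACE_WITH_ROOT_CERT_THUMBPRINT'         # placeholder: thumbprint of the deployed root cert

# Enumerate computer objects (this is a computer-side policy, so users are irrelevant here)
$computers = Get-ADComputer -SearchBase $ou -Filter * | Select-Object -ExpandProperty Name

$report = foreach ($c in $computers) {
    # Trigger only the computer half of Group Policy on the remote host.
    # No -Boot/-LogOff, so this does not restart or log anyone off.
    Invoke-GPUpdate -Computer $c -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction Continue

    # Verify the certificate is now present in the machine's Trusted Root store.
    # Test-Path on the Cert: provider keyed by thumbprint is true only if it was installed.
    $present = Invoke-Command -ComputerName $c -ArgumentList $thumbprint -ErrorAction SilentlyContinue -ScriptBlock {
        param($tp)
        Test-Path -Path "Cert:\LocalMachine\Root\$tp"
    }

    [pscustomobject]@{
        Computer        = $c
        RootCertPresent = [bool]$present   # $false also covers hosts that were unreachable
    }
}

# Machines still missing the cert are the ones to investigate (RSOP, event log, connectivity)
$report | Where-Object { -not $_.RootCertPresent } | Format-Table -AutoSize
```

Invoke-GPUpdate relies on the remote scheduled-task RPC path, so targets need the "Remote Scheduled Tasks Management" firewall rules open or the call reports an error for that host.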

Author

Commented:
Yo_bee,

When you say "Move the GPO to your highest level in the hierarchy", in my case, it would be the OU in my screenshot that is Managed Computers, right? So setting the security to Authenticated Users, the GPO will apply? Even if it is a computer setting?

Author

Commented:
Thanks. The both of you were a lot of help.
Ben Personick (Previously QCubed), Lead SaaS Infrastructure Engineer
CERTIFIED EXPERT

Commented:
Glad to help! :)