Been testing with a GPO to deploy a certificate with a TEST OU. How would I apply it to Production so that all machines receive the GPO?

joukiejouk
I've been successfully testing a certificate deployment to add a certificate into trusted root on a user's machine with a TEST OU I've created and moving certain machines to it. This applies to computers rather than user accounts.

Now it's time to apply this to all our corp user computers within our domain. Just need to understand a few things. See screenshot.


Based on the screenshot above, our corp users' computers are put in the Managed Computers OU. Is that where I should create the GPO?

After creating the GPO, under Security Filtering, do I leave Authenticated Users selected, and add Domain Computers? Again, this GPO is computer based.

I noticed that during TESTING, although successful, the GPO never fully applied until I did a gpupdate /force command on the TEST user's machine. Even giving it a full day, I still had to force it. Shouldn't it apply to the user's machine automatically after a few minutes or hours? I know all our DCs are replicated. Could that be the reason why? I'm just hoping I don't have to do a gpupdate /force for all users because that is not feasible.

Ben Personick (Previously QCubed), Lead SaaS Infrastructure Engineer

"computer configuration" settings are fickle.

Normally they are only applied at startup, but new settings should be applied to matching computers within 120 minutes.

However, quite often I have found a lot of computer settings seem to require you to either reboot or run a GPUpdate /force on a lot, if not all, of your computers in my experience. (PITA.)

That said, basically just link the GPO to the root, set it to enforce, and set security filtering to "Authenticated users" and you should be good to go.

Note: I seem to find that when I apply GPOs by WMI filter even the computer settings GPOs seem to be enacted, but it may just be that the settings I chose to change when I was doing it that way are not the kind that requires the force.
yo_bee, Director of Information Technology

The setting you are looking to apply should not need a /force or a /boot.

Move the GPO to your highest level in the hierarchy where your production machines sit and have it apply to only Authenticated Users. There is no need to apply any other security.

Do an RSOP before and after you run gpupdate /target:computer.

Do you have a 2012 DC? You can run an update against any OU.

Note: do this during off hours. Computers will reboot.

You can schedule a PS script to run at 3:00 am.

When you say "Move the GPO to your highest level in the hierarchy", in my case, it would be the OU in my screenshot that is Managed Computers, right? So setting the security to Authenticated Users, the GPO will apply? Even if it is a computer setting?
Ben Personick (Previously QCubed), Lead SaaS Infrastructure Engineer
Hello JoukieJouk,

Yes, you would put it in "Managed Computers" in that case; I didn't notice your comment that all of the computers you want to target are in an OU called "Managed Computers" when I read it last night. (The default 'folder' called "Computers", where they are created on joining the domain, is not an OU, which necessitates putting the GPO under the domain root in that case.)

As Yo-Bee and I both pointed out, yes, "Authenticated Users" is the appropriate setting for your security filtering. (Systems which are domain members count as "Authenticated Users" just the same as 'normal' users.)

Yobee seems familiar with this setting not needing the force, although he is still recommending you run GPUpdate with a force... I can't say I've applied this particular computer setting to know if it does or does not need to be run as a gpupdate /force.

However, I can say in my experience, when computer settings are set up that do not need the force, they usually apply themselves within 120 minutes (0 to 90 minutes random stagger + up to 30 minutes due to the refresh interval). For instance, I have a GPO which creates some shares and applies registry changes, and that does not need to run GPUpdate at all; it simply applies itself.

So based on this and your experience so far, you will probably need to run GPUpdate /force or wait for the systems to be rebooted.
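The two answers above come down to the same recipe: link the GPO at the OU that holds the production machines (Managed Computers here, or the domain root when the machines sit in the default Computers container), enforce the link, and leave security filtering at Authenticated Users, which already covers domain-joined computers through their machine accounts. The script below is an added example written for this page, not code from either expert; it assumes the GroupPolicy RSAT module is installed, and the GPO name, domain DN and OU path are placeholders. Importing the certificate into the GPO itself is still done in GPMC, exactly as was done for the TEST OU.

```powershell
# Added example (not from the thread): create the certificate GPO, link it to the
# production OU with the link enforced, and confirm the security filtering is
# "Authenticated Users" with Apply rights. Requires the GroupPolicy module (RSAT/GPMC)
# on a domain-joined admin workstation. GPO name and OU DN are placeholders.
Import-Module GroupPolicy

$GpoName  = 'Deploy Corp Root Certificate'              # placeholder GPO name
$TargetOU = 'OU=Managed Computers,DC=corp,DC=example'    # placeholder DN of the OU from the screenshot

# Create the GPO if it does not exist yet. The certificate is imported in GPMC under
# Computer Configuration > Policies > Windows Settings > Security Settings >
# Public Key Policies > Trusted Root Certification Authorities, as in the TEST OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Pushes the corporate root CA certificate to Trusted Root (computer setting)'
}

# Link the GPO to the OU and enforce the link. An enforced link is still processed by
# child OUs that have "Block Inheritance" set, and wins link-order conflicts.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Security filtering: "Authenticated Users" with GpoApply is sufficient. Computers
# authenticate with their machine account and are therefore Authenticated Users, so
# adding "Domain Computers" as a second trustee is not needed for a computer-side GPO.
$authUsers = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Trustee.Name -eq 'Authenticated Users' }
if (-not $authUsers -or $authUsers.Permission -ne 'GpoApply') {
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# Report the final link and filtering state so it can be compared with the working TEST OU.
(Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName } |
    Format-Table DisplayName, Enabled, Enforced, Order -AutoSize
Get-GPPermission -Name $GpoName -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission -AutoSize
```

Run it once from an account with GPO creation and link rights on the OU; re-running is safe because every step checks the current state before changing anything. If the machines are in the default Computers container rather than an OU, set `$TargetOU` to the domain DN instead, as Ben notes above.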
yo_bee, Director of Information Technology
To expand on my comment and Ben's reply

The command that I suggested, gpupdate /target:computer, will manually kick off the routine (90 or 120 min cycle) for you to see if this setting works. If this does work then you can be sure with 100% confidence that all your computers in your domain will get these certs. If it does not work you will need to try the PowerShell or GPMC remote update process if you have a Windows 2012 or higher Domain Controller.

I noticed from your screenshots that you have a few OUs that have blocked inheritance. This means that your GPO that is set to the Managed Computers OU will not apply to those OUs. If you wish to have it also apply to a blocked OU you will need to also link it to that one. You can link to multiple OUs without any issues.

If you are familiar with NTFS security and how it propagates to child folders, the same holds true for Group Policy unless you block inheritance. If you do that then you will not get any of the GPOs linked to OUs that are higher in the hierarchy.

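yo_bee's reply describes three things a practitioner will want to do before declaring the rollout done: find the child OUs that block inheritance and link the GPO there as well, trigger the computer-side refresh remotely from a 2012-or-later GPMC instead of running gpupdate by hand on every machine, and check the result rather than assume it. The script below is an added example for this page, not yo_bee's or Ben's code. It assumes the GroupPolicy and ActiveDirectory RSAT modules, WinRM on the clients (Invoke-GPUpdate also needs the "Remote Scheduled Tasks Management" firewall rules enabled on them), and placeholder values for the GPO name, OU DN and certificate thumbprint.

```powershell
# Added example (not from the thread): audit blocked inheritance under the production OU,
# link the certificate GPO to those OUs, refresh computer policy remotely, and verify the
# certificate is present in each machine's Trusted Root store.
# Requires GroupPolicy + ActiveDirectory RSAT modules and a Server 2012+ GPMC for
# Invoke-GPUpdate. GPO name, OU DN and thumbprint below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName    = 'Deploy Corp Root Certificate'                # placeholder
$TargetOU   = 'OU=Managed Computers,DC=corp,DC=example'      # placeholder
$Thumbprint = '0000000000000000000000000000000000000000'     # placeholder: SHA-1 thumbprint of the CA cert in the GPO

# 1. Inheritance behaves like NTFS propagation: a child OU with "Block Inheritance" does not
#    receive links made at the parent, so the GPO has to be linked there too.
$blockedOUs = Get-ADOrganizationalUnit -Filter * -SearchBase $TargetOU -SearchScope Subtree |
    Where-Object {
        $_.DistinguishedName -ne $TargetOU -and
        (Get-GPInheritance -Target $_.DistinguishedName).GpoInheritanceBlocked
    }

foreach ($ou in $blockedOUs) {
    $alreadyLinked = (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks.DisplayName -contains $GpoName
    if (-not $alreadyLinked) {
        Write-Host "Linking '$GpoName' to blocked OU $($ou.DistinguishedName)"
        New-GPLink -Name $GpoName -Target $ou.DistinguishedName -LinkEnabled Yes | Out-Null
    }
}

# 2. Kick off the computer-side refresh remotely instead of waiting for the background
#    cycle. The -Boot switch is deliberately not used, so this only refreshes policy and
#    does not restart anything; schedule this step during off hours if the GPO has
#    settings that do require a restart.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $TargetOU -SearchScope Subtree -Properties DNSHostName
foreach ($c in $computers) {
    try {
        Invoke-GPUpdate -Computer $c.Name -Target Computer -Force -RandomDelayInMinutes 0 -ErrorAction Stop
    }
    catch {
        Write-Warning "Remote refresh failed for $($c.Name): $($_.Exception.Message)"
    }
}

# 3. Verify on the endpoint, not just in RSOP: the setting is only effective once the
#    certificate actually sits in LocalMachine\Root on the client.
$results = foreach ($c in $computers) {
    $present = Invoke-Command -ComputerName $c.DNSHostName -ErrorAction SilentlyContinue -ScriptBlock {
        [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $using:Thumbprint })
    }
    [pscustomobject]@{
        Computer          = $c.Name
        CertInTrustedRoot = [bool]$present   # $null (unreachable) is reported as $false
    }
}
$results | Sort-Object CertInTrustedRoot, Computer | Format-Table -AutoSize
```

Machines that report `False` are either unreachable, still inside the refresh window, or in an OU the GPO is not linked to; `gpresult /scope:computer /r` on one of them shows which GPOs were applied and whether the link was filtered out. Step 3 is the check to keep: a clean RSOP does not prove the certificate was installed, while the store lookup does.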
Thanks. Both of you were a lot of help.
Ben Personick (Previously QCubed), Lead SaaS Infrastructure Engineer

Glad to help! :)
