joukiejouk asked:
Been testing with a GPO to deploy a certificate with a TEST OU. How would I apply it to Production so that all machines receive the GPO?

I've been successfully testing a certificate deployment to add a certificate into Trusted Root on a user's machine with a TEST OU I've created and moving certain machines to it. This applies to computers rather than user accounts.

[screenshot]

Now it's time to apply this to all our corp user computers within our domain. Just need to understand a few things. See screenshot.

[screenshot]

Based on the screenshot above, our corp users' computers are put in the Managed Computers OU. Is that where I should create the GPO?

After creating the GPO, under Security Filtering, do I leave Authenticated Users selected and add Domain Computers? Again, this GPO is computer based.

[screenshot]

I noticed that during TESTING, although successful, the GPO never fully applied until I ran a gpupdate /force command on the TEST user's machine. Even giving it a full day, I still had to force it. Shouldn't it apply to the user's machine automatically after a few minutes or hours? I know all our DCs are replicated. Could that be the reason why? I'm just hoping I don't have to do a gpupdate /force for all users because that is not feasible.
Ben Personick (Previously QCubed) replied:

"computer configuration" settings are fickle.

Normally they are only applied at startup, but new settings should be applied to matching computers within 120 minutes.

However, quite often I have found that a lot of computer settings seem to require you to either reboot or run a GPUpdate /force, in my experience on a lot if not all of your computers. (PITA).

That said, basically just link the GPO to the root, set it to enforce, and set security filtering to "Authenticated users" and you should be good to go.

Note: I seem to find that when I apply GPOs by WMI filter even the computer settings GPOs seem to be enacted, but it may just be that the settings I chose to change when I was doing it that way are not the kind that requires the force.

The setting you are looking to apply should not need a /force or a /boot.

Move the GPO to your highest level in the hierarchy where your production machines sit and have it apply to only Authenticated Users. There is no need to apply any other security.

Do an RSOP before and after you run gpupdate /target:computer.

Do you have a 2012 DC? You can run an update against any OU.

Powershell:
https://technet.microsoft.com/en-us/library/hh967455(v=wps.630).aspx

GPMC:
https://www.google.com/amp/s/www.petri.com/force-remote-group-policy-update-gpmc/amp

Note: do this during off hours. Computers will reboot.

You can schedule a PS script to run at 3:00 am.
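The remote refresh described above (run from a 2012-or-later DC against an OU, checked with an RSOP-style before/after), as an added example that is not code from any poster in this thread. It uses the GroupPolicy and ActiveDirectory RSAT modules; the OU distinguished name and the certificate thumbprint are placeholders you would replace with your own values. It deliberately does not pass -Boot, so it does not restart any machine, and it only refreshes computers whose Trusted Root store still lacks the certificate.

```powershell
# Added example (not from the thread). Run from a DC or admin workstation with
# RSAT installed (Windows Server 2012 or later for Invoke-GPUpdate).
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the thread):
$SearchBase = 'OU=Managed Computers,DC=corp,DC=example'   # DN of the target OU
$Thumbprint = '0000000000000000000000000000000000000000' # SHA-1 thumbprint of the deployed root cert

# Returns $true/$false if the root certificate is in the machine's Trusted Root
# store (Cert:\LocalMachine\Root, which a computer-side certificate GPO populates),
# or $null if the machine could not be reached.
function Test-RootCertPresent {
    param([string]$ComputerName, [string]$Thumbprint)
    try {
        Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            param($tp)
            [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $tp)
        } -ArgumentList $Thumbprint
    } catch {
        Write-Warning "$ComputerName unreachable: $($_.Exception.Message)"
        $null
    }
}

# Every computer object under the OU the GPO is linked to.
$computers = Get-ADComputer -Filter * -SearchBase $SearchBase |
    Select-Object -ExpandProperty Name

# "Before" check: which reachable machines have not yet received the cert.
$missing = @(foreach ($c in $computers) {
    if ((Test-RootCertPresent -ComputerName $c -Thumbprint $Thumbprint) -eq $false) { $c }
})

# Refresh computer policy only on those machines.
# -Target Computer  refreshes the computer side only (same as gpupdate /target:computer)
# -Force            reapplies all settings, not just changed ones
# -RandomDelayInMinutes 0  runs immediately instead of spreading over the default delay
# No -Boot, so nothing is restarted by this script.
foreach ($c in $missing) {
    Invoke-GPUpdate -Computer $c -Target Computer -Force -RandomDelayInMinutes 0
}

# "After" check on the same machines, so the result is a simple before/after count.
$still = @(foreach ($c in $missing) {
    if ((Test-RootCertPresent -ComputerName $c -Thumbprint $Thumbprint) -eq $false) { $c }
})

"Before refresh: {0} of {1} machines lacked the cert; after: {2}" -f $missing.Count, $computers.Count, $still.Count
if ($still.Count -gt 0) { "Still missing:`n" + ($still -join "`n") }
```

Invoke-GPUpdate creates a scheduled task on each target, so the remote scheduled task and WMI firewall rules must be allowed on the clients; if the "after" count is not zero, run gpresult /r /scope:computer on one of the listed machines to see whether the GPO is being filtered out before suspecting replication.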
joukiejouk (asker) replied:
Yo_bee,

When you say "Move the GPO to your highest level in the hierarchy", in my case, it would be the OU in my screenshot that is Managed Computers, right? So setting the security to Authenticated Users, the GPO will apply? Even if it is a computer setting?
joukiejouk (asker) replied:

Thanks. The both of you were a lot of help.