Jaime Campos
asked on
GPO Setup and Filtering

Hello -

I am looking for a way to push GPO software installation policy to only specific computers. Assign the software installation policy to the machine, as opposed to the user. I have a multi-domain (forest) running Server 2012 R2 and all OU structure is the same except obviously domain name.

Example:

domain1.local

- Distro groups (OU)
- Fax Server Groups (OU)
- location Servers (OU)
- Workstations MAC (OU)
- Workstations PC (OU)
- Domain Controllers (OU)
- Logon Account All (OU)

The systems are located within our existing computer OU and user OU. Now, specific computer accounts will be assigned GPO modulex86 and GPO modulex64. I am using SCCM to identify my computers office version (x86 or x64). Once I compile a list, the idea is to push out the proper GPO to them. This is where I get stuck. What is the best way to accomplish this? Should I modify GPO delegation and only allow group of computers? This means I will have to remove computer accounts from existing OU and not sure if that is wise as we have them organized within specific OUs right now.

Do I use WMI Filtering? If so, how?

Hope this makes sense. I'd like to understand how to organize these GPOs without complicating the system. I appreciate your help!
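As an added example (not from the original question or the answers), this is how a WMI filter for GPO targeting can be checked on a client before it is attached to a policy in GPMC. The two WQL queries are the ones commonly used to distinguish 64-bit from 32-bit Windows; the filter names are placeholders.

```powershell
# Added example, not from the thread: check locally whether the WQL queries a GPO WMI filter
# would use actually match this machine. Namespace root\CIMV2 is the one GPMC's WMI filter
# editor uses by default. Run on the client being tested (PowerShell 3.0 or later).
$WmiFilters = @{
    'Module x64' = 'SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture = "64-bit"'  # placeholder name
    'Module x86' = 'SELECT * FROM Win32_OperatingSystem WHERE OSArchitecture = "32-bit"'  # placeholder name
}

function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$ComputerName = ''    # leave empty to query the local machine over DCOM
    )
    $cim = @{ Namespace = 'root\CIMV2'; Query = $Query; ErrorAction = 'Stop' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }   # remote queries go over WinRM
    # Group Policy treats a WMI filter as "true" when the query returns at least one instance.
    $instances = Get-CimInstance @cim
    return (@($instances).Count -gt 0)
}

foreach ($name in $WmiFilters.Keys) {
    $applies = Test-GpoWmiFilter -Query $WmiFilters[$name]
    '{0,-12} applies={1,-5} {2}' -f $name, $applies, $WmiFilters[$name]
}
```

A WMI filter is evaluated on every machine each time policy is processed, so it needs no group maintenance. The caveat for this question is that `Win32_OperatingSystem.OSArchitecture` describes Windows, not Office: a 32-bit Office on 64-bit Windows still matches the x64 filter, which is why an SCCM-derived list of Office bitness is the more accurate input. Avoid filters on `Win32_Product`, which triggers a consistency check of every installed MSI package each time it is queried.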

nimdatx
Maclean

Multiple ways to skin a cat. You could simply write a script which looks for CPU type, and goes to installer required based on that.

e.g. IF "%PROCESSOR_ARCHITECTURE%" == "x86" GOTO this or that.
But you would need someone with time to go through that to explain it.

As for the GPO you can target machine names. Instead of allowing "Authenticated users" you remove that group from the scope.
Create a new Universal Distribution Group in AD, and add the computer accounts which are x64 or x86 to it.
Set the scope of the GPO to that target group, and then under security>>delegation>>advanced, re-add authenticated users, but with read only (the policy won't work without it).
This seems like an admin overhead to me however, as you will need to continually keep that target group up to date, which is a manual process.
So for that reason a more simplistic approach is to write a script which looks for processor architecture, and based on that, deploy either 32- or 64-bit software from x source.

There might be other methods. But this is what I would consider.
My scripts are usually "Look for CPU" If x64 look whether App is installed in x folder.
Skip to required step in script depending on result etc etc.
How you write it depends on your requirements and script knowledge plus script preference.

Not sure if that might be an alternate idea which could work for you.
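An added example of the script approach described above (my code, not Maclean's, and not from the original thread): detect the machine architecture, skip the install if the product is already present in the expected folder, and otherwise run the matching installer from a share. The share path, product folder and installer file names are placeholders.

```powershell
# Added example, not from the thread. Share, folder and installer names are placeholders.
param(
    [string]$SourceRoot = '\\fileserver\software$\Module',                       # placeholder share
    [string]$Marker32   = "${env:ProgramFiles(x86)}\Vendor\Module\module.exe",   # placeholder path
    [string]$Marker64   = "$env:ProgramFiles\Vendor\Module\module.exe"           # placeholder path
)

function Get-MachineArchitecture {
    # %PROCESSOR_ARCHITECTURE% reports "x86" when read from a 32-bit process on 64-bit
    # Windows, so ask the OS directly instead of trusting the environment variable.
    if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
}

function Invoke-ModuleInstall {
    $arch   = Get-MachineArchitecture
    $marker = if ($arch -eq 'x64') { $Marker64 } else { $Marker32 }

    if ($marker -and (Test-Path -LiteralPath $marker)) {
        Write-Output "Module ($arch) already present at $marker; nothing to do."
        return 0
    }

    $msi = Join-Path $SourceRoot "module_$arch.msi"   # placeholder installer name
    if (-not (Test-Path -LiteralPath $msi)) { throw "Installer not found: $msi" }

    # Only run an installer from the share if its Authenticode signature is intact,
    # so a tampered or replaced package on the share is refused rather than installed.
    $sig = Get-AuthenticodeSignature -FilePath $msi
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to run installer with signature status '$($sig.Status)': $msi"
    }

    $log  = Join-Path $env:TEMP "module_$arch.log"
    $args = @('/i', "`"$msi`"", '/qn', '/norestart', '/L*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $args -Wait -PassThru
    Write-Output "msiexec exited with $($proc.ExitCode); log at $log"
    return $proc.ExitCode
}

exit (Invoke-ModuleInstall)
```

Run as a computer startup script so it executes in the machine context with access to the share, which is the same context a computer-assigned software installation policy uses. The exit code is msiexec's, so 0 and 3010 (reboot pending) are the normal success values.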
Jaime Campos
ASKER

Create a new Universal Distribution Group in AD, and add the computer accounts which are x64 or x86 to it.

Done, however I created a Universal Security Group as a Dist group did not work. Added my test system into that group and set it as Security Filter 'apply GPO' and Authenticated Users is set for 'read' and I see GPO applied (gpresult /scope Computer -v).

Question: The old Admin created a test x86 GPO, however he applied to OU (top level) which is where some of the computer accounts are located. Now, the old admin also has 'Domain Computers', from all three other domains listed in SECURITY FILTERING. I think his thoughts are this is the only way this policy will affect any other computers that log on to any of the other domains. Is this the correct way to do it, even if I have multiple domains within a forest?

THANKS!

nimdatx
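The group-based security filtering worked out above, and the maintenance overhead Maclean raised, can be handled with an added example (not from the thread) that reconciles the universal security group against a list of computer names exported from SCCM, resolving each name across the forest's domains. Group, domain and computer names below are placeholders; a real run would read the list with Import-Csv.

```powershell
# Added example, not from the thread. Group, domain and computer names are placeholders.
param(
    [string]$GroupName   = 'GPO-ModuleX64-Computers',            # placeholder universal security group
    [string]$GroupDomain = 'domain1.local',                       # domain that holds the group
    [string[]]$Domains   = @('domain1.local', 'domain2.local'),   # placeholder forest domains
    [string[]]$Wanted    = @('PC0001', 'PC0002', 'PC0003')        # constructed sample; normally from SCCM via Import-Csv
)
Import-Module ActiveDirectory

function Resolve-ComputerDn {
    # Look the computer name up in each domain in turn and return the first match's DN.
    param([string]$Name, [string[]]$Domains)
    foreach ($d in $Domains) {
        $c = Get-ADComputer -Server $d -Filter "Name -eq '$Name'" -ErrorAction SilentlyContinue
        if ($c) { return $c.DistinguishedName }
    }
    return $null
}

function Sync-GpoTargetGroup {
    param([string]$GroupName, [string]$GroupDomain, [string[]]$Domains, [string[]]$Wanted)

    $group = Get-ADGroup -Server $GroupDomain -Identity $GroupName -Properties member
    # Only a *security* group carries an ACL-usable SID; a distribution group cannot be
    # used in GPO security filtering, which matches what the asker observed above.
    if ($group.GroupCategory -ne 'Security' -or $group.GroupScope -ne 'Universal') {
        throw "$GroupName must be a Universal Security group to hold computers from several domains for GPO filtering."
    }

    $current = @($group.member)
    $target  = @(foreach ($n in $Wanted) {
        $dn = Resolve-ComputerDn -Name $n -Domains $Domains
        if ($dn) { $dn } else { Write-Warning "Not found in any domain: $n" }
    })

    $toAdd    = @($target  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $target })

    # Adding by distinguished name through Set-ADGroup works for members from other domains
    # in the forest, where Add-ADGroupMember may fail to resolve the object.
    foreach ($dn in $toAdd)    { Set-ADGroup -Server $GroupDomain -Identity $group -Add    @{ member = $dn } }
    foreach ($dn in $toRemove) { Set-ADGroup -Server $GroupDomain -Identity $group -Remove @{ member = $dn } }

    [pscustomobject]@{ Added = $toAdd.Count; Removed = $toRemove.Count; Members = $target.Count }
}

Sync-GpoTargetGroup -GroupName $GroupName -GroupDomain $GroupDomain -Domains $Domains -Wanted $Wanted
```

Because the list comes from SCCM's Office inventory, the group reflects Office bitness rather than Windows bitness. Two things to keep in mind when reading gpresult after a sync: a computer picks up a new group membership in its Kerberos token only after a reboot, and Authenticated Users still needs Read (not Apply) on the GPO so that the machine can retrieve the policy at all.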
ASKER CERTIFIED SOLUTION
Maclean

Jaime Campos
ASKER
I added a client from another domain into the group I created and GPO applied correctly. So for now I will go with this solution. I truly appreciate all your help.
Thank you!