| Author | Messages | |
dharding
Posts:26
 | | 08/24/2005 9:40 AM |
| How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain? WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.
Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469 -----------------------------------------
__________________________________
This message and any attachments are solely for the intended recipient
and may contain confidential or privileged information. If you are not
the intended recipient, any disclosure, copying, use or distribution of
the information included in the message and any attachments is
prohibited. If you have received this communication in error, please
notify us by reply e-mail and immediately and permanently delete this
message and any attachments. Thank You.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ | | | |
| darren.marelia@xxxx.yyy
 | | 08/24/2005 9:53 AM |
| WMI filters aren't processed by Win2K so that won't work on that
platform. Your best bet is probably to put all the XP & win2k machines
in one security group and then security filter the GPO based on that
group (i.e. remove the Authenticated Users ACE from the sec. filter on
that GPO and add the new group with Read and Apply GP permissions).
| | | |
| AD00000333
Posts:0
 | | 08/24/2005 9:57 AM |
| WMI filters don't work for Windows 2000 (server or professional). Create
separate OUs for your servers and for your workstations. Link your GP
to the workstation OU.
| | | |
| TonyTest
Posts:0
 | | 08/24/2005 9:58 AM |
| Is there any reason why you can't put the workstations and servers in
separate OUs and then link the GPO to the OU that contains the
workstations? If this is not possible then you might consider group
filtering, i.e. put all servers in a group and exclude them from the
policy.
Tony
| | | |
| dharding
Posts:26
 | | 08/24/2005 10:08 AM |
| I have over 2000 machines in my computers containers. Is there any
other way?
| | | |
| rm@xxxx.yyy
 | | 08/24/2005 10:19 AM |
| On Wed, 24 Aug 2005 18:04:13 -0400, "Harding, Devon"
said:
> I have over 2000 machines in my computers containers. Is there any
> other way?
It shouldn't take long to pull the servers out by hand and put them into
their own OU. How many servers do you have?
RM
| | | |
| hcoleman
Posts:31
 | | 08/24/2005 10:21 AM |
| I'd create the Workstations OU and the Servers OU. Then write a script
that looks at each of the machines in the computers container, and based
on what you find in the operatingSystem attribute have the script move
the object to the appropriate OU.
I'd also not leave new computer objects in the computers container.
| | | |
| AARON_VISSER@xxxx.yyy
 | | 08/24/2005 10:38 AM |
| Why not just move the servers to a new OU called Servers? and then move the
remaining computers into a new OU called Workstations?
| | | |
| darren.marelia@xxxx.yyy
 | | 08/24/2005 10:48 AM |
| I suppose it's just me but in general I'm opposed to modifying an AD
structure strictly to meet a single need such as this. If there are
overwhelming business reasons to have those machines there in the first
place, then moving them around to accommodate a particular GP problem is
probably not a good idea, because, as we all know, there will be a new
problem that will come along that will have a different set of
requirements. That being said, if you have no particular rhyme or reason
for having computers in the Computers container, then it is very common
to create OUs by machine role, since roles like Server vs. Workstation
typically don't change over time - again, assuming that it meets your
larger business/security/delegation/management requirements.
That is why my first recommendation in this case is to use something
like security group filtering so that you don't have to muck with the
organization of AD.
Darren
| | | |
| dwells
Posts:39
 | | 08/24/2005 10:52 AM |
| Since you now know WMI filters are ignored by 2000, as I see it you have 3
options ... all of which have been suggested in one form or another -
1. Place the Servers in a group and use security filtration to prevent the
GP's application against the group's members
2. Split the workstations and servers into separate OUs
3. Script the application of the policy contents (may or may not be doable
dependent upon what it is the policy in question does)
Isolating the computer accounts from one another by placing them in separate
OUs is my preference since it offers a long-term ease-of-management
advantage ... placing them in security groups will also work perfectly well.
Scripting either of these approaches is not a difficult exercise and could
even be done using 'Saved Queries' and the GUI should you have any uplevel
clients with an uplevel ADMINPAK.
--
Dean Wells
MSEtechnology
* Email: dwells@xxxxxxxxxxxxxxxxx
http://msetechnology.com
| | | |
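The security-group filtering suggested in this thread, as an added PowerShell example that is not part of the original posts: it builds the workstation group from the operatingSystem attribute and can be re-run to reconcile membership after rebuilds or upgrades. It assumes the ActiveDirectory and GroupPolicy modules are installed; the search base, group name and GPO name are hypothetical placeholders, and the group and GPO must already exist.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not from the thread. The search base, group name and GPO name
# are hypothetical placeholders; the group and the GPO must already exist.
param(
    [string]$SearchBase = 'CN=Computers,DC=example,DC=com',
    [string]$GroupName  = 'GPO-Workstations',
    [string]$GpoName    = 'Workstation Policy',
    [switch]$Apply      # without -Apply the script only reports the planned changes
)

# operatingSystem values for the two workstation platforms named in the thread.
$WorkstationPatterns = 'Windows XP Professional*', 'Windows 2000 Professional*'

function Test-IsWorkstation {
    param([string]$OperatingSystem, [string[]]$Patterns)
    foreach ($pattern in $Patterns) {
        if ($OperatingSystem -like $pattern) { return $true }
    }
    return $false
}

# Read every computer object under the search base together with its OS string.
$computers = @(Get-ADComputer -SearchBase $SearchBase -SearchScope Subtree `
        -Filter * -Properties operatingSystem)

$scannedDns = @($computers | ForEach-Object { $_.DistinguishedName })
$wantedDns  = @($computers |
        Where-Object { Test-IsWorkstation $_.operatingSystem $WorkstationPatterns } |
        ForEach-Object { $_.DistinguishedName })

# Objects with no operatingSystem value (pre-staged, never joined) are reported,
# not guessed at: they stay out of the group until the attribute is populated.
$noOsDns = @($computers | Where-Object { -not $_.operatingSystem } |
        ForEach-Object { $_.DistinguishedName })

# Current membership, read from the group's member attribute as DNs.
$currentDns = @((Get-ADGroup -Identity $GroupName -Properties member).member)

$toAdd = @($wantedDns | Where-Object { $_ -notin $currentDns })
# Remove only members that this run scanned and that no longer match, e.g. a
# machine rebuilt as a server. Members outside the search base are left alone.
$toRemove = @($currentDns |
        Where-Object { $_ -in $scannedDns -and $_ -notin $wantedDns })

if ($Apply) {
    if ($toAdd.Count) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }

    # Security filtering: the group gets Read + Apply Group Policy on the GPO.
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Authenticated Users loses Apply. This example leaves it with Read only,
    # which is a choice made here; use -PermissionLevel None to remove the
    # entry outright as described in the thread.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
}

# Summary of what was found and what was (or would be) changed.
[pscustomobject]@{
    Scanned        = $scannedDns.Count
    Workstations   = $wantedDns.Count
    MissingOsValue = $noOsDns
    ToAdd          = $toAdd
    ToRemove       = $toRemove
    Applied        = [bool]$Apply
}
```

A computer picks up a new group membership at its next restart, so the filter takes effect on a machine only after that.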
| rm@xxxx.yyy
 | | 08/24/2005 10:57 AM |
| | On Wed, 24 Aug 2005 15:47:10 -0700, "Darren Mar-Elia" said:
> I suppose it's just me but in general I'm opposed to modifying an AD
> structure strictly to meet a single need such as this. If there are
> overwhelming business reasons to have those machines there in the first
> place, then moving them around to accommodate a particular GP problem is
> probably not a good idea, because, as we all know, there will be a new
> problem that will come along that will have a different set of
> requirements.
I can think of plenty of reasons to have a different OU for servers and no good reasons to not have this OU. If I were tasked with the job of admin for this environment, creating and populating a servers OU would be one of my first tasks.
The second would be installing GPMC on my PC. :-)
RM | | | |
| freddy_hartono@xxxx.yyy
 | | 08/25/2005 2:21 AM |
| You can always make conflicting GPOs and
get those to work (but with limitation)
Example WMI Filter: OS=XP and OS=NON XP
GPO 1: WMI Filter OS=XP; Settings: Hide Recycle Bin = no; Result: 2000 show; Result: XP hide
GPO 2: WMI Filter OS=NON-XP; Settings: Hide Recycle Bin = yes; Result: 2000 hide; Result: not processed
========================
Final result = Win2000: Hide Recycle Bin = Yes; WinXP: Hide Recycle Bin = No
Limitation = you can't set conflicting for
something that you want to be set as NOT DEFINED.
Hope that helps
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: freddy_hartono@xxxxxxxxxxxxxxx
From: Robert Bobel [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Robert Bobel
Sent: Thursday, August 25, 2005 8:45 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro
I'm pretty much with Darren on this one.
Keeping it organized over the long term may end up being a lot of trouble
especially if the environment is of a fairly large size.
| | | |
| CrawfordS
Posts:51
 | | 08/25/2005 2:41 AM |
| -----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Coleman, Hunter
Sent: Wednesday, August 24, 2005 5:19 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro
I'd create the Workstations OU and the Servers OU. Then write a script
that looks at each of the machines in the computers container, and based
on what you find in the operatingSystem attribute have the script move
the object to the appropriate OU.
I'd also not leave new computer objects in the computers container.
```vbscript
Option Explicit

Dim strBase, strFilter, strAttrs, strScope
Dim oConnAD, oRSAD
Dim strOS
Dim strSource, strDestination
Dim strADDN, strADName
Dim oOU

' Unrem exactly one strOS line: the operatingSystem value to match.
'strOS = "Windows XP Professional"
'strOS = "Windows 2000 Professional"
'strOS = "Windows 2000 Server"
strOS = "Windows Server 2003"

' Container to search, and the OU the matching computers are moved into.
strSource = "LDAP://CN=Computers,DC=evangel,DC=edu"
strDestination = "LDAP://OU=W2K3Servers,DC=evangel,DC=edu"
Set oOU = GetObject(strDestination)

' ADO LDAP-dialect query: <search base>;(filter);attributes;scope
strBase = "<" & strSource & ">;"
strFilter = "(operatingSystem=" & strOS & ");"
strAttrs = "distinguishedName,Name;"
strScope = "subtree"

Set oConnAD = CreateObject("ADODB.Connection")
oConnAD.Provider = "ADsDSOObject"
oConnAD.Open "Active Directory Provider"

' No page size is set, so a single run returns at most 1000 objects.
' Moved objects leave the source container; rerun until nothing is left.
Set oRSAD = oConnAD.Execute(strBase & strFilter & strAttrs & strScope)

While Not oRSAD.EOF
    strADDN = oRSAD.Fields(0)
    strADName = oRSAD.Fields(1)
    ' Move the computer object into the destination OU, keeping its name.
    oOU.MoveHere "LDAP://" & strADDN, "cn=" & strADName
    oRSAD.MoveNext
Wend

Set oOU = Nothing
oRSAD.Close
Set oRSAD = Nothing
oConnAD.Close
Set oConnAD = Nothing
```
| | | |
| rm@xxxx.yyy
 | | 08/25/2005 4:03 AM |
| | On Wed, 24 Aug 2005 20:45:07 -0400, "Robert Bobel" said:
> I'm pretty much with Darren on this one. Keeping it organized over the
> long term may end up being a lot of trouble especially if the environment of a fairly large size.
It's easy when not every Tom, Dick, and Harry can create computer accounts. If your org is really that large, you likely already have OU's that either follow geographic lines or hierarchical lines. Sub OU's would contain servers or workstations.
I cringe at the thought of a Fortune 500 with 30,000 computer accounts in one OU. Do companies really run that way?
RM | | | |
| darren.marelia@xxxx.yyy
 | | 08/25/2005 6:10 AM |
| Actually my point was less around the initial organization
of AD than around changing an AD design to accommodate short-term requirements. I
am all for the approach you've described below if it meets the administrative
and business needs of an organization.
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of RM
Sent: Wednesday, August 24, 2005 9:03 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro
On Wed, 24 Aug 2005 20:45:07 -0400, "Robert Bobel" <Robert.Bobel@xxxxxxxxx> said:
> I'm pretty much with Darren on this one. Keeping it organized over the
> long term may end up being a lot of trouble especially if the environment of a fairly large size.
It's easy when not every Tom, Dick, and Harry can create computer accounts. If
your org is really that large, you likely already have OU's that either
follow geographic lines or hierarchical lines. Sub OU's would contain
servers or workstations.
I cringe at the thought of a Fortune 500 with 30,000 computer accounts in one
OU. Do companies really run that way?
RM | | | |
| RobertBobel
Posts:7
 | | 08/25/2005 7:48 AM |
| Most of what I've seen is that they first
organize by Geo then by organizationally (or the other way round) then further divide
the objects by roles like Mobile users, Desktops, service accounts, de-provisioned
users etc.
I can't imagine organizing by attribute
data like OS. I would think that a system upgrade could potentially cause GPOs
to break and you'd constantly be filtering ADUC on OS to figure out if
you need to move stuff. I suppose scripting it could help...
| | | |
| RobertBobel
Posts:7
 | | 08/25/2005 12:47 PM |
| ________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of RM
Sent: Wed 8/24/2005 6:56 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro
On Wed, 24 Aug 2005 15:47:10 -0700, "Darren Mar-Elia"
said:
> I suppose it's just me but in general I'm opposed to modifying an AD
> structure strictly to meet a single need such as this. If there are
> overwhelming business reasons to have those machines there in the first
> place, then moving them around to accommodate a particular GP problem is
> probably not a good idea, because, as we all know, there will be a new
> problem that will come along that will have a different set of
> requirements.
I can think of plenty of reasons to have a different OU for servers and no good reasons to not have this OU. If I were tasked with the job of admin for this environment, creating and populating a servers OU would be one of my first tasks.
The second would be installing GPMC on my PC. :-)
RM
> | | | |
| AD000001365
Posts:0
 | | 08/26/2005 4:38 AM |
| I would suggest modifying your build for workstations so that in the
sysprep file it joins the appropriate OU so you don't have to worry in
the future about running a script or manually moving new Workstations to
the correct OU.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Crawford, Scott
Sent: Thursday, August 25, 2005 10:03 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro
Here is such a script. Just unrem the correct strOS line that you're
working with and set strSource and strDestination to the correct values
for your environment.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Coleman, Hunter
Sent: Wednesday, August 24, 2005 5:19 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro
I'd create the Workstations OU and the Servers OU. Then write a script
that looks at each of the machines in the computers container, and based
on what you find in the operatingSystem attribute have the script move
the object to the appropriate OU.
I'd also not leave new computer objects in the computers container.
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 4:04 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro
I have over 2000 machines in my computers containers. Is there any
other way?
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Wednesday, August 24, 2005 5:53 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro
WMI filters aren't processed by Win2K so that won't work on that
platform. Your best bet is probably to put all the XP & win2k machines
in one security group and then security filter the GPO based on that
group (i.e. remove the Authenticated Users ACE from the sec. filter on
that GPO and add the new group with Read and Apply GP permissions).
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Harding, Devon
Sent: Wednesday, August 24, 2005 2:40 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: [ActiveDir] GPO on XP & 2000 Pro
How can I get a GPO to only run on all Windows XP and 2000 Pro. machines
in a domain? WMI Filter is applied to 2000 machines so it'll run on
2000 server if I filter by OS type.
Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469 -----------------------------------------
| | | |
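The approach Hunter Coleman describes in the quoted message above (read operatingSystem on each object in the Computers container and move it to a Workstations or Servers OU), written out as an added PowerShell example; it is not the script Scott Crawford refers to, which this page does not reproduce, and not any poster's code. The domain DN `DC=example,DC=com`, the two OU paths and the helper name `Get-TargetOU` are assumptions, and the ActiveDirectory module must be installed.

```powershell
# Added example: sort computer objects out of CN=Computers by operatingSystem.
# Assumed values (not from the thread): the domain DN and both OU paths.
Import-Module ActiveDirectory

$Source       = 'CN=Computers,DC=example,DC=com'
$Workstations = 'OU=Workstations,DC=example,DC=com'
$Servers      = 'OU=Servers,DC=example,DC=com'

# Hypothetical helper: map an operatingSystem string to a destination OU.
function Get-TargetOU {
    param([string]$OperatingSystem)
    # Accounts that were pre-created but never joined have no operatingSystem.
    if ([string]::IsNullOrWhiteSpace($OperatingSystem)) { return $null }
    # "Windows 2000 Server" and "Windows 2000 Professional" share a prefix,
    # so test for "Server" first instead of matching on the version alone.
    if ($OperatingSystem -match 'Server') { return $Servers }
    if ($OperatingSystem -match 'Windows (XP|2000 Professional)') { return $Workstations }
    return $null   # anything else stays put for manual review
}

# OneLevel: only objects directly in the container, not in nested containers.
$computers = Get-ADComputer -Filter * -SearchBase $Source `
    -SearchScope OneLevel -Properties operatingSystem

foreach ($c in $computers) {
    $target = Get-TargetOU $c.operatingSystem
    if (-not $target) {
        Write-Warning "Skipped $($c.Name): operatingSystem='$($c.operatingSystem)'"
        continue
    }
    # -WhatIf prints the intended move without changing the directory.
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $target -WhatIf
}
```

Review the `-WhatIf` output and the skipped-object warnings before removing `-WhatIf`, since a GPO linked to the destination OU applies to every object moved into it.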
| deji
Posts:152
 | | 08/26/2005 4:59 AM |
| That works - IF he has a build process that uses sysprep. Otherwise,
pre-creating the computer account in the appropriate OU before joining it to
the domain will be the way to go from here on.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
________________________________
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of Cothern Jeff D. Team
EITC
Sent: Fri 8/26/2005 9:35 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] GPO on XP & 2000 Pro
I would suggest modifying your build for workstations so that in the
sysprep file it joins the appropriate OU so you don't have to worry in
the future about running a script or manually moving new Workstations to
the correct OU.
| | | |
|
|