| Author | Messages | |
myrickt
Posts:0
 | | 02/05/2009 9:23 AM |
| Greetings,
I am getting ready to start a domain consolidation project. As part of the project scope we need to evaluate the OU design in the original domain and move computer resources to the new hosting domain. As part of the migration we are asked to evaluate the number of GPOs due to the size each GPO takes to replicate. The original domain has a number of OU's for workstation types that have a GPO linked to each one. In other words it is pretty complex.
Based on my reading and limited exposure I have a working idea that if we used the computer prefix as a form of classification, and GPO filtering, I could reduce the number of GPO's that are assigned based on type.
I also feel that by using additional WMI filters I could address the OS and possibly Hardware differences with the need to create too many classifications.
The end result would be to host as many Workstation Types in a single OU, link all the workstation GPO's to the container, and use WMI filtering of the computer name as the qualifier for applying the GPO.
Do you all think this feasible and practical?
Thanks,
| | | |
| myrickt
Posts:0
 | | 02/05/2009 10:49 AM |
| Thanks Darren,
Just to be clear, I want to create a limited number of computer name classifications as prefixes. The GPO would then apply based on the prefix of the computer name.
Example:
Computer Type is a laptop - Prefix would be CC-LT<ID Code> - computer GPO's applied that are relative to a laptop (Offline sync of folders, etc.), wireless configurations, etc.
Computer Type is a Stationary Workstation - CC-WS<ID Code> - computer GPO's applied that are relative to a Workstation Configuration.
Right now we have Admins Creating OUs to house and Linking GPO's based on different workstation types, installed OS, etc. So we have a number of OUs and GPOs. On top of that we have to delegate the ability to allow a large group of people to administer computer object creation based on OU.
I realize that every workstation will have to process the GPO's linked to the OU, that Windows 2000 hosts can't use WMI filtering so will process all the GPOs no matter what, that I can use security group filtering and a single OU, etc.
I basically want to see if it is possible and feasible to create a single process that allows a data administrator to go to a single location and request a computer object be created and delegated so that they can join, rename, and remove it from the domain. The computer-prefix (from a pre-determined number of classifications) they choose will be the determining factor in what unique GPO's get applied to it, while standard GPOs are applied to all computer objects.
Thanks,
________________________________
From: Darren Mar-Elia [mailto:xxxxxxxxxxxxxxxx] Sent: Thursday, February 05, 2009 9:40 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Todd-
It's hard to know exactly what's going on from that description. What is the ultimate goal? You mention size of GPOs but from a replication perspective, GPOs only replicate changes when something changes in the GPO, so the amount of data replicating across DCs should be fairly minimal. If the goal is to reduce the size of the GPOs - i.e. break them up into smaller, more targeted GPOs, then that is certainly do-able but I'm not clear how granular you need to get. When you start talking about filtering GPOs using WMI filters for individual computers, I start to get worried that you're getting too granular. Or am I missing something?
Darren
| | | |
| Darren
Posts:103
 | | 02/05/2009 11:07 AM |
| Todd-
That makes sense. I think what you are proposing then is workable if the WMI filter is flexible enough to accommodate pattern matching. It seems to me that this has been presented on this list before (or something like it) using the LIKE operator and wildcards, so I believe it would work from a technical perspective. This approach also has the advantage of not requiring the maintenance of a security group, although if such a process were in place I would probably prefer that over using a WMI filter. Also just an FYI that if you have the ability to use GP Preferences for some of your policy, you have its more granular filtering capabilities that make deploying policy based on hardware and software criteria much easier. Of course that only applies to GPP settings.
Darren
| | | |
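The LIKE-based filter discussed in the post above can be checked on a client before it is attached to a GPO. The following is an added example, not code from the thread: it evaluates candidate filter queries on the local machine and times them. The prefixes CC-LT and CC-WS are from the thread; the filter names and the `Test-WmiFilter` helper are hypothetical.

```powershell
# Added example: evaluate candidate GPO WMI filters on the local machine.
# Prefixes CC-LT / CC-WS are from the thread; filter names are hypothetical.
# WQL LIKE wildcards: %  = any string (including empty)
#                     _  = any single character
#                     [_] = a literal underscore
# The hyphen in "CC-LT" is literal because it is outside square brackets.

$Filters = @(
    [pscustomobject]@{
        Name    = 'Laptops by name prefix'
        Queries = @(
            'SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "CC-LT%"'
        )
    }
    [pscustomobject]@{
        Name    = 'Stationary workstations by name prefix'
        Queries = @(
            'SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "CC-WS%"'
        )
    }
    [pscustomobject]@{
        # A filter may hold several queries; it is true only if every
        # query returns at least one instance.
        Name    = 'Laptops by prefix, client OS only'
        Queries = @(
            'SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "CC-LT%"',
            'SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1'
        )
    }
)

function Test-WmiFilter {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Queries,
        [string] $Namespace = 'root\CIMv2'
    )

    $timer       = [System.Diagnostics.Stopwatch]::StartNew()
    $applies     = $true
    $failedQuery = $null

    foreach ($query in $Queries) {
        # -ErrorAction Stop surfaces a malformed query instead of hiding it.
        $rows = @(Get-CimInstance -Namespace $Namespace -Query $query -ErrorAction Stop)
        if ($rows.Count -eq 0) {
            $applies     = $false
            $failedQuery = $query
            break   # one empty result is enough to make the filter false
        }
    }
    $timer.Stop()

    [pscustomobject]@{
        Filter       = $Name
        ComputerName = $env:COMPUTERNAME
        Applies      = $applies
        Milliseconds = $timer.ElapsedMilliseconds
        FailedQuery  = $failedQuery
    }
}

$Filters |
    ForEach-Object { Test-WmiFilter -Name $_.Name -Queries $_.Queries } |
    Format-Table -AutoSize
```

Running it on one machine of each type shows which GPOs would pass the filter there and how long each evaluation takes on that hardware.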
| dn
Posts:6
 | | 02/05/2009 11:46 AM |
| I would highly recommend that you read Dan Holme's book Windows Administrators Resource Kit. In it, he provides a number of scripts for creating computer objects, as well as scripts to create "shadow groups" - groups that are created based on specific naming conventions (such as laptop or desktop). There are some great resources to get you started on this.
Doug
| | | |
| myrickt
Posts:0
 | | 02/05/2009 2:14 PM |
| Thanks Todd, (I feel like I am addressing myself)
I am aware of the use of Security Groups as filters. I am just concerned that adding a step to add the machine to a group would complicate the process. I am looking to use the Object Name (specifically a prefix for the computer name) as an alternative approach.
I am vetting it to this group because I haven't been able to identify any examples of someone doing this at this time.
Thanks,
Todd(ler)
________________________________
From: Connell, Todd F. [mailto:xxxxxxxxxxxxxxxx] Sent: Thursday, February 05, 2009 11:23 AM To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Hi Todd- Also keep in mind you can do filtering by using security groups which will also work with 2000 and may or may not be easier for you. For example, put all your laptops in a group called "Laptops", make your laptop specific policy, then change the security tab so that the policy object is read and applied to just the "Laptops" security group, also remove "authenticated users" from reading and applying as this includes all users and computers.
Todd
| | | |
| dougdelaney
Posts:43
 | | 02/05/2009 2:26 PM |
| Hi Todd,
What we did in a case like this was to create a high level OU (OS groups) and we created a service ID that was delegated the rights to manage all group memberships in this OU. That service ID executes a scheduled task that runs an ADSI script that reads properties of the AD object, such as OS version and populates the groups accordingly. In our case, that task executes 6 times per day, and ignores servers. We then filter the relevant GPOs on those OS groups. The same approach could be taken for computer names. We found that WMI filters take too long to evaluate to false, negatively impacting the masses.
Doug Delaney Infrastructure Specialist - Integration Engineering-GM
EDS, an HP company
| | | |
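The scheduled group-population task described in the post above, applied to computer-name prefixes instead of OS version, could look like the following. This is an added example, not the poster's script: it uses the ActiveDirectory PowerShell module rather than ADSI, the prefixes CC-LT and CC-WS are from the thread, and the OU, the group names and the `Sync-ShadowGroup` helper are hypothetical.

```powershell
# Added example: keep "shadow groups" in step with computer-name prefixes so
# GPOs can be security-filtered on the groups instead of using WMI filters.
# CC-LT / CC-WS are the thread's prefixes; OU and group names are hypothetical.
Import-Module ActiveDirectory

$SearchBase    = 'OU=Workstations,DC=example,DC=com'   # hypothetical OU
$PrefixToGroup = [ordered]@{
    'CC-LT' = 'GPO-Laptops'         # hypothetical group names
    'CC-WS' = 'GPO-Workstations'
}

function Sync-ShadowGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Prefix,
        [Parameter(Mandatory)] [string] $Group,
        [Parameter(Mandatory)] [string] $SearchBase
    )

    # Desired members: computer objects under the OU whose name starts with
    # the prefix. Servers are ignored. Pre-created objects with no
    # OperatingSystem value yet are kept, so they are grouped before joining.
    $want = @(
        Get-ADComputer -SearchBase $SearchBase -Filter "Name -like '$Prefix*'" -Properties OperatingSystem |
            Where-Object { $_.OperatingSystem -notlike '*Server*' } |
            ForEach-Object { $_.DistinguishedName }
    )

    # Current members of the group that are computer objects.
    $have = @(
        Get-ADGroupMember -Identity $Group |
            Where-Object { $_.objectClass -eq 'computer' } |
            ForEach-Object { $_.distinguishedName }
    )

    # Renamed or deleted machines fall out of $want and are removed here.
    $add    = @($want | Where-Object { $have -notcontains $_ })
    $remove = @($have | Where-Object { $want -notcontains $_ })

    if ($add.Count -and $PSCmdlet.ShouldProcess($Group, "add $($add.Count) computer(s)")) {
        Add-ADGroupMember -Identity $Group -Members $add
    }
    if ($remove.Count -and $PSCmdlet.ShouldProcess($Group, "remove $($remove.Count) computer(s)")) {
        Remove-ADGroupMember -Identity $Group -Members $remove -Confirm:$false
    }

    [pscustomobject]@{
        Group   = $Group
        Prefix  = $Prefix
        Added   = $add
        Removed = $remove
    }
}

# Dry run: drop -WhatIf once the reported changes look right.
$report = foreach ($entry in $PrefixToGroup.GetEnumerator()) {
    Sync-ShadowGroup -Prefix $entry.Key -Group $entry.Value -SearchBase $SearchBase -WhatIf
}
$report | Format-List

# Computers in the OU that match no known prefix receive only the standard
# GPOs; listing them catches typos and names outside the convention.
$unclassified = Get-ADComputer -SearchBase $SearchBase -Filter * |
    Where-Object {
        $name = $_.Name
        -not ($PrefixToGroup.Keys | Where-Object { $name -like "$_*" })
    }
$unclassified | Select-Object Name, DistinguishedName
```

A computer picks up a changed group membership only when it obtains a new Kerberos ticket, in practice at its next restart. Because the name is the only classifier, anyone delegated to create or rename computer objects in the OU also decides which group-filtered GPOs the machine receives, so the report of additions, removals and unclassified names is worth reviewing.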
| myrickt
Posts:0
 | | 02/05/2009 2:41 PM |
| Understood,
So GPO security filtering due to the overhead of WMI processing, specifically you partitioned based on OS Type.
Thanks,
Todd Myrick
________________________________
From: Delaney, Doug [mailto:xxxxxxxxxxxxxxxx] Sent: Thursday, February 05, 2009 2:19 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Hi Todd,
What we did in a case like this was to create a high level OU (OS groups) and we created a service ID that was delegated the rights to manage all group memberships in this OU. That service ID executes a scheduled task that runs an ADSI script that reads properties of the AD object, such as OS version and populates the groups accordingly. In our case, that task executes 6 times per day, and ignores servers. We then filter the relevant GPOs on those OS groups. The same approach could be taken for computer names. We found that WMI filters take too long to evaluate to false, negatively impacting the masses.
Doug Delaney Infrastructure Specialist - Integration Engineering-GM
EDS, an HP company
GM Desktop Engineering 985 W. Entrance Dr. 2150 Auburn Hills, MI 48326
Lab: +1 248-365-9187 Tel: +1 248 754-7917 Pg: +1 248 870-0306 Mobile: +1 248 210-4973 E-mail: xxxxxxxxxxxxxxxx <mailto xxxxxxxxxxxxxxxx>
We deliver on our commitments so you can deliver on yours.
________________________________
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, February 05, 2009 2:08 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Thanks Todd, (I feel like I am addressing myself)
I am aware of the use of Security Groups as filters. I am just concerned that adding a step to add the machine to a group would complicate the process. I am looking to use the Object Name (specificially a prefix for the computer name) as an alternative approach.
I am vetting it to this group because I haven't been able to identify any examples of someone doing this at this time.
Thanks,
Todd(ler)
________________________________
From: Connell, Todd F. [mailto:xxxxxxxxxxxxxxxx] Sent: Thursday, February 05, 2009 11:23 AM To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Hi Todd- Also keep in mind you can do filtering by using security groups which will also work with 2000 and may or may not be easier for you. For example, put all your laptops in a group called "Laptops", make your laptop specifc policy, then change the security tab so that the policy object is read and applied to just the "Laptops" security group, also remove "authenticated users" from reading and applying as this includes all users and computers.
Todd
________________________________
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, February 05, 2009 10:38 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Thanks Darren,
Just to be clear, I want to create a limited number of computer name classifications as prefixes. The GPO would then apply based on the prefix of the computer name.
Example:
Computer Type is a laptop - Prefix would be CC-LT<ID Code> - computer GPO's applied that are relative to a laptop (Offline sync of folders, etc), wireless configurations, etc)
Computer Type is a Stationary Workstation - CC-WS<ID Code> - computer GPO's applied that are relative to a Workstation Configuration.
Right now we have Admins Creating OUs to house and Linking GPO's based on different workstation types, installed OS, etc. So we have a number of OUs and GPOs. On top of that we have to delegate the ability to allow a large group of people to administer computer object creation based on OU.
I realize that every workstation will have to process the GPO's linked to the OU, that Windows 2000 host can't use WMI filtering so will process all the GPOs no matter what, that I can use security group filtering and a single OU, etc.
I basically want to see if it is possible and feasible to create a single process that allows a data administrator to go to a single location and request an computer object be created and delegated so that they can join rename, and remove it from the domain. The computer-prefix to a (pre-determine number of classifications) they choose will be the determining factor what unique GPO's get applied to it, while standard GPO are applied to all computer objects.
Thanks,
________________________________
From: Darren Mar-Elia [mailto:xxxxxxxxxxxxxxxx] Sent: Thursday, February 05, 2009 9:40 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Todd-
It's hard to know exactly what's going on from that description. What is the ultimate goal? You mention size of GPOs but from a replication perspective, GPOs only replicate changes when something changes in the GPO, so the amount of data replicating across DCs should be fairly minimal. If the goal is to reduce the size of the GPOs - i.e. break them up into smaller, more targeted GPOs, then that is certainly do-able but I'm not clear how granular you need to get. When you start talking about filtering GPOs using WMI filters for individual computers, I start to get worried that you're getting too granular. Or am I missing something?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, February 05, 2009 6:02 AM To: xxxxxxxxxxxxxxxx Subject: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Greetings,
I am getting ready to start a domain consolidation project. As part of the project scope we need to evaluate the OU design in the original domain and move computer resources to the new hosting domain. As part of the migration we are asked to evaluate the number of GPOs due to the size each GPO takes to replicate. The original domain has a number of OU's for workstation types that have a GPO linked to each one. In other words it is pretty complex.
Based on my reading and limited exposure I have a working idea that if we used the computer prefix as a form of classification, and GPO filtering, I could reduce the number of GPO's that are assigned based on type.
I also feel that by using additional WMI filters I could address the OS and possibly Hardware differences with the need to create too many classifications.
The end result would be to host as many Workstation Types in a single OU, link all the workstation GPO's to the container, and use WMI filtering of the computer name as the qualifier for applying the GPO.
Do you all think this feasible and practical?
Thanks,
________________________________
*NOTICE: This e-mail message is for the sole use of the intended recipient(s) and may contain certain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by e-mail and delete all copies of the original message. - Copyright (c) 2009 Levittown Public Schools - All rights reserved.
| | | |
| Syspro
Posts:0
 | | 02/05/2009 2:55 PM |
| Hi Todd,
I like Doug's idea. It may be a bit of an overhead to set up but it is nice and flexible.
I would tend towards using Security filtering rather than WMI filtering because it is quicker and more transparent. You can look at a group and see who is in it. If you are using WMI filtering you are not really sure which machines are matching the filter. While having a naming convention helps in identifying the machine type, using the AD Object properties is more reliable and more flexible, especially if an additional requirement comes up in the future.
Alan Cuthbertson
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Delaney, Doug Sent: Friday, 6 February 2009 6:20 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Hi Todd,
What we did in a case like this was to create a high level OU (OS groups) and we created a service ID that was delegated the rights to manage all group memberships in this OU. That service ID executes a scheduled task that runs an ADSI script that reads properties of the AD object, such as OS version and populates the groups accordingly. In our case, that task executes 6 times per day, and ignores servers. We then filter the relevant GPOs on those OS groups. The same approach could be taken for computer names. We found that WMI filters take too long to evaluate to false, negatively impacting the masses.
Doug Delaney Infrastructure Specialist - Integration Engineering-GM
EDS, an HP company
_____
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, February 05, 2009 2:08 PM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Thanks Todd, (I feel like I am addressing myself)
I am aware of the use of Security Groups as filters. I am just concerned that adding a step to add the machine to a group would complicate the process. I am looking to use the Object Name (specifically a prefix for the computer name) as an alternative approach.
I am vetting it to this group because I haven't been able to identify any examples of someone doing this at this time.
Thanks,
Todd(ler)
_____
From: Connell, Todd F. [mailto:xxxxxxxxxxxxxxxx] Sent: Thursday, February 05, 2009 11:23 AM To: 'xxxxxxxxxxxxxxxx' Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Hi Todd- Also keep in mind you can do filtering by using security groups, which will also work with 2000 and may or may not be easier for you. For example, put all your laptops in a group called "Laptops", make your laptop-specific policy, then change the security tab so that the policy object is read and applied to just the "Laptops" security group. Also remove "authenticated users" from reading and applying, as this includes all users and computers.
Todd
| | | |
| Darren
Posts:103
 | | 02/05/2009 3:01 PM |
| I would agree here that WMI filters *can* be expensive for certain types of queries, and that it ends up depending upon your specific requirements. The process that Doug outlined gets around having to manually worry about managing group memberships but it does have downsides: computers don't update their group membership token until the Kerberos ticket expires (7 days by default) or the machine is rebooted. So this process of using groups is not instantaneous, but I would definitely say that if you are going to use groups to filter hardware/software criteria, that you put in some kind of automated process to manage those memberships dynamically or you will quickly find group memberships get out of sync.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E] Sent: Thursday, February 05, 2009 11:37 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Understood,
So GPO security filtering due to the overhead of WMI processing, specifically you partitioned based on OS Type.
Thanks,
Todd Myrick
| | | |
|
|
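The scheduled group-population job Doug describes, applied to the name prefixes from Todd's example, as an added sketch that is not code from anyone in this thread. The group names and sample computer names are hypothetical and constructed; the planning function runs offline on the embedded data.

```powershell
# Added example. Prefixes come from the thread; group names are hypothetical.
$PrefixToGroup = [ordered]@{
    'CC-LT' = 'GPO-Filter-Laptops'
    'CC-WS' = 'GPO-Filter-Workstations'
}

# For comparison, the WMI-filter form of the same test (namespace root\CIMv2):
#   SELECT * FROM Win32_ComputerSystem WHERE Name LIKE "CC-LT%"
# Every client in the OU evaluates that query at policy refresh; the group
# approach below moves the classification into a scheduled job instead.

function Get-MembershipPlan {
    param(
        [string[]]  $ComputerNames,     # computer objects found in the shared OU
        [hashtable] $CurrentMembers,    # group name -> current member names
        [System.Collections.IDictionary] $Map = $PrefixToGroup
    )
    foreach ($prefix in $Map.Keys) {
        $group   = $Map[$prefix]
        $desired = @($ComputerNames | Where-Object { $_ -like "$prefix*" })
        $current = @($CurrentMembers[$group] | Where-Object { $_ })

        # Names that match the prefix but are not yet in the group.
        $desired | Where-Object { $current -notcontains $_ } | ForEach-Object {
            [pscustomobject]@{ Group = $group; Action = 'Add'; Computer = $_ }
        }
        # Members whose name no longer matches (renamed or reclassified).
        $current | Where-Object { $desired -notcontains $_ } | ForEach-Object {
            [pscustomobject]@{ Group = $group; Action = 'Remove'; Computer = $_ }
        }
    }
}

# Constructed sample data. On a live domain the names and memberships would
# come from Get-ADComputer and Get-ADGroupMember (ActiveDirectory module).
$names = 'CC-LT0012', 'CC-LT0044', 'CC-WS0101', 'CC-WS0102', 'CC-SRV01'
$members = @{
    'GPO-Filter-Laptops'      = @('CC-LT0012', 'CC-WS0101')  # stale entry after a rename
    'GPO-Filter-Workstations' = @('CC-WS0102')
}

# Review the plan first; apply each row with Add-ADGroupMember or
# Remove-ADGroupMember under the delegated service ID.
Get-MembershipPlan -ComputerNames $names -CurrentMembers $members |
    Format-Table -AutoSize
```

Producing a plan before changing anything gives the transparency Alan mentions: the rows show exactly which machines would gain or lose a GPO. As Darren notes, a change only takes effect on a client after a reboot or Kerberos ticket renewal.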