| Author | Messages | |
tconnell
Posts:16
 | | 02/05/2009 11:38 AM |
| Hi Todd- Also keep in mind you can do filtering by using security groups which will also work with 2000 and may or may not be easier for you. For example, put all your laptops in a group called "Laptops", make your laptop specifc policy, then change the security tab so that the policy object is read and applied to just the "Laptops" security group, also remove "authenticated users" from reading and applying as this includes all users and computers.
Todd
________________________________
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Thursday, February 05, 2009 10:38 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Thanks Darren,
Just to be clear, I want to create a limited number of computer name classifications as prefixes. The GPO would then apply based on the prefix of the computer name.
Example:
Computer Type is a laptop - Prefix would be CC-LT<ID Code> - computer GPO's applied that are relative to a laptop (Offline sync of folders, etc), wireless configurations, etc)
Computer Type is a Stationary Workstation - CC-WS<ID Code> - computer GPO's applied that are relative to a Workstation Configuration.
Right now we have Admins Creating OUs to house and Linking GPO's based on different workstation types, installed OS, etc. So we have a number of OUs and GPOs. On top of that we have to delegate the ability to allow a large group of people to administer computer object creation based on OU.
I realize that every workstation will have to process the GPO's linked to the OU, that Windows 2000 host can't use WMI filtering so will process all the GPOs no matter what, that I can use security group filtering and a single OU, etc.
I basically want to see if it is possible and feasible to create a single process that allows a data administrator to go to a single location and request an computer object be created and delegated so that they can join rename, and remove it from the domain. The computer-prefix to a (pre-determine number of classifications) they choose will be the determining factor what unique GPO's get applied to it, while standard GPO are applied to all computer objects.
Thanks,
________________________________
From: Darren Mar-Elia [mailto:xxxxxxxxxxxxxxxx]
Sent: Thursday, February 05, 2009 9:40 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Todd-
Its hard to know exactly what's going on from that description. What is the ultimate goal? You mention size of GPOs but from a replication perspective, GPOs only replicate changes when something changes in the GPO, so the amount of data replicating across DC should be fairly minimal. If the goal is to reduce the size of the GPOs - i.e. break them up into smaller, more targeted GPOs, then that is certainly do-able but I'm not clear how granular you need to get. When you start talking about filtering GPOs using WMI filters for individual computers, I start to get worried that you're getting too granular. Or am I missing something?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Myrick, Todd (NIH/CC/DCRI) [E]
Sent: Thursday, February 05, 2009 6:02 AM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Question: Is it possible to use a WMI filter to apply GPO's based on a Computer Name classification.
Greetings,
I am getting ready to start a domain consolidation project. As part of the project scope we need to evaluate the OU design in the original domain and move computer resources to the new hosting domain. As part of the migration we are asked to evaluate the number of GPOs due to the size each GPO takes to replicate. The original domain has a number of OU's for workstation types that have a GPO linked to each one. In other words it is pretty complex.
Based on my reading and limited exposure I have a working idea that if we used the computer prefix as a form of classification, and GPO filtering, I could reduce the number of GPO's that are assigned based on type.
I also feel that by using additional WMI filters I could address the OS and possibly Hardware differences with the need to create to many classifications.
The end result would be to host as many Workstation Types in a single OU, link all the workstation GPO's to the container, and use WMI filtering of the computer name as the qualifier for applying the GPO.
Do you all think this feasible and practical?
Thanks,
________________________________
*NOTICE: This e-mail message is for the sole use of the intended recipient(s) and may contain certain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by e-mail and delete all copies of the original message. - Copyright (c) 2009 Levittown Public Schools - All rights reserved.
| | | |
|
|