Finally the help of IT is here

Blog of computer solutions.

Part 1.- How to apply a GPO only to workstation objects in AD.

Written by Xaus Xavier Nadal on March 20th, 2008


I woke up this morning with a solution to a problem I had long been trying to solve.

The problem is as follows:

I want to add an Active Directory group as local administrator on all the workstations in a domain, so that a team of people can manage the customers' PCs in that domain remotely, without having to know the password of the local "Administrator" user on every machine.

This can be done manually, PC by PC, if your company is not very big. With thousands of PCs, as in my case, it had to be done transparently, in a way I was sure worked and that did not affect the security of the system. That is, I could not simply create a GPO and apply it to all computer objects in the domain, because it would also apply to the servers.

Solution, part 1:

Create 2 Organizational Units, for example: Servers and Workstations

Run an LDAP query that returns only the servers. How?


This query returns all the computers whose operating system contains the word "server", joined with those whose operating system contains the words "Windows NT".

Once the query has run, we only have to move the listed servers into the Servers OU and everything else into Workstations, by selecting them all and right-clicking to move.

Now we can rest assured that a group policy applied to the Workstations OU will only apply to client (non-server) operating systems. (Check which server operating systems your LDAP query excludes: if your servers run Linux, OpenVMS or AS400, make sure they are covered by the query. Windows domain policies could not be applied to them anyway, but just in case.)

In the next installment I will explain the policy to apply to this OU in order to add an Active Directory group as local administrator on all the domain workstations...

\* If your company runs Windows NT Workstation, you will have to find out the version of your Windows NT servers and modify the LDAP query above accordingly.

\*\* All new computers joined to our domain will be placed in the default Computers container, to which you cannot apply policies directly. We will have to move them to their respective OU manually, or with a script that checks whether each one is a workstation or a server and moves it to the corresponding OU.

\*\*\* In Windows Vista, domain policies are applied directly. You do not need to alter the policy for it to be replicated to all computers.
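One way to write the LDAP filter described above and the sorting script mentioned in the second note, as an added PowerShell example that is not the author's original query or script. It assumes the ActiveDirectory module (RSAT) and placeholder DNs under `DC=example,DC=com`; the helper `Get-TargetOU` is hypothetical, and unlike the post it leaves non-Windows or unknown operating systems unmoved instead of sending them to Workstations.

```powershell
# Added example: not the query or script from the original post.
# Assumes the ActiveDirectory module (RSAT); all DNs are placeholders.
Import-Module ActiveDirectory

$ServersOU      = 'OU=Servers,DC=example,DC=com'
$WorkstationsOU = 'OU=Workstations,DC=example,DC=com'
$NewComputers   = 'CN=Computers,DC=example,DC=com'   # default container for newly joined machines

# Filter matching the post's description: operatingSystem contains "Server"
# OR contains "Windows NT" (AD compares this attribute case-insensitively).
$ServerFilter = '(&(objectCategory=computer)(|(operatingSystem=*Server*)(operatingSystem=*Windows NT*)))'

function Get-TargetOU {
    param([string]$OperatingSystem)
    # Empty or non-Windows values (Linux, OpenVMS, AS400 ...) are never
    # auto-classified, so they cannot land in Workstations by default.
    if ($OperatingSystem -notmatch '^Windows') { return $null }
    # Note: "Windows NT" also matches NT Workstation; adjust if you still run it.
    if ($OperatingSystem -match 'Server|Windows NT') { return $ServersOU }
    return $WorkstationsOU
}

# 1. Review what the filter classifies as a server before moving anything.
Get-ADComputer -LDAPFilter $ServerFilter -Properties operatingSystem |
    Select-Object Name, operatingSystem, DistinguishedName

# 2. Sort machines that are still in the default container. Domain controllers
#    live in their own OU, outside this search base, and are not touched.
Get-ADComputer -Filter * -SearchBase $NewComputers -SearchScope OneLevel -Properties operatingSystem |
    ForEach-Object {
        $target = Get-TargetOU $_.operatingSystem
        if ($target) {
            # -WhatIf only reports the move; remove it after checking the output.
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $target -WhatIf
        } else {
            Write-Warning "Not moved, classify by hand: $($_.Name) [$($_.operatingSystem)]"
        }
    }
```

Run on a schedule, this keeps newly joined machines from sitting in the default container, where the Workstations GPO would not reach them.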


One Response to "Part 1.- How to apply a GPO only to workstation objects in AD."

  1. July Says:

    Hello good day.

    I do not know if you can help me solve a problem I have. I want to apply policies to the computers I have in the network; all my computers are in the domain. When I create a group policy and apply it on the local computer it does work, but when I join the domain and want to apply it, it does not let me ...

    Can you help me, or do you know what I can do to apply the policies ...

    Please ... I would greatly appreciate it.
