Finally the help of IT is here

Blog of computer solutions.

Part 1: How to apply a GPO only to workstation objects in AD.

Written by Xaus Xavier Nadal on March 20th, 2008

I woke up this morning with a solution to a problem I had long been trying to solve.

The problem is as follows:

I want to add an Active Directory group as a local administrator on all workstation computers in a domain, so that a team of people can remotely manage the customers' PCs in that domain without having to know the local "administrator" password of every machine.

This can be done manually, PC by PC, if your company is not very large. But when we are talking about thousands of PCs, as in my case, I needed to do it in a transparent way that I was sure would work and that would not affect the security of the system. That is, I could not create a GPO and apply it to all the computer objects in the domain, because it would also be applied to the servers.

Part 1 of the solution:

Create two Organizational Units, for example: Servers and Workstations.

Run an LDAP query that returns only the servers. How?


With this query we get all the computers whose operating system contains the word "server", combined with those whose operating system contains the words "Windows NT".

Once the query has run, we only have to move the listed servers to the Servers OU and everything else to the Workstations OU, by selecting them all and right-clicking to move.

Now we can rest assured that a group policy applied to the Workstations OU will apply only to client (non-server) operating systems. (Check the operating systems of your servers so that none is left out of the LDAP query: if they are Linux, OpenVMS or AS400, make sure they are covered by the query. The Windows domain policy could not be applied to them anyway, but just in case.)

In the next installment I will explain which policy to apply to this OU to add an Active Directory group as a local administrator on all domain workstations.

\* For corporations with Windows NT Workstation operating systems, you will have to find out the version of your Windows NT servers and modify the LDAP query above accordingly.

\*\* All new computers joined to our domain are placed in the Computers OU, to which group policies cannot be applied. We will move them to their respective OU manually or through a script that checks whether each one is a workstation or a server and moves it to its respective OU.

\*\*\* In Windows Vista, domain policies are applied directly. You should not alter the policy that is to be replicated to all computers.
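The server query described in part 1 and the move script mentioned in the \*\* note could look like the following PowerShell. This is an added example, not the author's original query or script: it assumes the ActiveDirectory module is available, and the domain `DC=example,DC=com` and the OU paths are placeholders.

```powershell
# Added example (not from the original post). Placeholder names throughout.
Import-Module ActiveDirectory

$DomainDN       = 'DC=example,DC=com'          # placeholder domain
$SourceDN       = "CN=Computers,$DomainDN"     # where newly joined machines land
$ServersOU      = "OU=Servers,$DomainDN"
$WorkstationsOU = "OU=Workstations,$DomainDN"

# Report only: computers whose operatingSystem contains "Server"
# OR contains "Windows NT", as the post describes.
$ServerFilter = '(&(objectCategory=computer)' +
                '(|(operatingSystem=*Server*)(operatingSystem=*Windows NT*)))'
Get-ADComputer -LDAPFilter $ServerFilter -SearchBase $DomainDN -Properties operatingSystem |
    Sort-Object Name |
    Format-Table Name, operatingSystem, DistinguishedName -AutoSize

# Sort every account still sitting directly in the source container.
$computers = Get-ADComputer -Filter * -SearchBase $SourceDN -SearchScope OneLevel `
                            -Properties operatingSystem
foreach ($c in $computers) {
    $os = $c.operatingSystem

    # Accounts with no OS value (pre-staged or non-Windows) are not guessed at:
    # putting a server into Workstations would hand it the local-admin GPO.
    if ([string]::IsNullOrWhiteSpace($os)) {
        Write-Warning "$($c.Name): no operatingSystem value, left for manual review"
        continue
    }

    # -match is case-insensitive, like the LDAP substring match above.
    if ($os -match 'Server|Windows NT') {
        $target = $ServersOU
    } else {
        $target = $WorkstationsOU
    }

    # -WhatIf only prints the planned move; remove it after checking the output.
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $target -WhatIf
}
```

Servers whose operating system string contains neither "Server" nor "Windows NT" would be classified as workstations here, so extend the pattern for them first, as the post advises for the query.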


One Response to "Part 1: How to apply a GPO only to workstation objects in AD."

  1. July Says:

    Hello good day.

    I do not know if you can help me solve a problem I have. I want to apply policies to the computers I have in the network domain, which all my computers are in. When I create a group policy and apply it on the local computer, it does work, but when joining the domain and wanting to apply it, it does not let me ...

    Can you help me, or do you know how I can apply the policies ...

    Please ... I would greatly appreciate it.
