Recipe 5.11 Linking a GPO to an OU

5.11.1 Problem

You want to apply the settings in a GPO to the users and/or computers within an OU, also known as linking the GPO to the OU.

5.11.2 Solution

Using a graphical user interface
  1. Open the Group Policy Management (GPMC) snap-in.

  2. Expand Forest in the left pane.

  3. Expand Domain and navigate down to the OU in the domain you want to link the GPO to.

  4. Right-click on the OU and select either Create and Link a GPO Here (if the GPO does not already exist) or Link an Existing GPO (if you have already created the GPO).

Using VBScript

' This code links a GPO to an OU in the specified domain
' ------ SCRIPT CONFIGURATION ------
strDomainDN = "<DomainDN>"   ' e.g. dc=rallencorp,dc=com
strGPO      = "<GPOName>"    ' e.g. WorkstationsGPO
strOUDN     = "<OrgUnitDN>"  ' e.g. ou=Workstations,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

' Look up the GPO by display name in the domain's Policies container.
' strDomainDN already carries its own dc= components, so it is appended as is.
strBaseDN  = "<LDAP://cn=policies,cn=system," & strDomainDN & ">;"
strFilter  = "(&(objectcategory=grouppolicycontainer)" & _
               "(objectclass=grouppolicycontainer)" & _
               "(displayname=" & strGPO & "));"
strAttrs   = "ADsPath;"
strScope   = "OneLevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBaseDN & strFilter & strAttrs & strScope)
if objRS.EOF <> TRUE then
   objRS.MoveFirst
end if

' Continue only if exactly one GPO matches the display name
if objRS.RecordCount = 1 then
   strGPOADsPath = objRS.Fields(0).Value
   WScript.Echo "GPO Found: " & strGPOADsPath
elseif objRS.RecordCount = 0 then
   WScript.Echo "Did not find matching GPO for: " & strGPO
   Wscript.Quit
elseif objRS.RecordCount > 1 then
   WScript.Echo "More than 1 GPO found matching: " & strGPO
   Wscript.Quit
end if

' Read the OU's current gpLink value, if it has one
set objOU = GetObject("LDAP://" & strOUDN)
on error resume next
strGPLink = objOU.Get("gpLink")
if Err.Number then
   ' -2147463155 (0x8000500D) means the attribute is not set on the OU;
   ' any other error is fatal
   if Err.Number <> -2147463155 then
      WScript.Echo "Fatal error while retrieving gpLink attribute: " & _
                    Err.Description
      Wscript.Quit
   end if
end if
on error goto 0

' Append the new link, enabled (;0), to the existing value
objOU.Put "gpLink", strGPLink & "[" & strGPOADsPath & ";0]"
objOU.SetInfo
WScript.Echo "GPO successfully linked"

5.11.3 Discussion

The GPOs that are linked to an OU are stored in the gpLink attribute of the OU. The format of the gpLink attribute is unusual, so you have to be careful when setting it programmatically or manually. Since multiple GPOs can be linked to an OU, the gpLink attribute has to store multiple values; unfortunately, it does not store them as you might expect in a multivalued attribute. Instead, the links are stored as part of the single-valued gpLink attribute. The ADsPath of each linked GPO is concatenated into a string, with each enclosed in square brackets. The ADsPath for each GPO is followed by ;0 to signify the link is enabled or ;1 to signify the link is disabled. Here is an example gpLink with two GPOs linked:

[LDAP://cn={6491389E-C302-418C-8D9D-BB24E65E7507},cn=policies,cn=system,DC=rallencorp,DC=com;0][LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=rallencorp,DC=com;0]

A much better VBScript solution for linking GPOs is described in Recipe 9.12, which uses the GPMC APIs.
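
The gpLink format described in this Discussion can be parsed and validated before a new link is written. The Python below is an added example, not code from the book: the function names parse_gplink and add_link are hypothetical, and the GPO GUID used in any new link is whatever the caller supplies. Unlike the VBScript above, it refuses to append a GPO that is already linked and rejects a value that is not a clean run of bracketed links.

```python
import re

# One link as the Discussion describes it: [<GPO ADsPath>;<flag>]
LINK_RE = re.compile(r"\[LDAP://([^;\[\]]+);(\d+)\]", re.IGNORECASE)

# The two-GPO gpLink value shown in the Discussion above.
SAMPLE = (
    "[LDAP://cn={6491389E-C302-418C-8D9D-BB24E65E7507},"
    "cn=policies,cn=system,DC=rallencorp,DC=com;0]"
    "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},"
    "cn=policies,cn=system,DC=rallencorp,DC=com;0]"
)


def parse_gplink(value):
    """Return [(gpo_dn, flag), ...] in stored order; raise on stray text."""
    value = (value or "").strip()
    links, pos = [], 0
    for m in LINK_RE.finditer(value):
        if m.start() != pos:  # text between two bracketed links is corruption
            break
        links.append((m.group(1), int(m.group(2))))
        pos = m.end()
    if pos != len(value):
        raise ValueError("malformed gpLink at offset %d" % pos)
    return links


def add_link(value, gpo_dn, flag=0):
    """Append a link (flag 0 = enabled, 1 = disabled) unless already present."""
    if re.search(r"[;\[\]]", gpo_dn):
        raise ValueError("GPO DN contains a gpLink delimiter")
    current = (value or "").strip()
    links = parse_gplink(current)
    if any(dn.lower() == gpo_dn.lower() for dn, _ in links):
        return current  # already linked: leave the value unchanged
    return current + "[LDAP://%s;%d]" % (gpo_dn, flag)


if __name__ == "__main__":
    for dn, flag in parse_gplink(SAMPLE):
        print("enabled " if flag == 0 else "flag=%d" % flag, dn)
```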

5.11.4 See Also

Introduction in Chapter 9 for more information on GPMC, and MS KB 248392 (Scripting the Addition of Group Policy Links)

Active Directory Cookbook
Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
EAN: 2147483647
Year: 2006
Pages: 456