Recipe 5.11 Linking a GPO to an OU

5.11.1 Problem

You want to apply the settings in a GPO to the users and/or computers within an OU, also known as linking the GPO to the OU.

5.11.2 Solution

5.11.2.1 Using a graphical user interface
  1. Open the Group Policy Management (GPMC) snap-in.

  2. Expand Forest in the left pane.

  3. Expand Domain and navigate down to the OU in the domain you want to link the GPO to.

  4. Right-click on the OU and select either Create and Link a GPO Here (if the GPO does not already exist) or Link an Existing GPO (if you have already created the GPO).

5.11.2.2 Using VBScript
' This code links a GPO to an OU in the specified domain
' ------ SCRIPT CONFIGURATION ------
strDomainDN = "<DomainDN>"   ' e.g. dc=rallencorp,dc=com
strGPO      = "<GPOName>"    ' e.g. WorkstationsGPO
strOUDN     = "<OrgUnitDN>"  ' e.g. ou=Workstations,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

strBaseDN  =  "<LDAP://cn=policies,cn=system,dc=" & strDomainDN & ">;"
strFilter  = "(&(objectcategory=grouppolicycontainer)" & _
               "(objectclass=grouppolicycontainer)" & _
               "(displayname=" & strGPO & "));"
strAttrs   = "ADsPath;"
strScope   = "OneLevel"

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBaseDN & strFilter & strAttrs & strScope)
if objRS.EOF <> TRUE then
   objRS.MoveFirst
end if

if objRS.RecordCount = 1 then
   strGPOADsPath = objRS.Fields(0).Value
   WScript.Echo "GPO Found: " & strGPOADsPath
elseif objRS.RecordCount = 0 then
   WScript.Echo "Did not founding matching GPO for: " & strGPO
   Wscript.Quit
elseif objRS.RecordCount > 1 then
   WScript.Echo "More than 1 GPO found matching: " & strGPO
   Wscript.Quit
end if

set objOU = GetObject("LDAP://" & strOUDN)

on error resume next
strGPLink = objOU.Get("gpLink")
if Err.Number then
   if Err.Number <> -2147463155 then  
      WScript.Echo "Fatal error while retrieving gpLink attribute: " & _
                    Err.Description
      Wscript.Quit
   end if
end if 
on error goto 0

objOU.Put "gpLink", strGPLink & "[" & strGPOADsPath & ";0]"
objOU.SetInfo
WScript.Echo "GPO successfully linked"

5.11.3 Discussion

The GPOs that are linked to an OU are stored in the gpLink attribute of the OU. The format of the gpLink attribute is kind of strange, so you have to be careful when programmatically or manually setting that attribute. Since multiple GPOs can be linked to an OU, the gpLink attribute has to store multiple values; unfortunately, it does not store them as you might expect in a multivalued attribute. Instead, the links are stored as part of the single-valued gpLink attribute. The ADsPath of each linked GPO is concatenated into a string, with each enclosed in square brackets. The ADsPath for each GPO is followed by ;0 to signify the link is enabled or ;1 to signify the link is disabled. Here is an example gpLink with two GPOs linked:

[LDAP://cn={6491389E-C302-418C-8D9D-
BB24E65E7507},cn=policies,cn=system,DC=rallencorp,DC=com;0][LDAP://cn={6AC1786C-016F-
11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=rallencorp,DC=com;0]

A much better VBScript solution for linking GPOs is described in Recipe 9.12, which uses the GPMC APIs.

5.11.4 See Also

Introduction in Chapter 9 for more information on GPMC, and MS KB 248392 (Scripting the Addition of Group Policy Links)



    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List