Recipe 9.12 Creating a GPO Link to an OU

9.12.1 Problem

You want to apply the GPO settings to the users and/or computers in an OU. This is called linking a GPO to an OU.

9.12.2 Solution

9.12.2.1 Using a graphical user interface
  1. Open the GPMC snap-in.

  2. In the left pane, expand the Forest container, expand the Domains container, and browse to the target domain.

  3. Right-click on the OU you want to link and select Link an Existing GPO.

  4. Select from the list of available GPOs and click OK.

9.12.2.2 Using VBScript
' This code links a GPO to an OU
' ------ SCRIPT CONFIGURATION ------
strGPO     = "<GPOName>"        ' e.g. Sales GPO
strDomain  = "<DomainDNSName>"  ' e.g. rallencorp.com
strOU      = "<OrgUnitDN>"      ' e.g. ou=Sales,dc=rallencorp,dc=com
intLinkPos = -1 ' set this to the position at which the GPO link is evaluated;
                ' a value of -1 signifies appending it to the end of the list
' ------ END CONFIGURATION ---------

set objGPM = CreateObject("GPMgmt.GPM")
set objGPMConstants = objGPM.GetConstants( )
  
' Initialize the Domain object
set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC)

' Find the specified GPO
set objGPMSearchCriteria = objGPM.CreateSearchCriteria
objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, _
                         objGPMConstants.SearchOpEquals, cstr(strGPO)
set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria)
if objGPOList.Count = 0 then
   WScript.Echo "Did not find GPO: " & strGPO
   WScript.Echo "Exiting."
   WScript.Quit
elseif objGPOList.Count > 1 then
   WScript.Echo "Found more than one matching GPO. Count: " & _
                objGPOList.Count
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName
end if

' Find the specified OU
set objSOM = objGPMDomain.GetSOM(strOU)
if IsNull(objSOM) then
   WScript.Echo "Did not find OU: " & strOU
   WScript.Echo "Exiting."
   WScript.Quit
else
   WScript.Echo "Found OU: " & objSOM.Name
end if

on error resume next

set objGPMLink = objSOM.CreateGPOLink( intLinkPos, objGPOList.Item(1) )

if Err.Number <> 0 then
   WScript.Echo "There was an error creating the GPO link."
   WScript.Echo "Error: " & Err.Description
else        
   WScript.Echo "Successfully linked GPO to OU"
end if

9.12.3 Discussion

Linking a GPO is the process whereby you assign it to a scope of management (SOM), which can be an OU, site, or domain. The solutions show how to link a GPO to an OU, but they could be easily modified to link to a site or domain.

See Recipe 5.11 for details on how to link a GPO to an OU by modifying the gpLink attribute, instead of using the GPMC interface.
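
A GPO link is stored in the gpLink attribute of the OU, so reading that attribute back is one way to review which GPOs are linked there. The following Python sketch is an added example, not code from this book; it assumes the `[LDAP://<GPO DN>;<options>]` value format (options bit 0 = link disabled, bit 1 = enforced), and the GUIDs, sample value, and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# One gpLink entry: [LDAP://cn={GUID},cn=policies,cn=system,DC=...;N]
LINK_RE = re.compile(r"\[LDAP://(?P<dn>[^;\]]+);(?P<opts>\d+)\]", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample value (GUIDs are made up; the domain is the book's example).
_SUFFIX = ",cn=policies,cn=system,DC=rallencorp,DC=com"
SAMPLE_GPLINK = (
    "[LDAP://cn={11111111-2222-3333-4444-555555555555}" + _SUFFIX + ";0]"
    "[LDAP://cn={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}" + _SUFFIX + ";2]"
    "[LDAP://cn={99999999-8888-7777-6666-555555555555}" + _SUFFIX + ";1]"
)

@dataclass(frozen=True)
class GpoLink:
    gpo_dn: str
    gpo_guid: str   # upper-cased, braces included
    disabled: bool  # options bit 0
    enforced: bool  # options bit 1

def parse_gplink(value):
    """Return the links in a gpLink string, in the order they are stored."""
    text = (value or "").strip()   # an OU with no links may hold an empty or blank value
    links, consumed = [], 0
    for m in LINK_RE.finditer(text):
        guid = GUID_RE.search(m["dn"])
        if guid is None:
            raise ValueError("link without a GPO GUID: " + m.group(0))
        opts = int(m["opts"])
        links.append(GpoLink(m["dn"], guid.group(0).upper(),
                             bool(opts & 1), bool(opts & 2)))
        consumed += len(m.group(0))
    if consumed != len(text):      # refuse to silently skip malformed entries
        raise ValueError("unparsed data in gpLink value")
    return links

def unexpected_links(value, approved_guids):
    """Active (not disabled) links whose GPO GUID is not on the approved list."""
    approved = {g.upper() for g in approved_guids}
    return [l for l in parse_gplink(value)
            if not l.disabled and l.gpo_guid not in approved]

if __name__ == "__main__":
    for link in unexpected_links(SAMPLE_GPLINK,
                                 ["{11111111-2222-3333-4444-555555555555}"]):
        print("Unapproved link:", link.gpo_guid, "enforced:", link.enforced)
```
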

9.12.3.1 Using VBScript

To link a GPO, I first have to find the target GPO. I use a GPMSearchCriteria object to find the GPO whose display name equals the one specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If zero or more than one are returned, I abort the script. If only one GPO was returned, I instantiate a GPMSOM object by passing the name of the OU to be linked to the GPMDomain.GetSOM method. Once I instantiate this object, I can call GPMSOM.CreateGPOLink to create a GPO link to the OU.

9.12.4 See Also

MS KB 248392 (Scripting the Addition of Group Policy Links) and MSDN: GPMSOM.CreateGPOLink
