You want to apply the GPO settings to the users and/or computers in an OU. This is called linking a GPO to an OU.
Open the GPMC snap-in.
In the left pane, expand the Forest container, expand the Domains container, and browse to the target domain.
Right-click on the OU you want to link and Link an Existing GPO.
Select from the list of available GPOs and click OK.
' This code links a GPO to an OU ' ------ SCRIPT CONFIGURATION ------ strGPO = "<GPOName>" ' e.g. Sales GPO strDomain = "<DomainDNSName>" ' e.g. strOU = "<OrgUnitDN>" ' e.g. ou=Sales,dc=rallencorp,dc=com intLinkPos = -1 ' set this to the position the GPO evaluated at ' a value of -1 signifies appending it to the end of the list ' ------ END CONFIGURATION --------- set objGPM = CreateObject("GPMgmt.GPM") set objGPMConstants = objGPM.GetConstants( ) ' Initialize the Domain object set objGPMDomain = objGPM.GetDomain(strDomain, "", objGPMConstants.UseAnyDC) ' Find the specified GPO set objGPMSearchCriteria = objGPM.CreateSearchCriteria objGPMSearchCriteria.Add objGPMConstants.SearchPropertyGPODisplayName, objGPMConstants.SearchOpEquals, cstr(strGPO) set objGPOList = objGPMDomain.SearchGPOs(objGPMSearchCriteria) if objGPOList.Count = 0 then WScript.Echo "Did not find GPO: " & strGPO WScript.Echo "Exiting." WScript.Quit elseif objGPOList.Count > 1 then WScript.Echo "Found more than one matching GPO. Count: " & _ objGPOList.Count WScript.Echo "Exiting." WScript.Quit else WScript.Echo "Found GPO: " & objGPOList.Item(1).DisplayName end if ' Find the specified OU set objSOM = objGPMDomain.GetSOM(strOU) if IsNull(objSOM) then WScript.Echo "Did not find OU: " & strOU WScript.Echo "Exiting." WScript.Quit else WScript.Echo "Found OU: " & objSOM.Name end if on error resume next set objGPMLink = objSOM.CreateGPOLink( intLinkPos, objGPOList.Item(1) ) if Err.Number <> 0 then WScript.Echo "There was an error creating the GPO link." WScript.Echo "Error: " & Err.Description else WScript.Echo "Sucessfully linked GPO to OU" end if
Linking a GPO is the process whereby you assign a SOM, which can be an OU, site, or domain. The solutions show how to link a GPO to an OU, but they could be easily modified to link to a site or domain.
See Recipe 5.11 for details on how to link an OU by modifying the gpLink attribute, instead of using the GPMC interface.
To link a GPO, I first have to find the target GPO. I use a GPMSearchCriteria object to find the GPO that is equal to the display name of the GPO specified in the configuration section. I use an if elseif else conditional statement to ensure that only one GPO is returned. If zero or more than are are returned, I abort the script. If only one GPO was returned, I instantiate a GPMSOM object by passing the name of the OU to be linked to the GPMDomain.GetSOM method. Once I instantiate this object, I can call GPMSOM.CreateGPOLink to create a GPO link to the OU.
MS KB 248392 (Scripting the Addition of Group Policy Links) and MSDN: GPMSOM.CreateGPOLink