A new project came up for me that involved rebuilding our System Center Configuration Manager servers. Being a small environment, our Config Mgr server hosts our WSUS role. Once that server was up and running, my next task was to switch over all our clients to the new server. The existing group policy objects weren't best practice and didn't meet our organization's requirements. Initially I was planning on reusing the old objects but decided to just scrap them. The first step was to remove the links using commands similar to this:
Remove-GPLink -Name "WSUS-OldPolicy" -Target "OU=TargetOU,DC=domain,DC=com"
I ended up copying this line and changing the Target for each OU I wanted to remove it from. I also could have read a csv full of the OUs if there was going to be a lot. I had issues with the Target syntax that I couldn't seem to figure out. I ended up opening the properties of the OU in ADUC and viewing the distinguishedName.
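The CSV approach mentioned above, as an added example that is not code from the original post. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed; the function name, the "DistinguishedName" column name and the second OU are hypothetical, and the sample CSV is constructed inline. Each DN is validated before any link is touched, and the first run is a dry run.

```powershell
# Added example: requires the GroupPolicy and ActiveDirectory RSAT modules.
Import-Module GroupPolicy, ActiveDirectory

$GpoName = 'WSUS-OldPolicy'

# Constructed sample input; in practice: $rows = Import-Csv .\ous.csv
# The "DistinguishedName" column name is an assumption of this example.
# DNs contain commas, so each value must be quoted in the CSV.
$rows = @'
DistinguishedName
"OU=TargetOU,DC=domain,DC=com"
"OU=Workstations,DC=domain,DC=com"
'@ | ConvertFrom-Csv

function Remove-GpoLinkFromOus {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Target
    )
    foreach ($dn in $Target) {
        # Catch malformed DNs (e.g. "." instead of ",") before touching any link.
        try {
            $null = Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop
        } catch {
            Write-Warning "Skipping '$dn': not a valid OU ($($_.Exception.Message))"
            continue
        }
        # Only act where the GPO is linked directly to this OU.
        $linked = (Get-GPInheritance -Target $dn).GpoLinks |
            Where-Object DisplayName -eq $Name
        if (-not $linked) {
            Write-Verbose "'$Name' is not linked to '$dn'"
            continue
        }
        if ($PSCmdlet.ShouldProcess($dn, "Remove link to GPO '$Name'")) {
            Remove-GPLink -Name $Name -Target $dn
        }
    }
}

# Dry run first; drop -WhatIf once the output lists only the OUs you expect.
Remove-GpoLinkFromOus -Name $GpoName -Target $rows.DistinguishedName -WhatIf -Verbose
```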
If I wanted to remove the policy completely I could have run:
Remove-GPO -Name "WSUS-OldPolicy"
I typically don't delete policies right away so I'll save that for later. Running the Remove-GPO cmdlet will also remove the links.
The next step was to create a new policy.
New-GPO -Name "WSUS-NewPolicy"
Once the policy is created you can link it to the OU that needs it.
New-GPLink -Name "WSUS-NewPolicy" -Target "OU=TargetOU,DC=domain,DC=com"
A shorthand that combines the two commands, when the GPO only needs to be linked in one place, would be:
New-GPO -Name "WSUS-NewPolicy" | New-GPLink -Target "OU=TargetOU,DC=domain,DC=com"
Now that the GPO has been created and linked, you can edit it to the configuration you want.
*Note: I typically don't link GPOs until after they have been configured. Then I link them to my test OU and test them. Only after those steps do I finally link them to production OUs, and I typically start with a couple of lower-priority ones, then link it to all production OUs.