A lot of the work I do around Active Directory and Azure AD is for our OneMTC.net environment used by our global Microsoft Technology Centers. It is built around a number of region-based organizational units which then have child OUs for each MTC.
The requirement was to create a number of GPOs for each MTC which could then be modified by the local administrator of the MTC. To do this I created two template GPOs with most of the basic settings which I then just needed to copy to a new, per-MTC GPO instance then link to the GPO. This was very easy with PowerShell and the GroupPolicy module.
I had also already created the GPOs for a couple of MTCs, so I wanted to skip creating the objects for them. In the PowerShell below you can see I have a variable for the top level of the MTC and then an array of the top-level regional OUs. From there I have the names of the GPO templates and an array of the MTCs to skip. At that point I just enumerate the OUs, copy the GPOs, and link the new per-instance GPO to the OU.
```powershell
# Get-ADOrganizationalUnit comes from the ActiveDirectory module
Import-Module ActiveDirectory
Import-Module GroupPolicy

$RootDomain = "DC=onemtc,DC=net"
$TopLevelRegions = "APAC","EMEA","NA"
$WSUSConfigTemplateName = "WSUS Configuration"
$AdminTemplateName = "MTC Admins Template"
$MTCsToSkip = "DAL","ATL","DEN","MPLS"

foreach($TopLevelRegion in $TopLevelRegions)
{
    # Only the direct child OUs of each region, one per MTC
    $MTCOUs = Get-ADOrganizationalUnit -Filter * -SearchBase "OU=$TopLevelRegion,$RootDomain" -SearchScope OneLevel -Properties Name, Description

    foreach($MTCOU in $MTCOUs)
    {
        # The MTC code is the OU name without its first three characters
        $MTCCode = $MTCOU.Name.Substring(3)

        if($MTCsToSkip -notcontains $MTCCode)
        {
            Write-Output "Creating GPOs and linking for MTC $MTCCode"

            #Copy the two templates to the new names
            Copy-GPO -SourceName $AdminTemplateName -TargetName "$MTCCode Admins"
            Copy-GPO -SourceName $WSUSConfigTemplateName -TargetName "$MTCCode WSUS Config"

            #Link the GPOs to the OU
            New-GPLink -Name "$MTCCode Admins" -Target $MTCOU.DistinguishedName
            New-GPLink -Name "$MTCCode WSUS Config" -Target $MTCOU.DistinguishedName
        }
    }
}
```
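The stated requirement is that each MTC's local administrator can modify that MTC's GPOs, and `Copy-GPO` without `-CopyAcl` leaves the copies with the default ACL. The following is an added example, not part of the original script: it grants edit-only rights on each per-MTC GPO to a per-MTC admin group and reports existence, link state, and every trustee with edit rights. The `MTC-<code>-Admins` group naming is an assumption made for illustration.

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$RootDomain      = "DC=onemtc,DC=net"
$TopLevelRegions = "APAC","EMEA","NA"
$GpoSuffixes     = "Admins","WSUS Config"   # suffixes used by the script above

function Get-MTCAdminGroupName {
    param([string]$MTCCode)
    # ASSUMPTION: hypothetical naming convention for each MTC's local admin group
    "MTC-$MTCCode-Admins"
}

$Report = foreach ($TopLevelRegion in $TopLevelRegions) {
    $MTCOUs = Get-ADOrganizationalUnit -Filter * -SearchBase "OU=$TopLevelRegion,$RootDomain" -SearchScope OneLevel
    foreach ($MTCOU in $MTCOUs) {
        $MTCCode    = $MTCOU.Name.Substring(3)
        $AdminGroup = Get-MTCAdminGroupName -MTCCode $MTCCode
        # Display names of the GPOs linked directly to this OU
        $LinkedGpos = (Get-GPInheritance -Target $MTCOU.DistinguishedName).GpoLinks.DisplayName

        foreach ($Suffix in $GpoSuffixes) {
            $GpoName = "$MTCCode $Suffix"
            if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
                # Report the gap instead of failing, so one missing GPO does not stop the run
                [pscustomobject]@{ MTC = $MTCCode; Gpo = $GpoName; Exists = $false; Linked = $false; Editors = "" }
                continue
            }

            # GpoEdit lets the group change settings but not delete the GPO or alter its
            # security; without -Replace an existing higher permission is left untouched
            Set-GPPermission -Name $GpoName -TargetName $AdminGroup -TargetType Group -PermissionLevel GpoEdit | Out-Null

            # List every trustee that can edit, to catch unexpected delegations
            $Editors = Get-GPPermission -Name $GpoName -All |
                Where-Object { $_.Permission.ToString() -in "GpoEdit","GpoEditDeleteModifySecurity" } |
                ForEach-Object { $_.Trustee.Name }

            [pscustomobject]@{
                MTC     = $MTCCode
                Gpo     = $GpoName
                Exists  = $true
                Linked  = $LinkedGpos -contains $GpoName
                Editors = $Editors -join "; "
            }
        }
    }
}

$Report | Sort-Object MTC, Gpo | Format-Table -AutoSize
```

Rows with `Linked` set to `False`, or with a trustee in `Editors` other than the expected group and the default administrative principals, are the ones to review.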