A lot of the work I do around Active Directory and Azure AD is for our OneMTC.net environment used by our global Microsoft Technology Centers. It is built around a number of region-based organizational units which then have child OUs for each MTC.
The requirement was to create a number of GPOs for each MTC which could then be modified by the local administrator of the MTC. To do this I created two template GPOs with most of the basic settings which I then just needed to copy to a new, per-MTC GPO instance then link to the GPO. This was very easy with PowerShell and the GroupPolicy module.
I also had already created the GPOs for a couple of MTCs so wanted to skip creating the objects for them. In the PowerShell below you can see I have a variable for the top-level of the MTC and then an array of the top level regional OUs. From there I have the names of the GPO templates and an array of the MTCs to skip. At that point I just enumerate for OUs, copy the GPOs and link the new per-instance GPO to the OU.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
Import-Module GroupPolicy $RootDomain = "DC=onemtc,DC=net" $TopLevelRegions = "APAC","EMEA","NA" $WSUSConfigTemplateName = "WSUS Configuration" $AdminTemplateName = "MTC Admins Template" $MTCsToSkip = "DAL","ATL","DEN","MPLS" foreach($TopLevelRegion in $TopLevelRegions) { $MTCOUs = Get-ADOrganizationalUnit -filter * -searchbase "OU=$TopLevelRegion,$RootDomain" -SearchScope OneLevel -Properties Name, Description foreach($MTCOU in $MTCOUs) { $MTCCode = $MTCOU.Name.Substring(3) if($MTCsToSkip -notcontains $MTCCode) { Write-Output "Creating GPOs and linking for MTC $MTCCode" #Copy the two templates to the new names Copy-GPO -SourceName $AdminTemplateName -TargetName "$MTCCode Admins" Copy-GPO -SourceName $WSUSConfigTemplateName -TargetName "$MTCCode WSUS Config" #Link the GPOs to the OU New-GPLink -Name "$MTCCode Admins" -Target $MTCOU.DistinguishedName New-GPLink -Name "$MTCCode WSUS Config" -Target $MTCOU.DistinguishedName } } } |