Univention Bugzilla – Bug 47915
Assign GPOs to computer rooms / Move computer objects to OUs
Last modified: 2020-07-21 13:26:45 CEST
A school customer separates their Windows clients in computer rooms. Now they want to assign various (non-compatible) GPOs to those rooms, but the rooms are not available in the Group Policy Management Tool because GPOs can only be assigned to OUs. The customer would have to create a new OU and move their computer objects there to be able to assign GPOs to the rooms.

It would be nice if there was a feature (UCRV controlled?) that created OUs for the computer rooms, thus allowing for group policy assignment.

Currently the computers are saved at
LDAP Base -> school OU -> computers (CN)

Since containers below OUs inherit GPOs, we could change the LDAP layout as follows, for example, allowing for GPO assignment based on computer rooms:

Client with no room assignment:
LDAP Base -> school OU -> computers (CN) -> client A
LDAP Base -> school OU -> computers (CN) -> client B

Client with room assignment:
LDAP Base -> school OU -> computer rooms OU -> room 1 OU -> computers (CN) -> client A
LDAP Base -> school OU -> computer rooms OU -> room 2 OU -> computers (CN) -> client B
IMHO we should start creating the whole structure underneath the school OUs as organizational units instead of simple containers. This would make GPO management much easier, but we somehow have to migrate existing installations, then.

On the other hand: GPOs can be limited to certain groups with the feature "Security Filtering". And computer rooms are just that (groups). So it should be possible to link all GPOs for all computer rooms to the school OU (or even the LDAP base), but then use the Security Filtering to apply certain GPOs only to certain groups.
(In reply to Michael Grandjean from comment #1)
> IMHO we should start creating the whole structure underneath the school OUs
> as organizational units instead of simple containers. This would make GPO
> management much easier, but we somehow have to migrate existing
> installation, then.
>
> On the other hand: GPOs can be limited to certain groups with the feature
> "Security Filtering". And computerrooms are just that (groups). So it should
> be possible to link all GPOs for all computerrooms to the school OU (or even
> the LDAP base), but then use the Security Filtering to apply certain GPOs
> only to certain groups.

Thanks for the hint towards Security Filtering. That's indeed a nice workaround.

In case there are no technical reasons not to switch from CNs to OUs, I'd still support the idea because, just like you pointed out, the OU structure in the Group Policy Manager is much more intuitive.
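The Security Filtering workaround discussed in the comments above, sketched as an added example that is not part of the original bug report or of UCS@school. It assumes a domain-joined Windows machine with the RSAT GroupPolicy module; the school OU DN, the GPO names and the room group names are hypothetical placeholders.

```powershell
# Added example: link per-room GPOs to the school OU and restrict each one
# to its computer room group via Security Filtering.
# All names below are hypothetical placeholders, not values from the bug report.
Import-Module GroupPolicy

$SchoolOu = 'OU=school1,DC=example,DC=org'   # hypothetical school OU DN
$RoomGpos = @{                               # GPO name -> computer room group
    'Room1-Policy' = 'school1-room1'
    'Room2-Policy' = 'school1-room2'
}

foreach ($gpoName in $RoomGpos.Keys) {
    $roomGroup = $RoomGpos[$gpoName]

    # Link the GPO to the school OU unless it is already linked there.
    $links = (Get-GPInheritance -Target $SchoolOu).GpoLinks
    if (-not ($links | Where-Object DisplayName -eq $gpoName)) {
        New-GPLink -Name $gpoName -Target $SchoolOu -LinkEnabled Yes | Out-Null
    }

    # Security Filtering: only members of the room group may apply the GPO.
    Set-GPPermission -Name $gpoName -TargetName $roomGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Downgrade the default "Authenticated Users" entry from Apply to Read.
    # Read access is kept so clients can still read the GPO; removing the
    # entry entirely is a common cause of filtered GPOs not being processed.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Verify: list every trustee that can still apply this GPO.
    # Expected result: only the room group.
    $appliers = Get-GPPermission -Name $gpoName -All |
        Where-Object Permission -eq 'GpoApply' |
        ForEach-Object { $_.Trustee.Name }
    Write-Output ("{0}: applies to {1}" -f $gpoName, ($appliers -join ', '))
}
```

A computer picks up a changed room group membership only after it restarts, so a newly filtered GPO takes effect on the next boot of the clients in that room.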
We - users of paedML Linux with UCS 4.3 - would be very interested in an OU-type implementation of rooms and classes in UCS@school.