Deployment with GPOs.
Tuesday, May 22, 2012 3:58 PM
We have a problem regarding the deployment of an image via MDT and the application of security GPOs.
The problem is that our organization uses GPOs to enforce security on computers.
One of the GPOs changes the password for the local administrator when a new computer joins the domain.
We wanted to automatically join the computer, in the deployment phase, to the domain.
The computer joins the domain but after that, the deployment can no longer proceed because the administrator password has changed.
Is it possible to join the domain as the last task in the TaskSequence?
Or block the application of the GPO until the TaskSequence is finished?
Gilbert Voyer Montréal
All Replies
Tuesday, May 22, 2012 4:39 PM
I keep meaning to write a post on this. The process goes as follows:
- Create an OU that blocks GPO inheritance
- Use this OU as a staging OU for your computers during builds (here they will be immune from Group Policy), e.g. in the custom settings add this line:
  MachineObjectOU=OU=BuildArea,OU=Scriptimus,DC=Machina,DC=com
  (only for new computers, this will not move existing computers)
- As the last task sequence step, move the computers to the correct OU (via custom script)
Blog: http://scriptimus.wordpress.com/
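The last step of the process above (moving the computer out of the staging OU) could look like the following PowerShell script. It is an added example, not the script from the reply, and the task sequence variables `TargetOU`, `MoveOUUser` and `MoveOUPassword` are hypothetical names for values you would define yourself.

```powershell
# Added example: move this computer's AD object out of the staging OU.
# Assumptions: TargetOU, MoveOUUser and MoveOUPassword are hypothetical custom
# task sequence variables; the account is delegated only to move computer objects.
$ErrorActionPreference = 'Stop'

# Read values from the running task sequence rather than hardcoding them in the script.
$tsenv    = New-Object -ComObject Microsoft.SMS.TSEnvironment
$targetOU = $tsenv.Value('TargetOU')        # full DN of the destination OU
$user     = $tsenv.Value('MoveOUUser')
$password = $tsenv.Value('MoveOUPassword')

if (-not $targetOU -or -not $user -or -not $password) {
    throw 'TargetOU, MoveOUUser and MoveOUPassword must all be set.'
}

# The task sequence runs as the local Administrator, so bind to AD explicitly.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain
$root   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain", $user, $password)

# Find this machine's computer object by its sAMAccountName (NAME$).
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
$result = $searcher.FindOne()
if (-not $result) { throw "No computer object found for $env:COMPUTERNAME in $domain." }

# Skip the move if the object already sits directly in the target OU.
$currentDN = [string]$result.Properties['distinguishedname'][0]
if ($currentDN -eq "CN=$env:COMPUTERNAME,$targetOU") {
    Write-Output "Already in target OU: $currentDN"
    return
}

# Bind both objects with the same delegated credentials and move the computer.
$computer    = New-Object System.DirectoryServices.DirectoryEntry($result.Path, $user, $password)
$destination = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$domain/$targetOU", $user, $password)
$computer.psbase.MoveTo($destination)
Write-Output "Moved $currentDN to $targetOU"
```

Once the object leaves the staging OU the password-changing GPO applies at the next policy refresh, so no later task sequence step should depend on the original local administrator password.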

