VMware Horizon Community
vheff
Enthusiast

Active Directory GPO for auto provisioned machines

Hi all,

Is it possible to apply a group policy (GPO) to VDIs that are automatically provisioned in my non-persistent pool? I've created an OU called Virtual Desktops and applied a GPO to it, but all the virtual desktops that get created end up in the default Computers container (as you would expect). There must be a way of getting these to automatically appear in my OU, or at least apply my GPO to them somehow?

11 Replies
vheff
Enthusiast

Ok, I've figured out a way of doing this. Just to recap, I wanted to do the following:

  1. Create a non-persistent pool, with 5 virtual machines to be automatically created and made available.

  2. When each virtual machine is cloned from the template, I wanted it to move into a particular OU within Active Directory so my VDI group policy settings take effect.

I thought this would be simple enough, but found it a little more complicated than I first thought. If anyone has a better method then please let me know ;)

My solution uses a VBS script in conjunction with a custom template and Sysprep.

Go to Virtualcenter client > Edit > Customization specifications:

  1. Make sure the computer name uses the virtual machine name.

  2. Run the VBS script once at logon (attached; just copy it to the C: drive of the virtual machine template).

  3. The script then moves the computer object to the desired OU, then reboots so the GPO settings take effect.

I used the script provided by Matt Broadstock at www.smsutils.com found here: but amended it to fit my requirements (see attached).

This works fine, but I wondered if anyone else has a better / different way of achieving this?

Ray

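The same move-then-reboot step the post describes, written as an added PowerShell example rather than the VBS script attached to the original post. It assumes the script runs on the cloned desktop under a domain identity that has been delegated rights to move computer objects into the target OU (a local account cannot bind to AD), and the OU distinguished name is a placeholder for your domain.

```powershell
# Added example, not the script attached to the original post.
# Runs on the freshly cloned desktop: find this machine's computer object,
# move it into the VDI OU, then reboot so the OU's machine GPOs apply.
# Assumption: caller is a domain identity delegated to move computer objects;
# the OU below is a placeholder, not a value from the thread.
$TargetOU = "OU=Virtual Desktops,DC=example,DC=local"

# Locate the computer object by sAMAccountName (computer accounts end in "$").
$name = $env:COMPUTERNAME
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$name`$))"
$hit = $searcher.FindOne()
if ($null -eq $hit) {
    throw "No computer object found for $name; is the machine domain-joined yet?"
}

$computer  = $hit.GetDirectoryEntry()
$currentDn = [string]$computer.Properties["distinguishedName"].Value

# Idempotent: a second run (for example after the reboot) must not move or reboot again.
if ($currentDn -like "*,$TargetOU") {
    Write-Output "$name is already in $TargetOU; nothing to do."
    exit 0
}

# Only the parent container changes; the object's RDN (CN=<name>) is kept.
$destination = [ADSI]"LDAP://$TargetOU"
$computer.MoveTo($destination)
Write-Output "Moved $currentDn -> $TargetOU"

# Pull the computer policies now, then reboot so startup scripts and
# computer settings bound to the new OU apply cleanly.
& gpupdate.exe /target:computer /force | Out-Null
Restart-Computer -Force
```

The "already in target OU" check is what keeps a RunOnce entry that fires again from rebooting the desktop a second time.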
Evileye
Contributor

I have tried this script in my VDM test lab and it works great.

Not sure how that extra reboot would affect a live environment where desktops are dynamically being deployed.

Specifying an OU for virtual desktop pools should be built into the product.

This would make applying Group Policy to VDM pools much easier.

patrickrouse
Enthusiast

This is one of the features we added to the GUI Sysprep Editor with our connection broker, i.e. the ability to add the computers to a specific OU so they don't need to be pre-staged or dumped into the default Computers OU. This way they get the correct machine GPOs the first time the computer object's account authenticates with AD. Our connection broker utilizes the VMware SDK to accomplish this.

Patrick Rouse

Microsoft MVP - Terminal Server

SE, Western USA & Canada

Quest Software, Provision Networks Division

(619) 994-5507

http://www.provisionnetworks.com

nkrick
Enthusiast

Sysprep Mini-Setup can place the computer in the OU that you specify. In the sysprep.inf file, in the [Identification] section, add MachineObjectOU="OU=Desktops,OU=Machines,DC=Domain,DC=local" using the proper syntax for your domain. I have not installed VC 2.5 yet, but my understanding is that in VC 2.5 you can provide a custom sysprep.inf file. This should avoid the need for any additional restarts.

Since it will be pretty standard practice for people to want to apply specific GPOs to VDIs, IMO VMware should provide the ability to set the OU directly in the Customization GUI...

Chris_S_UK
Expert

Assuming for a moment that no special mechanism is used to create/move the computer account into a different OU, I suppose you could ensure the group policy is applied even in the Computers OU by using a WMI filter for the policy, filtering on machine name starting "vdi.." or whatever your naming convention is....?

Chris

dingding
Enthusiast

The script is good, but why do we need this script? When deploying a pool, there's a setting to specify the AD container.

---- Idleness is not doing nothing. Idleness is being free to do anything.
hmartin
Enthusiast

The setting for the AD container only applies when using vComposer-enabled pools.

hmartin
Enthusiast

For whatever it's worth, here's how we did it: http://communities.vmware.com/message/1438751#1438751

dingding
Enthusiast

OK, I got it.

cconnelly
Contributor

I am trying to do this for Windows 7/2008 R2 and I am trying to utilize the method that l9nux posted, but I am confused on how the credentials work. When I add the VBS script to the Run Once section it tries to run it under the local Administrator and errors out. Is there something that I am missing?

justinsmith
Enthusiast

This script sounds perfect for my environment except for one thing.... I use the actual VM Customization with no sysprep.

I essentially just need a script to run that will move specific machines with specific characters in the computer name (We have different pools that create different computer names, so I'd like the script to move the machines based on the computer names.) for example: vdipilot0001, vdiers0001, vdimwf0001, so I'd like the script to move all vdiers machines to a specific OU.... is this doable? Would I need the script to be a scheduled task that runs on a server every x mins or hours?

Thanks!

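The server-side variant asked about above, as an added example that is not from the thread: a scheduled task on a management server that sweeps the default Computers container and moves machines to an OU chosen by computer-name prefix. It assumes the ActiveDirectory module (RSAT) is installed, the task's account has been delegated to move computer objects between those containers, and the OU names are placeholders; only the prefixes (vdipilot, vdiers, vdimwf) come from the post.

```powershell
# Added example, not code from the original thread. Intended to run as a
# scheduled task on a management server under a delegated account.
# Assumptions: RSAT ActiveDirectory module present; OU DNs below are placeholders.
Import-Module ActiveDirectory

$PrefixToOU = @{
    'vdipilot' = 'OU=Pilot,OU=Virtual Desktops,DC=example,DC=local'
    'vdiers'   = 'OU=ERS,OU=Virtual Desktops,DC=example,DC=local'
    'vdimwf'   = 'OU=MWF,OU=Virtual Desktops,DC=example,DC=local'
}
$SourceContainer = 'CN=Computers,DC=example,DC=local'

function Move-VdiComputers {
    param([switch]$DryRun)
    # Only objects that landed directly in the default container are considered,
    # and only those matching the VDI naming convention; nothing else is touched.
    $candidates = Get-ADComputer -SearchBase $SourceContainer -SearchScope OneLevel `
                                 -Filter 'Name -like "vdi*"'
    foreach ($c in $candidates) {
        # Longest matching prefix wins, so a short key cannot swallow a longer one.
        $match = $PrefixToOU.Keys | Where-Object { $c.Name -like "$_*" } |
                 Sort-Object Length -Descending | Select-Object -First 1
        if (-not $match) {
            Write-Warning "No OU mapping for $($c.Name); leaving it in place."
            continue
        }
        $target = $PrefixToOU[$match]
        Write-Output "$($c.Name): $SourceContainer -> $target"
        if (-not $DryRun) {
            # Moved machines pick up the OU's GPOs at their next policy refresh or reboot.
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $target
        }
    }
}

Move-VdiComputers -DryRun   # review the plan first; drop -DryRun in the scheduled task
```

Scoping the search to the Computers container with OneLevel means a desktop already sitting in the right OU is never re-read or re-moved on later runs.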