Limiting Group Policy Script Execution To Specific Subnets

Recently I ran into an interesting problem with a rollout of Citrix Receiver to all corporate computers.  The rollout had to be done by subnet (a limitation introduced by the thin clients in use) rather than by the usual grouping logic we had used in the past.  Because our users are not administrators of their machines, we could not simply ask them to install the software themselves.  And since our OUs do not mirror our subnet structure, this created an issue when pushing the application to everyone through group policy.

So what I needed was a way to apply an installation script to all computer accounts that only ran the install if the computer was a member of one of the targeted subnets.  My options were batch scripting and VBScript, since this was being done through Active Directory and PowerShell is not installed on most workstations.  Here are the scripts that ended up accomplishing the task:

Script 1: receiver-install.bat

Script 2: receiver-install-2.bat

File 1: subnets.txt

So let’s break this down a bit and look at what is actually happening…

First, an Active Directory GPO is applied to the top level of your Computers OU that executes receiver-install.bat.  Since our users are not administrators, we ran it as a computer startup script, because that runs as the SYSTEM account.  If your users have installation privileges, this could just as easily be applied as a user logon script using loopback processing of group policy objects.

Once the script is running with administrative rights, it reads a file named subnets.txt line by line.  This file should be maintained on a central file share; it is the file that controls which subnets are targeted for installation.  Each line of subnets.txt is read into a variable, and receiver-install-2.bat is called with that subnet as an argument.

Here is where things get interesting.  We need to verify that the machine is currently a member of one of the target subnets using only commands available to us in batch scripting, and a little command line kung-fu can help.  Most of us know that issuing the ipconfig command lists all of the IP addresses a machine is currently using.  This command also gives us quite a bit of additional information that isn't needed for our purposes.

ipconfig output

In order to pare this down we pipe (|) the output into the find command to pick out the line we are looking for.  The actual command in the script looks like this:  ipconfig | find /i "IPv4 Address"  The output of that command is shown in the window below:

"IPv4 Address" is the label used on Vista and Windows 7 machines, so we also check for "IP Address", which is the label used by 2000/XP machines.  We then run another find against the line that is returned, and if the subnet matches the one passed when calling the script we continue to the installation portion.  Otherwise we exit the script gracefully and try the next subnet.

From here on out, anything can be placed in the installation portion of the script.  As stated above, we were using the script to install Receiver.  We run a couple of checks to see if it is already installed, and if it isn't, we run the installation.
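As an added example (not the post's own receiver-install.bat or receiver-install-2.bat), here is a single startup script that folds the two together: it reads subnets.txt, matches each prefix against the ipconfig output exactly as described above, checks whether the product is already present, and only then installs.  The share paths, log path, registry key and installer command line are assumed placeholders, not values from the post.

```batch
@echo off
REM Added example, not the post's own scripts. Paths, the registry key and the
REM installer command line are placeholders (assumptions).
setlocal EnableExtensions

REM Runs as SYSTEM, so the share must grant the computer accounts read access; keep it
REM read-only, since every file here is executed with SYSTEM rights on every machine.
set "SUBNETFILE=\\fileserver\deploy\subnets.txt"
set "INSTALLER=\\fileserver\deploy\CitrixReceiver.exe"
set "LOGFILE=%SystemRoot%\Temp\receiver-install.log"
set "MATCHED="

if not exist "%SUBNETFILE%" (
    echo %DATE% %TIME% cannot read "%SUBNETFILE%", exiting >> "%LOGFILE%"
    exit /b 1
)

REM Each line of subnets.txt is a prefix such as 10.1.5. with the trailing dot, so that
REM 10.1.5. does not also match 10.1.50.x. Lines starting with ; are comments.
for /f "usebackq eol=; tokens=* delims=" %%S in ("%SUBNETFILE%") do (
    if not defined MATCHED call :CheckSubnet "%%S"
)

if not defined MATCHED (
    echo %DATE% %TIME% no IPv4 address in a target subnet, exiting >> "%LOGFILE%"
    exit /b 0
)
echo %DATE% %TIME% matched subnet %MATCHED% >> "%LOGFILE%"

REM Skip the install if the product's uninstall key already exists.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PLACEHOLDER-PRODUCT-KEY" >nul 2>&1
if not errorlevel 1 (
    echo %DATE% %TIME% already installed, nothing to do >> "%LOGFILE%"
    exit /b 0
)
echo %DATE% %TIME% starting install >> "%LOGFILE%"
"%INSTALLER%" /silent >> "%LOGFILE%" 2>&1
exit /b %errorlevel%

:CheckSubnet
REM %~1 is the subnet prefix. Vista/7 label the address line "IPv4 Address", 2000/XP
REM "IP Address"; the second find keeps only lines whose value starts with the prefix.
ipconfig | find /i "IPv4 Address" | find ": %~1" >nul
if not errorlevel 1 set "MATCHED=%~1"
ipconfig | find /i "IP Address" | find ": %~1" >nul
if not errorlevel 1 set "MATCHED=%~1"
exit /b 0
```

Because the prefix match is a plain substring test on the ipconfig line, subnets.txt must hold dotted prefixes on octet boundaries; a CIDR range that is not octet-aligned would need a different check.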

I hope this can help some of you who may find yourself in a similar situation.  I’m sure there are far more graceful and elegant ways to handle this specific scenario and I would love to hear them if you have them.



  1. Just wanted to say “thanks.” I was in a pinch tonight when a client sprung a request on me: “Hey, you know that Trend Micro install we asked you to do on all 75 workstations in our company? The one you’ve spent a day writing a batch script & a GPO for? Yeah, we decided we only want to deploy it to one site at a time, is that a problem?”

    They do not have separate OUs for the sites in AD and I’m something of a n00b… I found this after ~25 minutes of frantic Googling and copied it wholesale. Worked like a champ & the single-site deployment is in progress tonight! Assuming all goes well we’ll deploy to the other sites tomorrow & over the weekend – and very easily thanks to you & this blog.

    I’ve bookmarked you & will be checking back for more! Many many thanks, you’ve saved this n00b of a mercenary (consultant) sysadmin a long sleepless night!
