Software Deployment to Machines
From: gma13 (anonymous_at_discussions.microsoft.com)
Date: 05/26/04
- Next message: Eddie Loving: "Password Policy"
- Previous message: Mark Hatsell: "Re: Software deployment"
- In reply to: anonymous_at_discussions.microsoft.com: "Software Deployment to Machines"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 26 May 2004 06:20:38 -0700
Yes, I went back and granted the group Domain Computers
read access to the share in addition to the Authenticated
Users.
Inside of GPMC in the modeling tree when I run the
modeling wizard and create a query against a particular
user/computer I get the results that the package will be
deployed. However, inside of the results tree I get the
results that the GP is denied due to security filtering.
I am aware (Now) that the results tree is only displaying
in GUI format the same thing that gpresults returns and
unless you run a gpupdate first you are not necessarily
looking at what the latest set of GP's are doing to you.
With all of that said, I'm still stuck with a GP that when
I security filter it to a DL group which has as its
member a Global group which has as its members a select
number of computers, I end up with no actual deployment
due to security filtering but a simulated model deployment
stating that it will be processed.
Continuing my debugging process I added the Authenticated
Users to the security filtering BUT I went to the
delegation tab and removed the Apply Group Policy so as to
keep all users from getting the GP applied to them. Again
modeling says it works, results says it doesn't.
Finally I went and said apply group policy to the
Authenticated Users group and then modeling agrees with
results and I get deployment.
The problem is that now I get deployment on every computer
whether it is in the security filtering for the computer
or not. It's looking more and more like the only
alternative is to create groups of computers that I don't
want the application applied to and set up deny filtering
either by deselecting the read permission or to go after
the share and remove the read permission on the share
itself.
Help!
>-----Original Message-----
>Have you given the workstations read permissions on the
>share?
>I've got Office installing on boot up on the workstations
>and without giving the workstations read access it will
>fail
>
>Ollie
>
>>-----Original Message-----
>>Let me start out by saying this worked under W2K server.
>>I'm trying to deploy Office to a select number of
>>computers running XP/W2K Wkstn/2003 Server. Following the
>>best practices protocol:
>>I created a global security group in the computers
>>container and placed the above mentioned machines into the
>>list of members.
>>I created a domain local security group and made the above
>>mentioned global group a member of.
>>I created a shared directory to place the MSI package into
>>and set the permissions on the share to read only for
>>authenticated users nothing was denied.
>>I went into gpmc and created a new GP and edited it from
>>there.
>>Under computer configuration-software setting I created a
>>new package which I selected as advanced assigned. This
>>was done so that I could apply a MST under the
>>modifications tab.
>>Back in gpmc I removed the authenticated users from the
>>security filtering area and added the domain local
>>security group I created above.
>>I then linked the GP at the domain level.
>>I then ran gpupdate /force on the same server that all of
>>the other tasks above were run on and if everything was
>>going to function correctly I would be greeted with a
>>prompt that says a re-boot would be required in order to
>>install the software. That was not the case.
>>Obviously I missed something but I don't see where. After
>>reading several posts I was asking myself that maybe the
>>permissions on the share should be set to everyone read
>>because when the computer side GP is applied the machine
>>doesn't have an authenticated user attached to it. I have
>>tried numerous combinations over the past week and have
>>not gotten the modeling section to agree with what
>>actually happens on the client.
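An added example, not part of the thread: a small Python model of GPO security filtering (a GPO is processed only when the computer's token is allowed both Read and Apply Group Policy), run against the three filter setups described in the message. All group and computer names are hypothetical, and the stale token is an assumption of the example: it models a computer that has not rebuilt its token since being added to the group, while a simulation works from directory membership.

```python
# Constructed sample data; group and computer names are hypothetical.
MEMBER_OF = {                       # direct memberships as stored in the directory
    "PC-OFFICE$": {"GG-Office-PCs", "Domain Computers"},
    "PC-OTHER$": {"Domain Computers"},
    "GG-Office-PCs": {"DL-Office-Deploy"},   # global group nested in domain local group
}
IMPLICIT = {"Authenticated Users"}  # present in every authenticated token

def directory_groups(principal):
    """Transitive group closure from the directory (what a simulation evaluates)."""
    seen, stack = set(IMPLICIT), [principal]
    while stack:
        for group in MEMBER_OF.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

def gpo_applies(acl, token_groups):
    """A GPO is processed only if the token is allowed Read AND Apply, minus any deny."""
    allowed, denied = set(), set()
    for trustee, perms, deny in acl:
        if trustee in token_groups:
            (denied if deny else allowed).update(perms)
    return {"read", "apply"} <= allowed - denied

# The three filter setups from the message: (trustee, rights, is_deny)
DL = ("DL-Office-Deploy", {"read", "apply"}, False)
ACLS = {
    "dl_group_only": [DL],
    "auth_users_read_only": [DL, ("Authenticated Users", {"read"}, False)],
    "auth_users_apply": [DL, ("Authenticated Users", {"read", "apply"}, False)],
}

def compare(computer, held_token):
    """Per setup: (result simulated from the directory, result with the token actually held)."""
    return {name: (gpo_applies(acl, directory_groups(computer)),
                   gpo_applies(acl, held_token | IMPLICIT))
            for name, acl in ACLS.items()}

if __name__ == "__main__":
    # Assumption: PC-OFFICE$ still holds a token built before it joined GG-Office-PCs.
    for name, result in compare("PC-OFFICE$", {"Domain Computers"}).items():
        print(f"{name}: simulated={result[0]} actual={result[1]}")
    # With Apply granted to Authenticated Users, a non-member computer also qualifies.
    print(gpo_applies(ACLS["auth_users_apply"], directory_groups("PC-OTHER$")))
```

Under that assumption the model reproduces the pattern in the message: simulated and actual results agree only once Authenticated Users holds Apply, at which point every computer qualifies.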