Re: Group Policy - Pushing out Software
- From: "Cary Shultz [A.D. MVP]" <cwshultz@xxxxxxxx>
- Date: Mon, 22 Aug 2005 22:26:57 -0400
Gene,
Sorry for that....
Anyway, back to what I was trying to say ;-)

1) when you add the domain user account object to the computer's local
Administrator group you are allowing that user to do anything and everything
on that computer. That is to say, that this user would have access to
everything and could do anything on that machine. This will eventually lead
to problems for you ( all I need to say is 'hotbar' or AOL IM and you should
get the picture )! I would strongly suggest that this not be done. By
default, the security group 'Domain Users' is added to the computer's local
Users group. This may not be enough for some things ( like adding
printers ). I might suggest that you consider adding the Domain user
account objects to the computer's local Power Users group....at most. You
can easily achieve this by looking at the Restricted Groups group policy.

2) when logging in remotely to someone's system ( via VNC or something
similar ) to do repairs and updates ( and I hope by updates that you do not
mean the updates from windowsupdate.microsoft.com or to OS Service Packs or
to Office Service Packs!!!! ) I might suggest that the support staff log on
either as the local administrator or themselves. I used to manage a 300+
computer environment ( WINNT 4.0 before it became WIN2000 ) and I did all of
this sorta thing remotely ( often via a VPN connection from home to the VPN
Server and then from there to the machines via VNC ). It took hours to do
and was definitely ***NOT*** the way to do it. Depending on what you mean I
might take a look at SUS - or now WSUS - for the OS updates and at deploying
software via GPO. But, you may be talking about something completely
different so my comments may not apply.

3) if you want to deploy software to certain user account objects only then
I might suggest that you make use of either Security Group Filtering when
configuring the GPO or restructuring your OU layout. Naturally, you would
need to deploy the software to the user configuration side of things.

What is it specifically that you want to do?
--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
"Gene" <Gene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:38FF2368-BD40-4D8E-8825-9A74A3EB4E0B@xxxxxxxxxxxxxxxx
> Hi folks,
>
> I pushed out some software by group policy on Friday and when it was all
> said and done, it pushed out the sw to all Win XP profiles on the test
> machine. One thing to note; for administrative purposes, when a user is set
> up on a machine, they are set up as machine administrators for administrative
> reasons, i.e., so administrators can remote in using a user's logon to make
> updates and repairs. In this scenario, is it possible to push the sw out to
> only a specifically desired profile? Most of our workstations have multiple
> profiles, so this is an issue.
>
> Thanks very much for your thoughts!
> Gene
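
An added example, not part of the original post: a PowerShell check for the situation in point 1, listing members of the local Administrators group that are not on an allow-list. The function name, the RID allow-list (500 = built-in Administrator, 512 = Domain Admins) and the sample member records are assumptions constructed for illustration.

```powershell
# Added example: report local Administrators members that are not allow-listed.
# Assumption: only RID 500 (built-in Administrator) and RID 512 (Domain Admins)
# are expected; adjust -AllowedRid to match your own support model.
function Get-UnexpectedLocalAdmin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Member,
        [uint32[]]$AllowedRid = @(500, 512)
    )
    process {
        $sid = [string]$Member.SID
        # The last sub-authority of a SID is the relative identifier (RID).
        $rid = [uint32](($sid -split '-')[-1])
        if ($AllowedRid -contains $rid) { return }   # expected member, skip

        $reason = if ($rid -eq 513) {
            'Domain Users is nested: every domain user is a local admin'
        } elseif ($Member.ObjectClass -eq 'User') {
            'Individual user account holds full local admin rights'
        } else {
            'Group is not on the allow-list'
        }
        [pscustomobject]@{
            Name        = $Member.Name
            SID         = $sid
            ObjectClass = $Member.ObjectClass
            Reason      = $reason
        }
    }
}

# Constructed sample records shaped like Get-LocalGroupMember output.
$local  = 'S-1-5-21-1000000001-1000000002-1000000003'   # made-up machine SID
$domain = 'S-1-5-21-2000000001-2000000002-2000000003'   # made-up domain SID
$sample = @(
    [pscustomobject]@{ Name = 'WS01\Administrator';    SID = "$local-500";   ObjectClass = 'User'  }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; SID = "$domain-512";  ObjectClass = 'Group' }
    [pscustomobject]@{ Name = 'EXAMPLE\jdoe';          SID = "$domain-1104"; ObjectClass = 'User'  }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users';  SID = "$domain-513";  ObjectClass = 'Group' }
)
$sample | Get-UnexpectedLocalAdmin | Format-Table -AutoSize

# On a live workstation (Windows PowerShell 5.1 or later), feed it the real group:
#   Get-LocalGroupMember -SID 'S-1-5-32-544' | Get-UnexpectedLocalAdmin
```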