Re: Group Policy - Pushing out Software



Hi Cary. Thanks for the response.

Yeah, I know the way we access users' machines using Remote Desktop
Connection may not be ideal. The idea is to access people's workstations
remotely (actually within our office), log on as them and do updates, without
actually visiting the various users' offices or creating major changes to
their desktops. Security-wise, probably not too smart; practically, it makes
life easy for 2 administrators keeping 80 users' machines updated. I came into
this late in the game. This dubious IT policy was established before I got
here. Also, computers cascade as new employees come in, as is the case with
most of us I imagine. So, as I said, end users are administrators on their
local machines.

That being said, I have played around with SUS and a little with WSUS more
recently. I found SMS a little bit cumbersome for some projects, so
distributing .msi's via Group Policy is very attractive. In the case of
volume licensed software, distributing to all profiles on a machine is fine,
but to fine-tune that in other licensing scenarios, I’d like to distribute
packages to specific profiles only.

I haven’t tried filtering so I appreciate that tip. Also, using OUs, say
one for notebooks and one for desktops, is a very real possibility I have
considered. I work for an accounting firm, so notebook users tend to be out
of the office doing audits, while the desktop users tend to be tax people and
in the office most of the time.

I’ll check out your filtering suggestion.

Thanks again for your ideas.
Gene


"Cary Shultz [A.D. MVP]" wrote:

> Gene,
>
> Sorry for that....
>
> Anyway, back to what I was trying to say ;-)
>
> 1) when you add the domain user account object to the computer's local
> Administrator group you are allowing that user to do anything and everything
> on that computer. That is to say, that this user would have access to
> everything and could do anything on that machine. This will eventually lead
> to problems for you ( all I need to say is 'hotbar' or AOL IM and you should
> get the picture )! I would strongly suggest that this not be done. By
> default, the security group 'Domain Users' is added to the computer's local
> Users group. This may not be enough for some things ( like adding
> printers ). I might suggest that you consider adding the Domain user
> account objects to the computer's local Power Users group....at most. You
> can easily achieve this by looking at the Restricted Groups group policy.
>
> 2) when logging in remotely to someone's system ( via VNC or something
> similar ) to do repairs and updates ( and I hope by updates that you do not
> mean the updates from windowsupdate.microsoft.com or to OS Service Packs or
> to Office Service Packs!!!! ) I might suggest that the support staff log on
> either as the local administrator or themselves. I used to manage a 300+
> computer environment ( WINNT 4.0 before it became WIN2000 ) and I did all of
> this sorta thing remotely ( often via a VPN connection from home to the VPN
> Server and then from there to the machines via VNC ). It took hours to do
> and was definitely ***NOT*** the way to do it. Depending on what you mean I
> might take a look at SUS - or now WSUS - for the OS updates and at deploying
> software via GPO. But, you may be talking about something completely
> different so my comments may not apply.
>
> 3) if you want to deploy software to certain user account objects only then
> I might suggest that you make use of either Security Group Filtering when
> configuring the GPO or restructuring your OU layout. Naturally, you would
> need to deploy the software to the user configuration side of things.
>
> What is it specifically that you want to do?
>
> --
> Cary W. Shultz
> Roanoke, VA 24012
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Gene" <Gene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:38FF2368-BD40-4D8E-8825-9A74A3EB4E0B@xxxxxxxxxxxxxxxx
> > Hi folks,
> >
> > I pushed out some software by group policy on Friday and when it was all
> > said and done, it pushed out the sw to all Win XP profiles on the test
> > machine. One thing to note; for administrative purposes, when a user is
> > set up on a machine, they are set up as machine administrators for
> > administrative reasons, i.e., so administrators can remote in using a
> > user's logon to make updates and repairs. In this scenario, is it possible
> > to push the sw out to only a specifically desired profile? Most of our
> > workstations have multiple profiles, so this is an issue.
> >
> > Thanks very much for your thoughts!
> > Gene
>
>
>
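
The Security Group Filtering suggested in point 3 above, as an added example that is not part of the original thread. It assumes the GroupPolicy PowerShell module (RSAT) and a GPO that already carries the user-side .msi assignment; the GPO name, group name and OU path are hypothetical.

```powershell
# Added example: restrict a user-side software deployment GPO to one security group.
# All names below are hypothetical placeholders, not values from the thread.
Import-Module GroupPolicy

$GpoName  = 'Deploy - Licensed Package'                  # hypothetical existing GPO
$Group    = 'SW-LicensedPackage-Users'                   # hypothetical group of licensed users
$TargetOu = 'OU=Desktops,OU=Staff,DC=example,DC=local'   # hypothetical OU holding the user accounts

function Set-SoftwareGpoFilter {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ApplyGroup,
        [Parameter(Mandatory)][string]$Ou
    )

    # Fail early if the GPO does not exist; the package assignment itself is
    # made in the GPO editor (User Configuration > Software Settings).
    Get-GPO -Name $Name -ErrorAction Stop | Out-Null

    # By default Authenticated Users has Read + Apply, which is why the package
    # follows every user who logs on. Downgrade it to Read only: the policy can
    # still be read, but it no longer applies to everyone.
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

    # Grant Apply only to the group of users who should receive the package.
    Set-GPPermission -Name $Name -TargetName $ApplyGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Link the GPO to the OU that contains the user accounts, if not linked yet.
    $linked = (Get-GPInheritance -Target $Ou).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Name $Name -Target $Ou | Out-Null
    }

    # Return the trustees that can now apply the GPO, for review.
    Get-GPPermission -Name $Name -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

Set-SoftwareGpoFilter -Name $GpoName -ApplyGroup $Group -Ou $TargetOu
```

The returned list should contain only the licensed group; any other trustee with Apply will also receive the package at logon.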