Re: Group Policy - Pushing out Software



Gene,

Glad that I was able to help a little bit.

I used to work in an environment ( WINNT before it became WIN2000 ) where
there were 300 users and - as I already mentioned - I went through a lot of
different ways of doing things before I just said, "The heck with it....I am
going to VNC into the computer, log on as the local Admin and do my thing".
I was essentially the only one who did this ( of the three or four of us )
so time was of the essence. I spent a good amount of time at the office on
the weekends and 'over night' doing all of this crappola. Then I decided
that VPN and VNC would be a better way to go. At least I could watch the
ball game!

When we merged with another company and became a WIN2000 AD environment I
tried to automate as much as possible. We now had two buildings ( and one
of the buildings had very tight security! ) and several floors so going from
building to building and from floor to floor was not a 'good time'.

The use of OUs should be well planned out. You want to consider how you
will be doing things and make your OU structure facilitate this. Ideally,
you do not want to use group filtering ( well, not entirely true but it does
add a bit more to troubleshooting! ). Obviously, that will not always be
possible ( like in your case! ). It is a very nice tool to have. If you
have any questions on how this works feel free to ask. There is ample
information on this, though. But, I am always glad to help when and where I
can!

I would suspect that you are familiar with 'updates' via GPO. What do I
mean by that? Let's say that you are still on Office 2000. Well, SP2 came
along and so did SP3. Do you really want to have to go to 300 computers,
put in the original Office 2000 CD-Media ( the one from which Office was
installed initially ) and then do the SP3 update? I did that once! Never
again!!!!!!!

You can install Office via GPO ( either to the user configuration side of
things or to the computer configuration side of things.... ). You would
simply do the Administrative installation of Office 2000 ( setup.exe /a ) to
a network location. You then create the GPO and link it to the appropriate
OU. Now, when SP4 comes out all you need to do is to 'update' the
Administrative installation ( okay, specifically with Office 2000 you need
to be at SR-1a before you can update to SP2 or SP3 or, eventually SP4 ).
Then, all you do is go to that GPO and select 'redeploy'. So, the next time
that the user logs on or the next time that the computer is restarted the
'updated' Office installation will be installed ( and this takes several
minutes.....essentially the previous 'version' is removed and the new
'version' is installed ). Also, please note that were you to standardize on
Office 2003 you could use GPO to 'upgrade' from Office 2000 or Office 2003.
All really kewl stuff.

Now, and I will say this only once as it is not my show - I might revisit
the policies and procedure and try to convince the powers that be that there
are better ways to do things and here are the reasons why.....

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Gene" <Gene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E8029B5A-E790-4B0A-AB2F-E5C407B7AA78@xxxxxxxxxxxxxxxx
> Hi Cary. Thanks for the response.
>
> Yeah, I know the way we access users' machines using Remote Desktop
> Connection may not be ideal. The idea is to access people's workstations
> remotely (actually within our office), log on as them and do updates,
> without actually visiting the various users' offices or creating major
> changes to their desktops. Security wise, probably not too smart;
> practically, it makes life easy for 2 administrators keeping 80 users'
> machines updated. I came into this late in the game. This dubious IT
> policy was established before I got here. Also, computers cascade as new
> employees come in, as is the case with most of us I imagine. So, as I
> said, end users are administrators on their local machines.
>
> That being said, I have played around with SUS and a little with WSUS more
> recently. I found SMS a little bit cumbersome for some projects, so
> distributing .msi's via Group Policy is very attractive. In the case of
> volume licensed software, distributing to all profiles on a machine is
> fine, but to fine tune that in other licensing scenarios, I'd like to
> distribute packages to specific profiles only.
>
> I haven't tried filtering so I appreciate that tip. Also, using OU's, say
> one for notebooks and one for desktops is a very real possibility, I have
> considered. I work for an accounting firm, so notebook users tend to be
> out of the office doing audits, while the desktop users tend to be tax
> people and in the office most of the time.
>
> I'll check out your filtering suggestion.
>
> Thanks again for your ideas.
> Gene
>
>
> "Cary Shultz [A.D. MVP]" wrote:
>
>> Gene,
>>
>> Sorry for that....
>>
>> Anyway, back to what I was trying to say ;-)
>>
>> 1) when you add the domain user account object to the computer's local
>> Administrator group you are allowing that user to do anything and
>> everything on that computer. That is to say, that this user would have
>> access to everything and could do anything on that machine. This will
>> eventually lead to problems for you ( all I need to say is 'hotbar' or
>> AOL IM and you should get the picture )! I would strongly suggest that
>> this not be done. By default, the security group 'Domain Users' is added
>> to the computer's local Users group. This may not be enough for some
>> things ( like adding printers ). I might suggest that you consider
>> adding the Domain user account objects to the computer's local Power
>> Users group....at most. You can easily achieve this by looking at the
>> Restricted Groups group policy.
>>
>> 2) when logging in remotely to someone's system ( via VNC or something
>> similar ) to do repairs and updates ( and I hope by updates that you do
>> not mean the updates from windowsupdate.microsoft.com or to OS Service
>> Packs or to Office Service Packs!!!! ) I might suggest that the support
>> staff log on either as the local administrator or themselves. I used to
>> manage a 300+ computer environment ( WINNT 4.0 before it became WIN2000 )
>> and I did all of this sorta thing remotely ( often via a VPN connection
>> from home to the VPN Server and then from there to the machines via
>> VNC ). It took hours to do and was definitely ***NOT*** the way to do
>> it. Depending on what you mean I might take a look at SUS - or now
>> WSUS - for the OS updates and at deploying software via GPO. But, you
>> may be talking about something completely different so my comments may
>> not apply.
>>
>> 3) if you want to deploy software to certain user account objects only
>> then I might suggest that you make use of either Security Group
>> Filtering when configuring the GPO or restructuring your OU layout.
>> Naturally, you would need to deploy the software to the user
>> configuration side of things.
>>
>> What is it specifically that you want to do?
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24012
>> Microsoft Active Directory MVP
>>
>> http://www.activedirectory-win2000.com
>> http://www.grouppolicy-win2000.com
>>
>>
>>
>> "Gene" <Gene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:38FF2368-BD40-4D8E-8825-9A74A3EB4E0B@xxxxxxxxxxxxxxxx
>> > Hi folks,
>> >
>> > I pushed out some software by group policy on Friday and when it was
>> > all said and done, it pushed out the sw to all Win XP profiles on the
>> > test machine. One thing to note; for administrative purposes, when a
>> > user is set up on a machine, they are set up as machine administrators
>> > for administrative reasons, ie, so administrators can remote in using
>> > a user's logon to make updates and repairs. In this scenario, is it
>> > possible to push the sw out to only a specifically desired profile?
>> > Most of our workstations have multiple profiles, so this is an issue.
>> >
>> > Thanks very much for your thoughts!
>> > Gene
>>
>>
>>
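
An added example, not part of the original thread: a PowerShell check for the situation discussed in point 1 above, listing members of the local Administrators group that fall outside an allow list, which is the drift a Restricted Groups policy is meant to prevent. The function name, the allow list and the sample records are constructed for illustration; on a live machine the input would come from `Get-LocalGroupMember` (Windows PowerShell 5.1 or later).

```powershell
# Added example: flag local Administrators members that are not on an allow list.
# Find-UnexpectedLocalAdmin is a hypothetical helper, not a built-in cmdlet.
function Find-UnexpectedLocalAdmin {
    param(
        # Objects exposing Name, SID and ObjectClass (the shape Get-LocalGroupMember returns)
        [Parameter(Mandatory)] [object[]] $Members,
        # Wildcard patterns matched against each member's SID string
        [Parameter(Mandatory)] [string[]] $AllowedSidPatterns
    )
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        $allowed = $false
        foreach ($pattern in $AllowedSidPatterns) {
            if ($sid -like $pattern) { $allowed = $true; break }
        }
        if (-not $allowed) {
            # Emit one record per member that should not hold local admin rights
            [pscustomobject]@{
                Name        = $m.Name
                SID         = $sid
                ObjectClass = $m.ObjectClass
            }
        }
    }
}

# Assumed allow list: built-in Administrator (RID 500) and Domain Admins (RID 512).
$allowedPatterns = @('S-1-5-21-*-500', 'S-1-5-21-*-512')

# Constructed sample membership: the names and SIDs below are made up.
$sampleMembers = @(
    [pscustomobject]@{ Name = 'WS01\Administrator';    ObjectClass = 'User'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; ObjectClass = 'Group'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-512' }
    [pscustomobject]@{ Name = 'EXAMPLE\gene';          ObjectClass = 'User'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-1104' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users';  ObjectClass = 'Group'
                       SID  = 'S-1-5-21-4444444444-5555555555-6666666666-513' }
)

# Reports the individual user account and the Domain Users group as unexpected.
Find-UnexpectedLocalAdmin -Members $sampleMembers -AllowedSidPatterns $allowedPatterns |
    Format-Table -AutoSize

# Live use, run elevated on the workstation (S-1-5-32-544 is BUILTIN\Administrators):
# Find-UnexpectedLocalAdmin -Members (Get-LocalGroupMember -SID 'S-1-5-32-544') `
#     -AllowedSidPatterns $allowedPatterns
```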

