Re: Group Policy Software Installation

Tech-Archive recommends: Speed Up your PC by fixing your registry

Net Admin,

No problem. Usually, we all know what you mean when you word it the way you
did. But, we have to question it to be sure. There are a lot of things
involved and something like this can be a show stopper.

If you created a security group and then made the computers in question a
member of that security group and then added this security group to the
Share and Security tab it *should* have the same affect as adding the Domain
Computers. Normally I would use the Domain Computers group. It is already
there. The only time that I would create a special security group would be
when I am going to use security group filtering. That is a little bit more
advanced, though. Let's get the basics working and build from that.

And, one thing that a lot of people do is they take care of the Share "tab"
permissions but forget about the Security "tab" permissions. I have seen
this numerous times.

Please keep us posted as to your progress. If you have any more questions
please feel free to ask! That is why we are here!

--
Cary W. Shultz
Roanoke, VA 24012

"Net Admin" <NetAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:07BFE63C-12B4-43F4-8AEA-D92BF7E91C31@xxxxxxxxxxxxxxxx
I'm sorry, when I said I added the computers OU to the ACLs of the share I
meant I have created a security group with the target computers as members
and added that group to the ACLs of the share. I will try today while at
work
from scratch by adding Domain Computers to the permissions and see what
happens......
"Cary Shultz" wrote:

Net Admin,

I am not sure that I understand what you mean with your first sentence.
You
simply go to the shared folder, right click and select either properties
or
sharing and security and then go to the sharing tab. Simply add "Domain
Computers". Then, check on the appropriate check boxes (read). Then, go
to
the Security tab. Simply add "Domain Computers". Then check the
appropriate check boxed (read and execute,list,read). Naturally, this is
after you have removed the Everyone @ F/C on the Sharing tab and added
Domain Admin @ F/C and did the same thing on the Security tab.

I would suggest that you apply this to the computer side of things.

--
Cary W. Shultz
Roanoke, VA 24012

"Net Admin" <NetAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B19FC817-EEC1-4640-84A4-0DFF0C33794F@xxxxxxxxxxxxxxxx
Ok I will add the OU that the computers reside in to the NTFS ACLs. The
GPO
was created on the computers OU. I am not using GPMC, I like the
default
way
to use Group Policy, should I be using GPMC? Good idea on the hidden
share
part, thanks.
The app is a Citrix ICA client, version 8.
If I instead applied the GPO to an OU for certain users would that be
better?
If I assigned the app to install at login then each time they login
would
it
install or does it recognize that it is already done? How about the
users
that use certain servers through Terminal Services, will the app try to
install on the servers every time they login? It will take
approximately 2
days then I can remove the GPO because everyone will have logged in by
then.
Hey thanks a lot for your quick response!



"Cary Shultz" wrote:

I see the problem immediately. If it is set for the computer side of
things
then the computer account objects need to have some sort of access to
the
shared folder (read: Share and NTFS). I might suggest that you remove
the
EVERYBODY / Full Control share permissions and make it something like
Domain
Admins F/C and Domain Computers read and execute/list/read. Then, do
the
same thing for the NTFS permissions. And, since you probably do not
want
the normal users to be able to see this shared folder I might suggest
that
when you share the folder you append a dollar sign ($) at the end of
the
shared name. This will make it invisible (well, sorta).

Reboot the computers and away you go. Be aware that if the computers
are
Windows XP that it might take a couple of reboots (Logon
Optimization).

Also, be aware that you can not publish applications that are set for
the
computer side. You can only assign them. Depending on what the
application
is you might want to consider Advanced Assign. You will need this if
you
are making use of an .mst file (Transforms file).

Additionally, is the GPO linked to the OU in which the computer
account
objects physically reside?

Just out of curiosity, what is the application?

Are you using GPMC?

--
Cary W. Shultz
Roanoke, VA 24012

"Net Admin" <NetAdmin@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:15F453D5-FFEA-48B9-ABDD-90A951250C1D@xxxxxxxxxxxxxxxx
I am trying to deploy an app via group policy. It has an msi
extension
and
I
have set the policy under computer configuration, software settings.
It
doesn't seem to want to take. When loggin in, nothing has changed or
attempts
to change. The .msi is located on a share with Everyone-full control
share
permissions and domain users have read and execute, list, and read
NTFS
permissions.
If I run the .msi normally I get the file security warning asking
if I
want
to run the file because the publisher could not be verified. It is a
trustworthy program that we have been using for a year now. Could
that
be
why
it won't take?
Is the .msi all I need? I was going to repackage the .exe of the
same
program but it started to get a little complicated that's why I
downloaded
the .msi. I do get an event warning in eventviewer but I have to go
to
work
to get it for you. Do you need the id? It's an application event
warning
about software installation but it says nothing was halted. I hope
this
is
enough info,thanks!








.

Relevant Pages

  • Re: Applying to Multiple Computers
    ... I don't have a SBS server here to check, but if my memory serves me correct ... under the domain for computers - then OUs for the various groups (typically ... filtering except when there's no other option. ... I have now tried creating a Security Group in both the "SBS Computers" and ...
    (microsoft.public.windows.group_policy)
  • Re: under a domain, how do i give users full control of their work
    ... the OU where your computers are stored in AD Users and Computers and ... Settings - Security Settings - Restricted Groups and you can add that ... Security Group you create that holds all the user accounts to the ... do whatever they want on their on local machines? ...
    (microsoft.public.windows.server.active_directory)
  • Re: Group Policy Software Installation
    ... out it was a real pain in the arse with logon scripts. ... the share and NTFS permissions to allow Domain Computers Read and Execute. ... member of that security group and then added this security group to the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Group Policy Software Installation
    ... the share and NTFS permissions to allow Domain Computers Read and Execute. ... member of that security group and then added this security group to the ...
    (microsoft.public.windows.server.active_directory)
  • Re: SOM and OUs
    ... require policies that are the same, which says "one GPO" to me ... ... a Lab Computer Security group to which all Lab ... computers would belong. ...
    (microsoft.public.windows.group_policy)