Re: GPO does not effect Group added to list

Well it is more overhead and easier for someone else to understand... BUT...
if they have to have multiple packages, you have to create so many OU's that
it becomes ridiculously cumbersome to manage... say 6 different software
packages in a possible 10 different configs... leads to about 60 or so
OU's...

"Darren Mar-Elia" wrote:

Well, I tend to agree. The alternative is that you create a single GPO for
each package combination and security group filter that accordingly. I'm not
sure which is more overhead. I think that this approach (1 GPO for each
combination) is probably a little more explicit than the one I mentioned
before, and easier to see for someone other than you.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related

Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool at
http://www.sdmsoftware.com/products.php


"Ken Montgomery" <KenMontgomery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:38EB625E-9764-4C26-8FBA-9E4ECE9FE3F5@xxxxxxxxxxxxxxxx
Ok, well that works but it is really backwards thinking on Microsoft's
part.
It seems as if you get the 'hey you should have this software' part of the
policy but then 'oh yeah, you aren't allowed to install it' as an
afterthought...

But it does seem to work... but talk about confusing for me to try to
explain to non AD_Admins for group memberships...

"Darren Mar-Elia" wrote:

It is the Security tab on the individual package, which sets the ACLs on
that package. A Read ACE on a package grants that security principal the
ability to read, and thus install, the package.

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related

Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool at
http://www.sdmsoftware.com/products.php


"Ken Montgomery" <KenMontgomery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:1EE7FCAA-DFCA-4F6D-9CFF-4405F537AD72@xxxxxxxxxxxxxxxx
Well it does, but I'm confused on where the setting is to block the
specific
package, can you explain it a little better, I think I get it but
haven't
gotten to look yet... is it inside the package settings?

"Darren Mar-Elia" wrote:

Ken-
Basically correct. But, hopefully I can simplify it a bit. Let's say
you
have computer accounts spread across 10 OUs in your domain. And you
want
to
deliver the same set of software in different combinations to each of
those
computers based on their need. You create the groups that define those
combinations you mention below. Then, you link the GPO containing all
of
the
relevant packages to the domain level (or a parent OU level above the
computer OUs if you have that), and keep the default security
permissions
as-is (i.e. Authenticated Users with Apply Group Policy rights). Then,
within the GPO, Software Installation has a unique ability to let you
permission individual packages for processing. So, on the security tab
for a
given package, you would remove the Authenticated Users Read ACE and
then
replace it with the computer group that is entitled to receive that
application. That gets around having to have a different GPO for each
package combination that you want to deliver.

Let me know if that doesn't make sense.

Darren


--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related

Speed Group Policy Troubleshooting with the NEW GPHealth Reporter tool
at
http://www.sdmsoftware.com/products.php


"Ken Montgomery" <KenMontgomery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:63BB3EAF-CC54-4544-B936-54C2E76F09AC@xxxxxxxxxxxxxxxx
Thanks for the Reply Darren... let me ask you a different question
then.
If
that be the case, since we have a number of different 'scenarios'
and
it
would be easier to just include the PC in the correct scenarios by
group
membership... it appears the only way to make it work is to have
even
more
scenarios...

For example, the following OU's would have to be created...

Microsoft Office
Microsoft Office with Education Software
Microsoft Office with Application A
Microsoft Office with Education Software and Application A
Education Software with Application A...

etc.

Versus just putting the group into the OU for each, then ensuring
the
PC's
are in the correct groups...

But if I understand your post, I would have to do that in reverse,
basically
push the software to all PC's but use Groups to exclude some pc's
that
don't
need each Product... correct?

"Darren Mar-Elia" wrote:

GPOs are only processed by computer and user accounts--not groups.
Groups
are simply used to filter the effects on a given user or computer.
So,
you
always need the computer or user to be held in an OU that the
desired
GPO
is
linked to (or one of its children).

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy
http://www.gpoguy.com -- The Windows Group Policy Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things
Group
Policy-related

Speed Group Policy Troubleshooting with the NEW GPHealth Reporter
tool
at
http://www.sdmsoftware.com/products.php


"Ken Montgomery" <KenMontgomery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:128AD279-35DB-4B2F-8E8E-040F77C0A31E@xxxxxxxxxxxxxxxx
Hi Everyone,

I have been working on some software installation policies for my
users
as
we upgrade some products, the installations work fine when the
Computer
is
moved to the GPO but when the Group the computers belong to are
moved
there,
no go. Even with the Apply Group Policy checked in the ACE I
still
get
no
action on the installation, but if I move the Computer account to
the
GPO
it
works fine...

Help?






.

Relevant Pages

  • Re: Office 2007 Professional Plus - Group policy - Error
    ... This the link for the information that led me to believe GPO was a good ... requiring the enterprise license in order to use GPO. ... For the 2007 Office system a basic oNIP (Office network Installation Point) is a CD image. ... I am attempting to setup my Group policy installation package for my Office ...
    (microsoft.public.office.setup)
  • RE: Office 2007 Professional Plus Deployemtn testing problems
    ... I had the problem with extracting deployment information when I was testing ... Once corrected the package allocated ok in the GPO. ... For this installation I just copied the media to a network location. ...
    (microsoft.public.office.setup)
  • RE: Install new font file
    ... The most important thing in this case is the package for the font. ... manufacturer can provide a MSI package and it supports silent installation, ... we can deploy the font by using Group Policy - Computer ... You can also apply startup script to realize this if the font can be ...
    (microsoft.public.win2000.active_directory)
  • Re: MSP files and GPO
    ... "This patch package could not be opened. ... The new Windows Group Policy Guide from Microsoft Press!!! ... >> I was hoping to deploy it using the Software Installation section of Group ... >>> Do not restart after the installation is complete ...
    (microsoft.public.windows.group_policy)
  • Re: Computer Cant Access Installation Source For Assigned Package
    ... Looks like my problem was because I added the packages to the group policy ... > I'm having a problem getting an assigned package to install at computer ... > "Failed to apply changes to software installation settings. ... > access to the share and files in the administrative installation point. ...
    (microsoft.public.win2000.security)
Loading