Applying GPO only to certain computers within an OU

Momo

We are in the process of deploying some software via GPO to computers
within an OU. The problem is we don't want to apply the software to all
machines within the OU.

So far what we've successfully done is create a group and add the computers
to which we don't want the policy to apply. And then in the GPO security
properties deny the group from reading and applying the policy. This
has successfully worked.

But what we would rather do is the reverse and have the computers which we
want to apply the policy in the group. What we tried is by default deny the
"Authenticated Users" group from applying the policy, giving them read
only. Then for the group give them read and apply. But this hasn't worked
successfully.

Has anyone tried something like this or have any suggestions... please
 
Ken B

Don't forget that deny permissions take precedence over allows.

I think if you remove the authenticated users group from the acl, and just
add in the security group "Yes Software" or whatever (the computers that are
supposed to get the policy) and give them Read & Apply GPO permissions. I'm
not sure if you'll run into trouble with a software package installation
needing 'authenticated users' to read your source info.

hth

Ken
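
An added example, not part of the original thread: one way to set up the allow-only security filter described above with the GroupPolicy PowerShell module. It keeps "Authenticated Users" at read-only instead of removing it, which covers the concern about reading source info; the GPO name is a hypothetical placeholder and the group name is the one from the reply.

```powershell
# Added example, not from the thread. Run from a machine with GPMC/RSAT installed.
Import-Module GroupPolicy

$GpoName     = 'Deploy-Software'   # hypothetical GPO name (assumption)
$TargetGroup = 'Yes Software'      # group name taken from the reply above

# 1. Look for Deny entries left over from an earlier attempt. A Deny on a group
#    the computer belongs to (every computer is in Authenticated Users)
#    overrides any Allow granted below, so stop if one is found.
$denied = Get-GPPermission -Name $GpoName -All | Where-Object { $_.Denied }
if ($denied) {
    $denied | Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
        Format-Table -AutoSize
    Write-Warning 'Remove these Deny entries in GPMC (Delegation > Advanced) first.'
    return
}

# 2. Downgrade Authenticated Users from the default "Read + Apply" to Read only.
#    -Replace is required because the new level is lower than the current one;
#    without it the cmdlet leaves the higher permission in place.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. Grant Read + Apply to the group holding the computers that should install.
Set-GPPermission -Name $GpoName -TargetName $TargetGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Show the resulting filter: only $TargetGroup should hold GpoApply,
#    and no row should have Denied = True.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission, Denied |
    Sort-Object Trustee |
    Format-Table -AutoSize
```

A computer picks up a new group membership only after it restarts, so machines added to the group will not process the GPO until their next boot.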
 
Bruce Sanderson

Perhaps there is some complication in your situation that I don't know
about, but here's my suggestion.

I suggest avoiding the complexity of attempting to manage the application of
GPOs via security and groups. Create a new OU as a child of the existing
OU, apply the Software distribution policy to that sub-OU and move the
computers you want to have that GPO applied to into the new sub-OU. Any
GPOs applied to the parent OU will be inherited by the new sub-OU, so the
moved computers will still get those GPOs applied to them.

One of the big features of Active Directory is the flexibility to move
things around and change the OU hierarchy easily; take advantage of that to
avoid the need to use more complex features such as security filtering.
 
lforbes

Bruce Sanderson said:
Perhaps there is some complication in your situation that I don't know
about, but here's my suggestion.

I suggest avoiding the complexity of attempting to manage the application of
GPOs via security and groups. Create a new OU as a child of the existing
OU, apply the Software distribution policy to that sub-OU and move the
computers you want to have that GPO applied to into the new sub-OU. Any
GPOs applied to the parent OU will be inherited by the new sub-OU, so the
moved computers will still get those GPOs applied to them.

One of the big features of Active Directory is the flexibility to move
things around and change the OU hierarchy easily; take advantage of that to
avoid the need to use more complex features such as security filtering.

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong
question.

Hi,

I agree with Bruce. Don’t mess with the default security settings. If
you set up to deny then they aren’t getting ANY of the policy.

Just create a child OU and move the machines into that and then move
them back again when the install is done. I have thousands of machines
and manage their software installs this way all the time.

Cheers,

Lara
 
