Assigning Software to a Specific Group by Using a Group Policy doesn't work

Jason

Hi,

I have followed Microsoft's article How to Assign Software to a Specific
Group by Using a Group Policy Q302430
(http://support.microsoft.com/default.aspx?scid=kb;en-us;302430) and it
doesn't work.

What I'm trying to do is create an OU that has a GPO linked to it without
having the machine be a member of that GPO. I would then use group
membership to apply the software installation policies to the appropriate
machines. According to Microsoft's article this should be possible. If I
move the machine into this OU everything works fine, but I'm trying to work
around the issue of not being able to have a machine belong to more than one
OU at a time. When the client isn't in the OU it never gets the policy
(gpresult.exe). Obviously something is missing from the article. I've seen
other people in the various groups having difficulties with this exact same
article.

Does anyone have any ideas?

TIA,
Jason
 
When using this procedure, the group membership that is being used is a
group that is made up of machines, correct? Groups can contain machines -
not just users. And, the procedure does work - the machine must be rebooted
for it to work because the policy that you are applying is a software policy
at the machine level - not the user.

If you follow the steps and substitute 'Machine' for 'User' or 'client', it
should work properly. I have it working in my enterprise with no problems
at all.
 
Rick,

Thanks for verifying that the procedure does in fact work. Yes I have
assigned machines to the group and not user accounts. The following is what
I have done.

- Created a new ou called software.
- Created a new group called Win2k_SP4 in the software ou and added a laptop
machine account to the group. This group is the only thing in the software
ou.
- I then created a new GPO linked to the software ou called Software
Installations and disabled the user configuration part of the GPO.
- In the computer configuration, I added a new software installation for
Win2k SP4 and changed the security settings to the following to filter out
just machines in the Win2k_SP4 group.
    Creator owner = rw
    Domain Admins = fc
    Enterprise Admins = rw
    System = fc
    Win2k_SP4 = r

- I then changed the security settings on the GPO to the following to allow
all domain computers to have the GPO applied to them.
    Domain Computers = r apply group policy
    Authenticated Users = r apply group policy
    Creator owner =
    Domain Admins = rw create/delete child objects
    Enterprise Admins = rw create/delete child objects
    System = rw create/delete child objects

- I then forced a replication of the domain using ADSS
- Ran secedit /refreshpolicy machine_policy on the laptop and then rebooted.
- Nothing happened on the reboot, I ran gpresult and it didn't see the
Software Installation GPO, but it did show the Win2k_SP4 group membership.

Microsoft's article "Group Policy Objects Applied to Organizational Units
Containing Only Groups Are Not Applied to Members of Those Groups" (Q220822)
states the following:

Group Policy Objects (GPOs) are applied only to the users or computers that
are members of the Organizational Unit (OU) to which the GPO is linked.
Groups that are placed in the OU have no effect during the processing of a
group policy.

There are alternative mechanisms that you can use to filter GPOs on the
basis of security group membership:
a. Filter by using an access control entry (ACE) placed directly on the
GPO named Apply Group Policy.
b. Group policy filtering can be accomplished only by using membership in
Security groups. Distribution groups, such as Universal groups, cannot be
used to filter the application of group policies.
c. Access control entries can be applied to the group policy from the
Security tab of its Properties dialog box.

If I put the GPO in the domain group policy or put the laptop in the
software ou, the laptop does process the GPO and shows up in gpresult.

I will delete everything and start over again. Any comments or ideas on how
you got this to work would be very much appreciated. I'm confused as to why
the two Microsoft articles say exactly the opposite thing. As far as I
knew, a GPO was only processed by machines or users that are members of the
ou that has the GPO linked to it.

Thanks,
Jason
 
Rick,

I have recreated the entire thing step by step from article Q302430. The
laptop still does not show the GPO settings from the software installations
GPO in gpresult.

When I move the laptop from computers to the ou, the GPO is applied.
 
Hello Jason,

We cannot apply a GPO directly to a security group. Regarding this issue, I
would like to share the following information with you.

1. In article 302430, you can see the following statement: You can apply
group policies to domains, sites, and OUs.

2. If we apply policies to an OU that contains only a global group, the
group policies will not be applied to the members of the group since GPOs
are applied only to the users and computers that are members of the
organizational unit.

The detailed information about this problem can be found in the white paper
for Windows 2000 Group Policy below.

http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp

If anything is unclear, feel free to let us know. Thanks.


Sincerely,

Vivien Wu
MCSA, MCSE2000 and MCDBA2000
Microsoft Partner Online Support


Get Secure! - www.microsoft.com/security

====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.
 
Vivien,

I've always thought that the policy would only be applied to users or
computers that reside within the OU. Unfortunately article 302430 made me
think otherwise because of the wording in the summary paragraph.

From article 302430...
You can use group policies to assign or publish software to users or
computers in a domain, and it is useful to be able to deploy software based
on group membership. Group Policy Objects (GPOs) are normally applied only
to members of organizational units (OUs) to which the GPO is linked. Because
users cannot be located in several OUs at one time, it is necessary to be
able to apply group policies outside of the boundaries of OUs. This article
describes how to have your software deployment policy applied to users who
are not in a respective OU.

The following line makes people think that you can deploy software to
different OU's without being a member of the OU.
"This article describes how to have your software deployment policy applied
to users who are not in a respective OU."

Your statement below from the article says you can apply group policies to
domains, sites and OUs, but it doesn't state anywhere in the article that
you need to have a computer or user in that OU. The article states that you
can apply group policy to users that aren't members of the OU. Also, Rick
the other person who replied to my original message states that he has this
working.
1. In article 302430, you can see the following statement: You can apply
group policies to domains, sites, and OUs.

I'm confused...

Thanks,
Jason
 
Hello Jason,

I would like to explain the issue.

1. We cannot apply a GPO directly to a security group.

2. When we assign group policy to Domain, Site or OU, by default, all the
computers or users in the corresponding containers will apply the policy. By
using the article 302430, we can set which security group can apply the
policy.

For example, if you have multiple computers, which belong to more than one
OU but they are in the same Site, you can follow the steps below to assign
group policy to them.

1. Create a group for the multiple computers

2. Apply the group policy to Site

3. Change the security settings for the group policy to make sure that only
the needed group can apply the policy

You can also assign group policy to domain and then set the Security
settings for it.

If you have any concerns, please let me know. Thanks.

Sincerely,

Vivien Wu
MCSA, MCSE2000 and MCDBA2000
Microsoft Partner Online Support


 
Jason,

I think that you might be getting confused by the use of
Groups. I will say this upfront: I have not looked at the
Article that you ( plural ) have mentioned.

When you create a GPO to be applied to either the User or
Computer side of things ( it really does not matter as far
as permissions are concerned in this case ) take a look at
the security tab ( which I am sure that you have ). You
will notice that "Authenticated Users" has the read and
apply group policy permissions. There are naturally
others in the group ( like Owner/Creator and Enterprise
Admins blah blah blah ) but this is the one in question (
as I see it ). By keeping this "Authenticated Users"
group in there this GPO would apply to all the users in
that Domain/Site/OU...

What I normally do is to first and foremost create a
security group ( call it XXXXXX ) and put all of the
users - or computers for that matter - to which I would
like this particular GPO applied in that group. I then
simply create the GPO and immediately remove
that "default" Authenticated Users and replace it with
XXXXXX and give that group the same permissions ( namely,
read and apply group policy ).

See, you can apply the GPO at the Site Level ( if that
makes sense for your situation ) and not have to worry
about in which OU users or computers are located. It does
not matter. Only those users - or computers - in the
XXXXXX security group will be able to "see" the GPO, which
will be applied to the members of the XXXXXX security
group ( due to the permissions ). You could do the same
at the domain level...Whatever works better for your
situation.

See, I could have a domain with one site ( in Sites and
Services ) and 100,000 users. I could create a GPO ( user
configuration ) at the domain level. I could create a
Security Group, put ONLY myself in that security group,
remove the Authenticated Users from the security tab of
that particular GPO and add that security group that I
just created and apply permissions to it. Now, I am the
only one affected by this GPO - even though it was created
at the Domain level.

HTH,

Cary
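The procedure Vivien and Cary describe (a security group of the target accounts, the GPO linked at the domain or site rather than at an OU that only holds the group, and Apply Group Policy granted to that group instead of Authenticated Users), as an added PowerShell example that is not from this thread or from Microsoft's article. It assumes the GroupPolicy RSAT module, reuses the names Software Installations and Win2k_SP4 from Jason's posts, and uses a placeholder domain DN.

```powershell
# Added example, not from the thread. Requires the GroupPolicy module (RSAT)
# and a domain-joined session with rights to create and link GPOs.
Import-Module GroupPolicy

$GpoName    = 'Software Installations'   # GPO name used in the thread
$GroupName  = 'Win2k_SP4'                # security group (not distribution) of computer accounts
$LinkTarget = 'DC=corp,DC=example'       # placeholder domain DN: replace with your domain

function Set-GpoGroupFiltering {
    param([string]$Gpo, [string]$Group, [string]$Target)

    # Link at the domain (or site). A GPO applies to users/computers located
    # under its link target; groups sitting in that container are ignored.
    if (-not (Get-GPO -Name $Gpo -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Gpo | Out-Null
    }
    New-GPLink -Name $Gpo -Target $Target -ErrorAction SilentlyContinue | Out-Null

    # Filtering is an ACE on the GPO itself (Read + Apply Group Policy), not on
    # the software installation package inside the GPO.
    Set-GPPermission -Name $Gpo -TargetName $Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Remove Apply from Authenticated Users so only members of $Group process it.
    Set-GPPermission -Name $Gpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None | Out-Null

    # Caveat for current Windows versions (after MS16-072): the computer account
    # must still be able to read every GPO, so keep read access for Domain Computers.
    Set-GPPermission -Name $Gpo -TargetName 'Domain Computers' -TargetType Group `
        -PermissionLevel GpoRead | Out-Null
}

function Get-GpoApplyTrustees {
    param([string]$Gpo)
    # The check Jason wanted before rebooting: which trustees hold Apply Group Policy.
    Get-GPPermission -Name $Gpo -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        ForEach-Object { $_.Trustee.Name }
}

Set-GpoGroupFiltering -Gpo $GpoName -Group $GroupName -Target $LinkTarget
Get-GpoApplyTrustees -Gpo $GpoName
```

Because the thread's policy is a computer-side software installation, members of the group still need a reboot (as Rick notes) before gpresult shows the GPO.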
 
Vivien,

Thank you for trying to clarify this. What you are telling me is exactly
what I thought all along. The problem is with article 302430. It makes you
believe there is another way of doing things. I will explain below the
statement from the summary that confuses me.

"Group Policy Objects (GPOs) are normally applied only to members of
organizational units (OUs) to which the GPO is linked."
*** By saying NORMALLY I get the impression that there is another way.

Why didn't the article just come out and plainly say that you must apply the
GPO to a site or domain? Step number 3 says to click the container you want
to link the GPO to. This should say click the domain or site you want to
link the GPO to. This is misleading and lets you assume you can link to a
OU as well. I kept thinking to myself, how is the machine ever going
to get the GPO applied, but unfortunately I trusted the article and wasted a
lot of time for nothing. Personally I think the article should be rewritten
to make things a lot more clear so that others don't waste time as well.

Thanks for your advice,
Jason
 
Cary,

Thanks for your input! I completely understand how the GPOs work. The
problem is with the wording of the MS article. It led me to believe there
was some other way of doing things on a per OU basis. I have it working at
a domain level at the moment, but was wanting to play a bit. The reason I
wanted to do this is because I have software for our developers (msdn
licenses) and regular volume license software. I wanted to use two
different GPOs on two different OUs that contain separate security groups
for each software package.

I guess what I'm going to have to do now is create two different GPOs at
the site or domain level, one for each set of software so I can keep them
separated. Then create two sets of security groups. I don't want to put
them both in the same GPO because it will be difficult to tell which
software installation is for which set of software.

Oh well... it was worth a try... I will conform. :-)

Thanks again!
Jason
 