Deploying Office to a Security Group in an OU not working as expected.

  • Thread starter: fygar

fygar

I want to manage some software via GP but I can't quite work out one
glitch that I am having.

I have created an OU with my GP properly set up to assign the s/w to a
computer. Inside the OU I created a security group and put my computer
in it but the s/w will not install with this setup even after the
required two (or more) reboots.

If I remove the computer from the security group and move it directly
into the OU, the s/w will install.

Here's the part that bakes my noodle....

If after allowing the s/w to install, I move the computer back to the
OU folder and then add it to the security group, it will stay. If I
then remove the computer from the security group it will uninstall
itself!

It seems like the computer must physically reside inside the OU that
policy is attached to. Does anyone have a suggestion as to what could
be causing this?

Thanks

Butch Adams
 
Fygar,

You do not deploy software via GPO to security groups - no matter where they
are located. You deploy software ( does not matter - to the computer- or to
the user-side ) to Organizational Units. The user or computer account
objects to which you are attempting to deploy the software *MUST* reside in
that OU for it to even be possible.

There are a couple of things that you need to consider:

1) the software distribution point: it needs to be shared. You also need to
make sure that the objects in question ( either the users or the computers )
have both share and NTFS permissions to that folder. Typically you can play
with EVERYONE @ F/C for both the share and NTFS permissions but I would not
suggest that in a production environment. Consider using 'domain users'
and/or 'domain computers' with at least read permissions.

2) when telling the GPO where to find the appropriate .msi file you need to
use the UNC path ( \\servername\sharename\file.msi ) and not a mapped
network drive. It does not seem like you have done this.

3) You can deploy software via two ways: assign and publish. You can only
assign software distributions to computer account objects but you can both
assign and publish to user account objects.

4) on the GPO itself you need to make sure that the appropriate security
group has both the READ and APPLY GROUP POLICY rights. Okay, I know that in
my first sentence I stated that you do not apply GPOs to security groups.
We are not! However, you can use security groups to filter which user
account objects or computer account objects get the GPO. By default the
'Authenticated Users' is given those two above mentioned rights. This
security group contains all user account objects and all computer account
objects that are located in the OU to which this GPO is linked. We can
remove the 'Authenticated Users' security group and replace it with one that
we have created. An example: let's say that you create an OU called
EMPLOYEES and you move all of your user account objects from the default
USERS container to the EMPLOYEES OU. Let's say that the people in the
Accounting Department need to have QuickBooks. You could create another OU
called ACCOUNTING and move all of the correct user account objects into that
OU and then use GPO to deploy QuickBooks to that OU -OR- you could create a
GPO, link it to the EMPLOYEES OU, remove the 'Authenticated Users' security
group and replace it with the 'Accounting' security group that contains all
of the user account objects that need to have this software installed.

Does this make sense to you?

HTH,

Cary
 
Yep it makes a lot of sense, thanks for taking the time to put all
that together.

I almost got there since I posted, but your response has helped me
finish it up.

The Office products we use here have been bought piecemeal over the
years so we have some users with Office Pro, Office Standard, some
have just Word and Outlook, etc. So I really haven't tried to use GP
to deploy software before now, and I can't just slap a package on a
department OU because it doesn't apply to all the users in there.

The workaround I am dressing out is to create a new OU tree that does
nothing more than hold and organize new security groups based on the
different software packages I want to build. In these I place the
computers and users that will receive the packages. At the top of the
OU tree that holds the actual users and computers, I attached a GPO
that corresponds to the software package to deploy and use the
security tab to assign READ and APPLY GROUP POLICY to the security
group for that policy and removed the Authenticated Users group. It's
looking good on the test bench so far.

Thanks again for the help. You pulled together several KB articles
into one helpful digest.

Butch
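
One way to script the arrangement discussed in this thread (a GPO linked to the OU that holds the accounts, narrowed by security-group filtering), as an added example that is not from either poster; the GPO, OU, domain and group names are placeholders. It departs from the posts in one respect: Authenticated Users keeps Read instead of being removed outright, because since the MS16-072 update user-side policy is read in the computer's context and a GPO the computer cannot read is skipped.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example. Every name below is a placeholder (assumption), not from the thread.
$GpoName     = 'Deploy-OfficePro'                     # hypothetical software GPO
$LinkTarget  = 'OU=Workstations,DC=example,DC=com'    # OU that actually holds the computer accounts
$FilterGroup = 'SW-OfficePro'                         # hypothetical group; the group object may sit in any OU

# 1. Scope by location: the GPO must be linked at (or above) the OU where the
#    computer/user objects reside. Where the group object lives is irrelevant.
$linked = (Get-GPInheritance -Target $LinkTarget).GpoLinks.DisplayName
if ($linked -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $LinkTarget -LinkEnabled Yes | Out-Null
}

# 2. Filter by group: GpoApply grants both Read and Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $FilterGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 3. Take Apply away from Authenticated Users but leave Read in place.
#    -Replace is required to lower an existing, higher permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Audit: which trustees can apply this GPO now?
Get-GPPermission -Name $GpoName -All |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 5. Audit: group members whose account sits outside the linked OU subtree.
#    They pass the security filter, yet the GPO never reaches them, which is
#    the symptom described in the first post.
Get-ADGroupMember -Identity $FilterGroup -Recursive |
    Where-Object { $_.distinguishedName -notlike "*,$LinkTarget" } |
    Select-Object Name, distinguishedName
```

A computer picks up a new group membership only after it restarts; `gpresult /r /scope computer` on the client then shows whether the GPO was applied or filtered out.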
 
Glad to be of assistance.

Sometimes it can be fun cleaning up after months / years of 'piecemeal'
activity.

Cary
 