GPO to push out 2 different version of office.

S

scott

Right now I have windows 2003 server with windows xp Clients.
I have one OU called "managed computers" And I'm pushing out
Word xp, Excel XP, Outlook 2003, Acrobat reader, and citrix client.
The GPO is assoiceated to the OU "managed coputers" and there is no
filtering.
All computers in that out Gets all the apps.
--
Now I need to push out All of office 2003 to a subset of the computers
in the "managed copmuters" OU.
I understand GPO priority but How does that work if one GPO says
install office xp and another says install office 2003?
I think I'm going to try this.
Under the one GPO I have add Software install for office 2003 and
under that software object limit it to a new security group "office
2003" and add coputers I want office 2003 in that group.
But I have a few questions, In that same GPO I have an install of
office xp (word and excel) that there is no security on (all
authenticated users/copmuters). Will this cause a problem? Do I need
to make another goup called office xp and add all the other computers
to that group?

thanks

Scott
 
H

Herb Martin

scott said:
Right now I have windows 2003 server with windows xp Clients.
I have one OU called "managed computers" And I'm pushing out
Word xp, Excel XP, Outlook 2003, Acrobat reader, and citrix client.
The GPO is assoiceated to the OU "managed coputers" and there is no
filtering.
All computers in that out Gets all the apps.
--
Now I need to push out All of office 2003 to a subset of the computers
in the "managed copmuters" OU.
I understand GPO priority but How does that work if one GPO says
install office xp and another says install office 2003?
Click to expand...

Not as well as you might wish -- it could actually end up first
doing one and then upgrading it to the other.
I think I'm going to try this.
Under the one GPO I have add Software install for office 2003 and
under that software object limit it to a new security group "office
2003" and add coputers I want office 2003 in that group.
Click to expand...

This may be one of those uncommon reasons for preferring filtering.

You could also split the OU to two child OUs and differentiate that
way.

But I have a few questions, In that same GPO I have an install of
office xp (word and excel) that there is no security on (all
authenticated users/copmuters). Will this cause a problem? Do I need
to make another goup called office xp and add all the other computers
to that group?
Click to expand...

If I understand you proposition correctly, then yes, you need to two
groups and to filter on each of them for the correct GPO.

Is there some natural distinction between these machines? Say,
WinXP versus Win2000?

Were that the case, and you were using Win2003 DCs you could
filter using WMI for the OS -- and it would automatically update
the machines if they were ever updated to XP. The group method
requires that you remember to move them from one group to the
other (OU method also.)
 
S

scott

Ok So I have one GPO with 2 software deployments office 2003 and
officexp.
Under each deployment there is security Tab, What rights do I have to
take away from authenticated uses so it does not deploy?
Or is it better to make more than one GPO?

scott
 
H

Herb Martin

scott said:
Ok So I have one GPO with 2 software deployments office 2003 and
officexp.
Under each deployment there is security Tab, What rights do I have to
take away from authenticated uses so it does not deploy?
Or is it better to make more than one GPO?
Click to expand...

Normally one removes (or never gives) the right to "Apply Policy"
but both that and READ are required for the policy to apply.

If you are using DENY then you probably should just use
DENY_APPLY_POLICY so that it won't accidently affect
the ability of someone like an Admin (in the group) to READ
the policy.
 
S

scott

if you look under the security under the software deployment there is
not a "apply policy" right.
I'm trying to do this all with one GPO, if it is possible.

scott
 
H

Herb Martin

if you look under the security under the software deployment there is
not a "apply policy" right.
I'm trying to do this all with one GPO, if it is possible.
Click to expand...

Sorry, I didn't realize you had misunderstood the security
of Group Policies: You must filter the ENTIRE policy,
not just the Software Package.

Usually one creates a separate policy for this purpose;
one that does only the Software packages (or other settings
specific to that class/group of machines.)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

how to upgrade office 2000 to Office 2003 using GPO 3
GPO not applying to user when only TS server is in Locked down OU. 3
GPO for individual users? 8
Don't want to apply a GPO to certain group members 2
GPO question: how to properly assign to computer objects 3
GPO IE Zone Mapping issue on TS 2
gpo filtering 1
GPO Software installation fails 2

Top