Group Policies

[Guest]

I am new to using group policies, so I guess some of my questions may seem,
or may actually be dumb, but I don't know what else to do. I have a Win2K
server with about 25 or 30 workstations...all XP Pro and I am trying to set
up Software Installation for Office 2003 Pro. Just as a test, I have set up
a workstation with Office not on it. As far as the Group Policy setup, I
have an OU with a group policy defined in it with the software installation
linked to a folder on my server that contains the PRO11.msi file. This
folder is shared with Everyone having Full Control. In addition, I have a
security group that contains the comuter that I am testing this with. The
group policy (through Properties, Security tab) is linked to this security
group. At present, the workstation, when i run GPRESULT, does not show
having the group policy liinked to it, nor does it show belonging to the
security group. I have run the gpupdate /force command and have restarted
the workstation 3 or 4 times. Can someone please tell me what I am not
doing??

 

[Florian Frommherz]

Howdy Dennis!

I am new to using group policies, so I guess some of my questions may seem,
or may actually be dumb, but I don't know what else to do. I have a Win2K

We all started small. There are no dumb questions

group policy (through Properties, Security tab) is linked to this security
group. At present, the workstation, when i run GPRESULT, does not show
having the group policy liinked to it, nor does it show belonging to the
security group. I have run the gpupdate /force command and have restarted
the workstation 3 or 4 times. Can someone please tell me what I am not
doing??

You are linking the GPO to a security group? This might be your fault.
The name "group policy" is a little confusing as GPs can only be
assigned to computers and users that reside in OUs. For short: you put
your users and computers into OUs and link your GPs to these OUs. GPs do
not apply to (security) groups.

cheers,

Florian

 

[Guest]

I was doing this because I had read an article where someone had done this
because he had a policy that would pertain to computers that were located in
different OUs. The way he solved it was to create a security group with the
computeers in it and 'link' the policy to the group through the Security tab
when you click on the Properties button for the gp. Why would this not work?

 

[Florian Frommherz]

Howdy Dennis!

I was doing this because I had read an article where someone had done this
because he had a policy that would pertain to computers that were located in
different OUs. The way he solved it was to create a security group with the
computeers in it and 'link' the policy to the group through the Security tab
when you click on the Properties button for the gp. Why would this not work?

Ah I see. In this case, you would link the GP to a OU located at a
higher level than the sub-OUs with your computers. You would then go to
the security tab of the GP and remove all other groups but the security
group and grant them "apply ..." rights. That would work.

cheers,

Florian

 

[Guest]

Evidently, it wasn't, because one of the workstations I had in this test OU
would never show as being in the security group, that is, on the workstation
in question, I would go to a command prompt and enter gpupdate /force, then
gpresult. It would never show as being in the security group or in the gp.

 

[Guest]

Since last time you e-mailed me, I decided to try making it simple...I have
in my OU just my computer account. I have in the Computer Configuration, the
Software Installation for Office 2003. In the Security tab, Authenticated
Users is the only group that has 'Apply Group Policy' checked. As far as the
share on the folder containing the PRO11.msi is concerned, I have Everyone
having Full Contol on the Share tab and Administrators and Domain Users in
the Security tab. Should I have Everyone in the Share tab or do I have to
define each computer account individually? I ask this because after I apply
the gp and do a restart, it acts like it wants to install the software, but
in the Event Viewer it says that the file or program was either unvailable or
could not be assessed, which I do not understand.

 

[Richard Oltmann]

Change domain users to authenticated users in the security tab a computer is
a member of the authenticated users group

 

[Guest]

Have you ever received an error with event id 108. The descripton is: The
group policy framework should call the extension in the synchronous
foreground policy refresh.

 

[Florian Frommherz]

Howdy Dennis!

Huh, everything gets a little confusing around here... ;-)

share on the folder containing the PRO11.msi is concerned, I have Everyone
having Full Contol on the Share tab and Administrators and Domain Users in
the Security tab. Should I have Everyone in the Share tab or do I have to
define each computer account individually? I ask this because after I apply

You need the "Authenticated Users" in both the NTFS _and_ the share
permissions, since the computers also belong to "Authenticated Users".
Everyone with "Full control" would do it for _testing purposes_ as well.

Have you ever received an error with event id 108. The descripton is:
group policy framework should call the extension in the synchronous
foreground policy refresh.

I haven't had this error message yet but it indicates, that the software
installations can only be done by foreground GP refreshes (= reboots of
the computer). This is afaik not an error but a message to you, that
your software package will install during the next boot of the machine.

cheers,

Florian