Group policy and deploying apps

Dennis

Hi,

I have the following situation:

I have a Windows Server 2003 system and an XP Pro workstation.
In the Active Directory I have created a structure of several OUs
for software deployment. I have 2 packages (Office XP and Office 2003)
and they need to be deployed to several client PCs.
In the future I would like to deploy multiple applications.

I created a structure in the AD that holds the computer accounts that
should get a specific app.

Software groups
Office XP
Office 2003

I can only put a computer in one OU at a time. For this it won't be a
problem because a computer will only have Office XP or Office 2003 but
not 2 at a time. But suppose I add a new software package called
Adobe Acrobat Reader. A computer that's already in the group Office XP
can't be in the group Adobe Acrobat Reader.

So in order to solve this I created a global group and put the
computer account in there and leave the computer accounts in separate
OUs. Since an OU can't contain multiple computer accounts but
different groups can this would solve it all.
Unfortunately this doesn't work. If I put the group policy on the OU
that holds the computer account there is no problem and the package is
installed. But when I put the group that holds the computer account in
this OU instead of the computer account then the policy won't be
applied. I have verified this with gpresult on the local system.

There is an MS knowledge base article that deals with assigning apps
to specific groups with users in them but not computer accounts.
Is it at all possible what I want to do and if so, how???


Thanks,

Dennis van der Meer
 
Chriss3

Group Policies can't be applied to Groups. However, you can filter the scope
of a GPO; see the links below for more information.

JSI Tip 4231. How do I filter the scope of a Group Policy object?
http://www.jsiinc.com/SUBI/tip4200/rh4231.htm

To filter the scope of Group Policy according to security group membership:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/filter.mspx

Using security groups to filter Group Policy:
http://www.microsoft.com/windows2000/en/server/help/sag_SPconcepts_29.htm
 
Herb Martin

Dennis said:
> I have a Windows Server 2003 system and an XP Pro workstation.
> In the Active Directory I have created a structure of several OUs
> for software deployment. I have 2 packages (Office XP and Office 2003)
> and they need to be deployed to several client PCs.
> In the future I would like to deploy multiple applications.

Create additional GPOs or (better) just add the software package
to the existing GPOs if they are focused on the right set of users.

> I created a structure in the AD that holds the computer accounts that
> should get a specific app.

"structure in AD" doesn't mean much. If you mean a group, you can
use that to GRANT or DENY permissions on the GPO (and also on
the file share/files where the package is located) but you cannot link to
that.

Users or Computers (or really the groups they are in) must have:
READ and Apply_GroupPolicy to "get" the Policy.

Then the user or computer must have at least READ on the Share
where the install files are located, and READ on the files themselves.
Notice that if you don't have "Everyone" or "Authenticated Users"
permission, then Computers are unlikely to be able to install
software "assigned to them" and even users may not be able to do
so.

Link the GPO to the appropriate OU (Groups don't link GPOs and
OUs are not security principals like Groups for receiving permissions.)
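
The steps Chriss3 and Herb Martin describe (link the GPO to the OU that holds the computer accounts, then filter it by security group and check read access to the package files), as an added example that is not part of the original thread. It assumes the GroupPolicy and ActiveDirectory PowerShell modules from later Windows Server/RSAT releases; the GPO, group, OU, computer and share names are hypothetical.

```powershell
# Added example: every name below is a hypothetical placeholder.
Import-Module GroupPolicy, ActiveDirectory

$GpoName  = 'Deploy Office 2003'                  # GPO carrying the assigned package
$Group    = 'SW-Office2003-Computers'             # existing global security group
$LinkOu   = 'OU=Workstations,DC=example,DC=com'   # OU that holds the computer accounts
$Computer = 'WS01'                                # workstation that should get the package
$Package  = '\\fileserver\packages\Office2003'    # share holding the install files

# 1. Link the GPO to the OU containing the computer accounts.
#    A GPO cannot be linked to a group, and a group placed in the OU is ignored.
$linked = (Get-GPInheritance -Target $LinkOu).GpoLinks.DisplayName
if ($linked -notcontains $GpoName) {
    New-GPLink -Name $GpoName -Target $LinkOu | Out-Null
}

# 2. Put the computer account (not the OU) into the security group.
$pc = Get-ADComputer -Identity $Computer
$members = (Get-ADGroupMember -Identity $Group).DistinguishedName
if ($members -notcontains $pc.DistinguishedName) {
    Add-ADGroupMember -Identity $Group -Members $pc
}

# 3. Security filtering: the group gets Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

#    Authenticated Users keeps Read but loses Apply; without -Replace the
#    existing higher permission level would be left unchanged.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Report which trustees can still apply the GPO.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 5. List the NTFS entries on the package folder so you can confirm that the
#    computer accounts (directly or via a group) have at least Read.
(Get-Acl -Path $Package).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

# The computer picks up a changed group membership after a restart;
# confirm the result on the client with gpresult.
```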
 
Dennis

Thanks for your response.
After a little searching I found out that it is indeed not possible to
do it the way I described it.
Right now I have it working the way I want it. When a certain user
doesn't need Office XP anymore I can just remove the user from
the specific security group that I created and it will be removed the
next time the computer reboots.

I have always worked at smaller companies where there was no
need for software deployment features like AD + Intellimirror but
now that I have been playing with it for a few days I must say that
it is a nice way to deploy software.

The only thing that I am searching for is a better reporting tool so
that I can check if a specific application was indeed deployed
correctly.
 
Herb Martin

> The only thing that I am searching for is a better reporting tool so
> that I can check if a specific application was indeed deployed
> correctly.

That's SMS or some other third party tool. Does deployment (even
for older systems) but also does INVENTORY of hardware and
software. It does have a client license cost though.
 
