Group Policy Question

J

Jeff

Thank you for the nice people that responded to my
previous question regarding Group Policy. I think I should
have been more clear on my question.

Basically, I want to deliver a MSI package to several
computers (not users) that reside in different OU's. I
know it's easy to move all the computer accounts to one OU
where the GP is but that will not work for me.

How is this done? Can you assign a group policy to a
Security Group? I saw MS Article that explains it on
users, but not Computer accounts. HELP!

Jeff
 
S

Simon Geary

You can assign group policies at the domain, site and OU levels. If the
policy must apply to computers in different OU's then the group policy can
simply be linked to all those OU's. If you have computers within that OU
that you do not want the policy to apply to you would have to edit the
permissions of the objects and remove the 'apply group policy' permission.
 
H

Herb Martin

Basically, I want to deliver a MSI package to several
computers (not users) that reside in different OU's. I
know it's easy to move all the computer accounts to one OU
where the GP is but that will not work for me.
Click to expand...

This actually implies that you OU structure is not properly designed.

There are TWO MAJOR (and some minor) reasons for an OU:

1) Delegate authority
2) Link Group Policy

Now it is possible for these two to be in conflict so that only one
of them is possible to implement as an OU hierarch, careful design usually
gets around that problem.
How is this done? Can you assign a group policy to a
Security Group?
No.

I saw MS Article that explains it on
users, but not Computer accounts. HELP!
Click to expand...

Not exactly -- what you can do is make a Security Group and by manipulating
the permissions on the GPO (Read & Apply Group Policy are required for the
policy to apply to a computer or user) you can FILTER a GPO so that it only
applies to a subset of your Computer or users.

Example: Security Group --> MSIComputers (add computer accounts)
Build GPO and set Permission to remove the "Everyone" Apply and Read.
ADD Apply and Read to reference your Group, e.g., MSIComputers
Link the Group Policy

Also note that for the Computers to download the installation they must have
at least READ on the Share and NTFS files to download. (Everyone Read will
work but you might want to be more specific.)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Group Policy Question HELP! 4
Group Policy Problem 1
Active Directory Policy Inheritence 1
Group Policy question 2
Group Policy Problem 3
Domain Password Policy 1
OU/Container Question Rephrased 2
Applying Password Policy to Group 4

Top