MSI and Group Policy

[Jeremy Schafer]

Need some clarification on two different GP questions.

I have GPO setup in the DeptA OU to install Office 2000 to a particular
computer (call it compA). If DeptA bought Office 2000 licenses for all
of its employees and I changed group policy from installing Office 2000
on one machine to installing it to a group of machines (which contains
compA), will compA re-install Office 2000? Or better yet, what checking
does GP do when it goes to install software?

What is the difference between changing the security options of the GPO
and changing the security options for the MSI package in "Software
Installation"?

Thank you.

 

[Chriss3]

See my answer in the Group Policy group.

--
Regards,

Christoffer Andersson
No email replies please - reply in the newsgroup
If the information was help full, you can let me know at:
http://www.itsystem.se/employers.asp?ID=1

 

[a-davew [MSFT]]

When you expand a group policy that installs software to include more than
one computer, we check to see if we have already installed the software via
Group Policy. When we install via Group Policy, we hold on to the
information in AD, as part of the object (computer in this case). So, the
amount of checking is minimal, as we basically look for a flag in AD.

The permissions question has to do with what you are removing permissions
from. If you have a single GPO that installes 400 software titles, and you
remove the read permission to the GPO, you won't install any of the 400
pieces of software, or anything else that the GPO does. If you leave read
permission on the GPO, but remove read permission from the MSI package, all
other packages will still get installed. Basically, removing access to the
MSI package is a way of micro-managing a single, all-encompasing software
installation Policy.

David Waldron
MCSE+I, MCP+I, MCDBA, MCSA, MCT
Microsoft Enterprise Support
EPS Directory Services Team
(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jeremy Schafer]

Dave,

When you expand a group policy that installs software to include more than
one computer, we check to see if we have already installed the software via
Group Policy. When we install via Group Policy, we hold on to the
information in AD, as part of the object (computer in this case). So, the
amount of checking is minimal, as we basically look for a flag in AD.

The permissions question has to do with what you are removing permissions
from. If you have a single GPO that installes 400 software titles, and you
remove the read permission to the GPO, you won't install any of the 400
pieces of software, or anything else that the GPO does. If you leave read
permission on the GPO, but remove read permission from the MSI package, all
other packages will still get installed. Basically, removing access to the
MSI package is a way of micro-managing a single, all-encompasing software
installation Policy.

Thanks for the reply. Are there any technical white papers on how GPOs
and the Windows Installer service work together? I am looking for what
is cached on the client and how the server keeps this information as well.