software deployment issue

By taz1nl ·
Hi,

I'm trying to deploy software to some users, and since they are spread across different OU's I created a group and added the computer accounts in it that I wanted to deploy the software to. But for some reason the group policy doesn't apply to the group I made with the computer accounts in it. Hence the software doesn't get installed on the PCs I want it to. It will only apply the GP if I actually physically move the computer accounts to the OU for which the policy is applied.

When I added the group to the security filtering I only checked the groups option in 'object types', as I only wanted to add the group in question.

Any ideas?

Thanks,
Taz

by BFilmFan In reply to software deployment issue

Group Policy Objects only apply to local systems, sites, domains and OU's. You cannot apply it directly to a security group. You can filter a security group from applying the GPO, however.

Your GPO is functioning exactly as it should, which is a good thing since you said it did apply to objects in that OU.

If you want to apply that GPO to other computers in other OU's, then you should reverse your thinking. Apply the GPO, but remove the ability to read and apply the GPO to the groups which you do not want it applied to.

by CG IT In reply to software deployment issue

As Bfilm says, the GPO is being applied correctly to the OU, you just didn't add the computers you wanted to have the software available to the OU in which the GPO applies. Just add in the computers you want to that OU and the program will be available.

by CG IT In reply to

If you're thinking of how the global groups work in grouping users for access to network resources (add them to a global group, put a resource in a domain local group, add the global group to the domain local group, then assign resource permissions to the domain local group), Software Deployment via AD doesn't work that way.

Software deployment is a part of Group Policy which is user and computer configuration, not access to shared resources.

by taz1nl In reply to software deployment issue

I'm not sure if my issue was correctly understood. What I'm trying to do is deploy software to computers spread across OU's in AD, as opposed to just one single OU which would be easy as the GP would apply to the computers in that OU. But since I have to drag computer accounts in a particular OU for deployment, this would mean that the computer account would no longer receive any GP's that were linked to it. For example, I have a SUS GPO that is linked to my Computers OU and if I remove the computer account from the Computers OU to another OU for software deployment purposes then that PC will no longer receive critical MS updates. See what I mean?

Furthermore, I recently read the following comment in a Windows Server 2003 book:

"Since computer accounts tend to be organized by where they are located or who uses them for what, you may find winxp workstations all over the place in AD Users and Computers. So what can you do, except pick and choose machines individually? The answer is to put them into groups. Computers have accounts, accounts can be added to groups, and groups aren't affected by the boundaries of something as simple as an OU. I know, I know, GP's aren't applied to groups, they are applied to containers like OU's. Apply the policy to the domain, then go to the security tab and uncheck the Apply Group Policy check box for all groups but the computer group for your choice."

So the above text suggests you CAN do what I was trying to do, but for some reason it's not working for me. Or maybe I'm interpreting this all wrong? I'm not entirely sure what the last sentence means, as I've added the pc accounts to a group and in gpmc security filtering only that group is included and on the security tab that group has read and apply GP rights. Could someone please clarify this for me in plain English.

Thanks in advance,
Taz
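
Added example, not part of the original thread: a PowerShell check of the three conditions the book excerpt quoted above depends on (the GPO is linked where the computer can inherit it, the computer group holds Apply Group Policy, and the computer account is a member of that group). The GPO, group and computer names are hypothetical placeholders, and the GroupPolicy and ActiveDirectory RSAT modules are assumed to be installed.

```powershell
# Added example; all three names passed at the bottom are hypothetical placeholders.
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoGroupFiltering {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $ComputerName
    )

    $computer = Get-ADComputer -Identity $ComputerName
    $domainDn = (Get-ADDomain).DistinguishedName

    # Container holding the computer account. Get-GPInheritance accepts a
    # domain or an OU, so fall back to the domain for CN= containers.
    $parentDn = $computer.DistinguishedName -replace '^CN=[^,]+,', ''
    if ($parentDn -notmatch '^OU=') { $parentDn = $domainDn }

    # 1. Is the GPO linked at, or inherited by, that container (and enabled)?
    $inheritance = Get-GPInheritance -Target $parentDn
    $link = (@($inheritance.GpoLinks) + @($inheritance.InheritedGpoLinks)) |
        Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }

    # 2. Does the group hold Apply Group Policy (GpoApply includes Read)?
    $perm = Get-GPPermission -Name $GpoName -TargetName $GroupName `
        -TargetType Group -ErrorAction SilentlyContinue

    # 3. Is the computer account a direct or nested member of the group?
    $member = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.DistinguishedName -eq $computer.DistinguishedName }

    [pscustomobject]@{
        Computer        = $computer.Name
        CheckedScope    = $parentDn
        GpoInScope      = [bool]$link
        GroupCanApply   = ($null -ne $perm -and $perm.Permission -eq 'GpoApply')
        ComputerInGroup = [bool]$member
    }
}

Test-GpoGroupFiltering -GpoName 'Deploy-ExampleApp' `
    -GroupName 'SW-Deploy-Computers' -ComputerName 'WS-EXAMPLE-01'
```

A computer account picks up a new group membership only after it restarts, and computer-assigned software installs at startup, so reboot the workstation before reading a missing install as a filtering failure.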

by CG IT In reply to software deployment issue

Ah, ok. Group Policy is applied in an order: local, site, domain, and OU, as Bfilm pointed out. Further, there are two methods of applying GP: Computers and Users. There are also 2 methods of software deployment, with options available to you: Published and Assigned. If you have a software program you want to make available to ALL users within your domain but you don't want to have to install the damn thing, you can make it available in add/remove programs. To accomplish this, you assign or publish the program to a "user". To make the GPO applicable across the domain the GPO is linked at the domain level. To make it available to select users, you can assign the program to the user or assign it to the computer they use.

Note: Normally, OU structure is planned either in a functional method, geographical method or a mixed functional/geographic method. OUs are planned to group users and computers into a functional department structure which mimics the department's physical layout. That way you apply the GPO for software deployment to the uppermost OU in the functional department structure so that all within the department receive the program in ADD/Remove programs in the control panel if needed and you reduce the administrative burden of complex GPO structure.

by CG IT In reply to

Another note is, when you apply GPO to an OU, all within that OU get the GPO unless you block policy inheritance. If you don't want users at the lower levels of the OU to get the GPO, block policy inheritance to child OUs of the parent OU.

by CG IT In reply to

Here's an example. The accounting department has 20 computers. So you create an OU named Accounting Department computers and you put all 20 within that OU. You want to deploy a new accounting software package to the accounting department that all users will get. You create a GPO that assigns the package to the 20 computers and apply that GPO to the accounting department computer OU.

If there is a new accounting program that only the manager in the accounting department gets, you create a GPO for that program and you can either assign it to his computer only, or assign it to his user account. This method tends to complicate GP administration and tracking a whole lot. In cases where an individual only gets the program, sometimes it's far less complicated to just go down there and install it on his computer and install where the program is only for his account. Therefore anyone else logging in on that computer under another account can't access it.
