GPOs - Software Settings

By winthrop.polk
I am trying to understand the "software settings" section of GPOs. MS and all other documentation is way too general and not detailed enough.

Correct me if I am wrong, but I have the impression that this section is entirely for automatically installing software on devices in Active Directory. I am confused as to what difference the user/computer versions of this section will have. If I add a new piece of software to the computer section, does this mean it will be installed on next boot up? If I add it to the user section, does it mean that every time someone logs on it will reinstall the software? What happens if I add a piece of software that is already installed on the system?

Are there any other functions of this section?

I am trying to learn about this section on a desktop computer, so I cannot see the Software installation subitem. Does anyone have a screenshot example showing how you implement this stuff?

I need some details and MS only has a one liner about this section.


All Answers

by Breezer85 In reply to GPOs - Software Settings

You more or less answered your own question! If you put a software in the computer section it will install on boot, if in the user then when users log on, however this is only done the once unless explicitly specified to remove upon logoff or shutdown!

Once you choose the SW to install it gives you the option to Assign (Install on startup/logon) or to Publish (Give the user the option to install). Pretty straightforward really and usually works!

Thanks... and......

by winthrop.polk In reply to Well...

Is the "Software installation subitem" really the only subitem?

If I add a piece of software to the section and tell it to install on startup, is the software then removed from the GPO after it is installed?

What do I do if I have 3 users who access 20 different computers and I want to install software for only 1 of these users as he accesses any one of 10 of the 20 computers? I.e. can it be done based on per user per device?

by winthrop.polk In reply to Well...

I am writing a 60 page report mimicking the development of a GPO. I am writing this as an overall policy and design guide. It will be used by contractors and personnel who will need to implement GPOs. A lot of these people have never done anything like this before; chances are a contractor will actually do the GPO development, but the report really needs to lay everything out enough to allow anyone to create the GPOs. So, please comment on the following text, let me know if there is anything else I should add (user section will be identical):

4.2.1. Software Settings
* For both the computer configuration and user configuration, Software Settings contains only Software Installation settings by default. Software Installation settings help you specify how applications are installed and maintained within your organization. Software Installation settings also provide a place for independent software vendors to add settings.
* New software assigned under the user section will be installed upon user logon. Additional options exist, such as asking the user whether or not to install software first. Software installation
* This section should only be populated when multiple GPOs are to be implemented in an Active Directory environment. It is primarily used for rolling out software and updates. Software cannot be rolled out in an ad hoc fashion; it must pass through the approval processes defined by [COMPANY]'s policies and procedures.
* Refer to section 5, Software Installation Policies for specific requirements.
* It is the governing policy of [COMPANY] that "only software required for normal and emergency operations are installed".
* Refer to Microsoft documentation for further details on how to use this section.


A lot of the people have never done anything like this

by CG IT In reply to READ ME!!!!

Your words above should be the first clue that you do not want to do this.

Next is "...the report really needs to lay everything out enough to allow anyone to create the GPOs"...

This should be the second clue that you do not want to do this.

The third clue is resultant set of policy or RSOP, which is a tool used to test group policies and see their results before deployment. Group Policies can be set at 4 different levels: local machine, site, domain and OU. Then in the OU level, you can set Group Policy to nested OUs [parent/child]. Often Group Policies conflict with each other. The highest priority Group Policy gets applied, which might give users more or less than what was anticipated. This can cause lots of user complaints or give users abilities that you did not want.

The fourth clue is, and this should be of real concern, providing rights to install software. If anyone can create a GPO that provides rights to install software on users' computers, think of the security concerns by allowing that to happen.

If there is no control and oversight over what gets installed, especially using Group Policy, then you can't manage and maintain the network and provide support to the users.

While you can delegate administrative functions you shouldn't delegate to people who don't know Group Policy or Active Directory. Just asking for trouble if you do.
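
Added example, not part of the thread or any poster's code: a PowerShell audit for the delegation concern raised in the answer above. It lists every GPO that carries Software Installation settings together with each trustee allowed to edit it. It assumes a domain-joined machine with the GroupPolicy module (RSAT) and read access to all GPOs, and it assumes the XML report marks the extension with the string "SoftwareInstallation".

```powershell
#Requires -Modules GroupPolicy
# Audit: which GPOs deploy software, and who is allowed to change them?
Import-Module GroupPolicy

# Permission levels that let a trustee modify the GPO's contents
$editRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'

$findings = foreach ($gpo in Get-GPO -All) {
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # Check the Computer and User halves separately, since the thread
    # distinguishes install-at-boot from install-at-logon.
    # Assumption: the extension is identifiable by "SoftwareInstallation"
    # in the serialized section of the report.
    $sides = foreach ($side in 'Computer', 'User') {
        if ($report.GPO.$side.OuterXml -match 'SoftwareInstallation') { $side }
    }
    if (-not $sides) { continue }   # GPO deploys no software; skip it

    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $editRights -contains $_.Permission.ToString() } |
        ForEach-Object {
            [pscustomobject]@{
                Gpo         = $gpo.DisplayName
                Section     = $sides -join '+'
                Trustee     = $_.Trustee.Name
                TrusteeType = $_.Trustee.SidType
                Permission  = $_.Permission
            }
        }
}

# Any trustee here outside the approved admin groups can push software
# to every machine or user the GPO applies to.
$findings | Sort-Object Gpo, Trustee | Format-Table -AutoSize
```

Reviewing this output against the list of people approved to deploy software shows whether GPO editing has been delegated more widely than intended.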
