Solved

Filtering Group Policy by Group Membership.

Posted on 2004-04-01
Last Modified: 2010-04-19

I have a query regarding using Group policy to deploy applications based on group membership.

This is what I have done
----------------------------

1) Created a new policy object and added the application I want to install (Say Publisher)
    Computer settings/Software Settings\Software installation. As assigned.
2) Created a new user group called say "Publisher"
3) Assigned the group policy to a test OU that contains several test computers
4) On the security tab of the policy, removed the apply policy for the authenticated users group.  Added in the "publisher group" and set the permissions to read and apply policy to this group.
5) Added the computers where I want the application installed to the "Publisher Group" and put them in the OU where the policy is set

The application does not get installed to the PC.

Some things that I have tried to resolve.
---------------------------------------------

1) Gpupdate on client and server (Even left overnight)
2) Added a standard setting to the policy to disable the index service (This does not get applied either)
3) Added another group policy with no group filtering to test application of policies to the test PC and these get applied to the computer.
4) If you run RSOP in logging mode against test computer the PUBLISHER policy settings have not been applied.
5) However if you run RSOP in planning mode and select the OU where the publisher policy is applied then add the Publisher group the RSOP states that the application will get applied.

 Help!

SuperPlay


Question by:superplay
7 Comments
 
LVL 2

Expert Comment

by:mbr1971
ID: 10731360
There are a number of things to look at:

1) Check the event log of the workstations.  The application log will contain any errors in applying group policy(s)

2) Check permissions to the file share where the computers are receiving the apps from (you did specify a UNC in the application Path?)

3) In security settings I usually leave authenticated users with the read and apply group policy permissions, but in the software installation section, for the application in question, I set the permission for which computer group is to receive that app.  That allows me to deploy many applications with one GPO.  If I have other security settings to apply I create a separate GPO with the rights which are appropriate.

4)  To determine what is going on, I would create a new GPO, call it Software Installation Settings, then add a simple app.  I like to use the msi file which you can get from the ADOBE Acrobat installation.  This app is small, and I know it works without any messing around; you can also deploy the RDP Client to Windows 2000 workstations.

5) I may be off the track, but you cannot deploy Office applications without two things:
     a) you must either have MOLP or Select media
     b) you must use a transform file in the modifications section of the software installation software properties.
     If either of these is not present you will get a malformed installation

Hope these help.

Cheers,

Martin.
0
 
LVL 2

Expert Comment

by:Ugrum
ID: 10732626
Did you restart the PCs after adding their accounts to the Publisher group? I believe you have to, this is the same as with user accounts - have to log off and then back on in order for changed group membership to take effect.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10735092
Did you explicitly deny read to the authenticated users group or just remove them from the permissions list?
I ask because the explicit deny will override the implicit allow

Try removing authenticated users entirely
Cheers

JamesDS

0
 

Author Comment

by:superplay
ID: 10739946

1) I have looked at the event logs on both the server and workstation and no events are logged.

2) UNC to share and Permissions are correct as you install applications to the PC if you add them to a policy that is not controlled by group permissions

3) PC has been rebooted logged on off etc multiple times.

4) Deny is not set on any security option

All settings are being applied to the PC except the ones that I have added to the policy that I am setting the read/apply permissions via the group which has the computer in it.

As mentioned previously what is strange is if you run RSOP in planning mode it states that a PC that is in the OU and the Group will have the applications applied.

0
 
LVL 2

Accepted Solution

by:
mbr1971 earned 500 total points
ID: 10740011
You have verified everything is correct... the last times I have had that problem was with Windows XP workstations, I rebuilt them - (I was using RIS for most of them).  No problems after that.

The most recent was also fixed by a rebuild, but turned out to be a network card driver problem - I'm not sure if fixing the driver problem before the rebuild would have fixed the problem... hmmm

When you reboot the workstation there should at least be an event which states "Security Policy in the Group Policy objects are applied successfully"  The source is SceCli and Event ID 1704

On a Windows 2000 workstation you can produce this by typing "secedit /refreshpolicy machine_policy /enforce" at a command prompt, or "gpupdate /Target:computer /Force".  If you get no SceCli messages there is a problem with your workstations.
0
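
The checks this thread works through (GPO security filtering, the computer's group membership, a restart after the membership change, and the SceCli 1704 event), collected into one read-only script as an added example that is not part of any post. It assumes a management host with the RSAT GroupPolicy and ActiveDirectory PowerShell modules, which postdate the Windows 2000/XP tooling discussed here; the GPO name is a placeholder.

```powershell
# Added example, not from the thread. Read-only checks; needs the RSAT
# GroupPolicy and ActiveDirectory modules on a management host.
param(
    [string]$GpoName      = 'PLACEHOLDER-GPO-NAME',  # assumption: GPO display name
    [string]$GroupName    = 'Publisher',             # filter group from the question
    [string]$ComputerName = $env:COMPUTERNAME        # machine that should get the GPO
)
Import-Module GroupPolicy, ActiveDirectory

# 1) Security filtering: which trustees hold "Apply group policy" on the GPO,
#    and is any entry an explicit deny (which would override an allow)?
$acl      = Get-GPPermission -Name $GpoName -All
$appliers = @($acl | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
              ForEach-Object { $_.Trustee.Name })
$denied   = @($acl | Where-Object { $_.Denied } | ForEach-Object { $_.Trustee.Name })

# 2) Membership: is the computer account in the group, directly or nested?
$computer  = Get-ADComputer -Identity $ComputerName
$memberDns = (Get-ADGroupMember -Identity $GroupName -Recursive).DistinguishedName
$isMember  = $memberDns -contains $computer.DistinguishedName

# 3) Restart after the change (heuristic): whenChanged moves on any edit to the
#    group object, so this only hints that the machine's token predates the add.
$groupChanged = (Get-ADGroup -Identity $GroupName -Properties whenChanged).whenChanged
$os           = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
$lastBoot     = $os.LastBootUpTime

# 4) The event named in the accepted answer: SceCli 1704 in the Application log.
$filter   = @{ LogName = 'Application'; ProviderName = 'SceCli'; Id = 1704 }
$last1704 = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                -MaxEvents 1 -ErrorAction SilentlyContinue

# One summary row; empty LastSceCli1704 means no such event was found.
[pscustomobject]@{
    Gpo                    = $GpoName
    ApplyTrustees          = $appliers -join ', '
    DeniedTrustees         = $denied -join ', '
    GroupHasApply          = $appliers -contains $GroupName
    ComputerInGroup        = $isMember
    RebootedSinceGroupEdit = $lastBoot -gt $groupChanged
    LastSceCli1704         = $last1704.TimeCreated
}
```

A false `GroupHasApply` or `ComputerInGroup` points at the filtering setup, and a false `RebootedSinceGroupEdit` at a machine that has not restarted since the group was edited.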
