Solved

Filtering Group Policy by Group Membership.

Posted on 2004-04-01
7
397 Views
Last Modified: 2010-04-19

I have a query regarding using Group policy to deploy applications based on group membership.

This is what I have done
----------------------------

1) Created a new policy object and added the application I want to install (Say Publisher)
    Computer settings/Software Settings\Software installation. As assigned.
2) Created a new user group called say "Publisher"
3) Assigned the group policy to a test OU that contains several test computers
4) On the security tab of the policy, removed the apply policy for the authenticated users group.  Added in the "publisher group" and set the permissions to read and apply policy to this group.
5) Added the computers where I want the application installed to the "Publisher Group" and put them in the OU where the policy is set

The application does not get installed to the PC.

Some things that I have tried to resolve.
---------------------------------------------

1) Gpupdate on client and server (Even left overnight)
2) Added a standard setting the policy to disable the index service (This does not get applied either)
3) Added another group policy with no group filtering to test application of policies to the test PC and these get applied to the computer.
4) If you run RSOP in logging mode against test computer the PUBLISHER policy settings have not been applied.
5) However if you run RSOP in planning mode and select the OU where the publisher policy is applied then add the Publisher group the RSOP states that the application will get applied.

 Help!

SuperPlay


0
Comment
Question by:superplay
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 2

Expert Comment

by:mbr1971
ID: 10731360
There are a number of things to look at:

1) Check the event log of the workstations.  The application log will contain any errors in applying group policy(s)

2) Check permissions to the file share where the computers are recieving the apps from (you did specifiy a UNC in the application Path?)

3) In security settings I usually leave authenticated users with the read and apply group policy permissions, but in the software installation section, for the appliction in question, I set the permission for which computer group is to receive that app.  That allows me to deploy many applications with one GPO.  If  I have other security settings to apply I create a separate GPO with the rights which are appropriate.

4)  To determine what is going on, I would create a new GPO, call it Software Installation Settings, then add a simple app.  I Like to use the msi file which you can get from the ADOBE Acrobat installation.  This app is small, and I know it works without any messing around; you can also deploy the RDP Client to windows 2000 workstations.

4) I may be off the track, but you cannot deploy Office applications without two things:
     a) you must either have MOLP or Select media
     b) you must use a transform file in the modifications section of the software installation software properties.
     If either of these is not present you will get a malformed installation

Hope these help.

Cheers,

Martin.
0
 
LVL 2

Expert Comment

by:Ugrum
ID: 10732626
Did you restart the PCs after adding their accounts to the Publisher group? I believe you have to, this is the same as with user accounts - have to log off and then back on in order to changed group membership take effect.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10735092
Did you explicitly deny read to the authenticated users group or just remove them from the permissions list?
I ask because the explicit deny will override the implicit allow

Try removing authenticated users entirely
Cheers

JamesDS

0
 

Author Comment

by:superplay
ID: 10739946

1) I have looked at the event logs on both the server and workstation and no events are logged.

2) UNC to share and Permissions are correct as you install applciaons to the PC if you add them to a policy that is not controlled by group permissions

3) PC has been rebooted logged on off etc multiple times.

4) Deny is not set on any security option

All settings are being applied to the PC except the ones that I have added to the policy that I am setting the read/apply permissions via the group which has the computer in it.

As mentioned previoly what is strange is if you run RSOP in planing mode it states that a PC that is in the OU and the Group will have the applicions applied.  

0
 
LVL 2

Accepted Solution

by:
mbr1971 earned 125 total points
ID: 10740011
You have verified eveything is correct... the last times I have had that problem was with a windows xp workstations, I  rebuilt them - (I was using RIS for most of them).  No problems after that.  

The most recent was also fixed by a rebuild, but turned out to be a network card driver problem - I'm not sure if fixing the driver problem before the rebuild would have fixed the problem... hmmm

When you reboot the workstation there should at least be an event which states "Security Policy in the Group Policy objects are applied successfully"  The source is SceCli and Event ID 1704

On a windows 2000 workstation you can produce this by typing "secedit /refreshpolicy machine_policy /enforce" at a command prompt, or "gpupdate /Target:computer /Force"  If you get not SceCli messages there is a problem with your workstations.
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question