Solved

Filtering Group Policy by Group Membership.

Posted on 2004-04-01
7
393 Views
Last Modified: 2010-04-19

I have a query regarding using Group policy to deploy applications based on group membership.

This is what I have done
----------------------------

1) Created a new policy object and added the application I want to install (Say Publisher)
    Computer settings/Software Settings\Software installation. As assigned.
2) Created a new user group called say "Publisher"
3) Assigned the group policy to a test OU that contains several test computers
4) On the security tab of the policy, removed the apply policy for the authenticated users group.  Added in the "publisher group" and set the permissions to read and apply policy to this group.
5) Added the computers where I want the application installed to the "Publisher Group" and put them in the OU where the policy is set

The application does not get installed to the PC.

Some things that I have tried to resolve.
---------------------------------------------

1) Gpupdate on client and server (Even left overnight)
2) Added a standard setting the policy to disable the index service (This does not get applied either)
3) Added another group policy with no group filtering to test application of policies to the test PC and these get applied to the computer.
4) If you run RSOP in logging mode against test computer the PUBLISHER policy settings have not been applied.
5) However if you run RSOP in planning mode and select the OU where the publisher policy is applied then add the Publisher group the RSOP states that the application will get applied.

 Help!

SuperPlay


0
Comment
Question by:superplay
7 Comments
 
LVL 2

Expert Comment

by:mbr1971
ID: 10731360
There are a number of things to look at:

1) Check the event log of the workstations.  The application log will contain any errors in applying group policy(s)

2) Check permissions to the file share where the computers are recieving the apps from (you did specifiy a UNC in the application Path?)

3) In security settings I usually leave authenticated users with the read and apply group policy permissions, but in the software installation section, for the appliction in question, I set the permission for which computer group is to receive that app.  That allows me to deploy many applications with one GPO.  If  I have other security settings to apply I create a separate GPO with the rights which are appropriate.

4)  To determine what is going on, I would create a new GPO, call it Software Installation Settings, then add a simple app.  I Like to use the msi file which you can get from the ADOBE Acrobat installation.  This app is small, and I know it works without any messing around; you can also deploy the RDP Client to windows 2000 workstations.

4) I may be off the track, but you cannot deploy Office applications without two things:
     a) you must either have MOLP or Select media
     b) you must use a transform file in the modifications section of the software installation software properties.
     If either of these is not present you will get a malformed installation

Hope these help.

Cheers,

Martin.
0
 
LVL 2

Expert Comment

by:Ugrum
ID: 10732626
Did you restart the PCs after adding their accounts to the Publisher group? I believe you have to, this is the same as with user accounts - have to log off and then back on in order to changed group membership take effect.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10735092
Did you explicitly deny read to the authenticated users group or just remove them from the permissions list?
I ask because the explicit deny will override the implicit allow

Try removing authenticated users entirely
Cheers

JamesDS

0
 

Author Comment

by:superplay
ID: 10739946

1) I have looked at the event logs on both the server and workstation and no events are logged.

2) UNC to share and Permissions are correct as you install applciaons to the PC if you add them to a policy that is not controlled by group permissions

3) PC has been rebooted logged on off etc multiple times.

4) Deny is not set on any security option

All settings are being applied to the PC except the ones that I have added to the policy that I am setting the read/apply permissions via the group which has the computer in it.

As mentioned previoly what is strange is if you run RSOP in planing mode it states that a PC that is in the OU and the Group will have the applicions applied.  

0
 
LVL 2

Accepted Solution

by:
mbr1971 earned 125 total points
ID: 10740011
You have verified eveything is correct... the last times I have had that problem was with a windows xp workstations, I  rebuilt them - (I was using RIS for most of them).  No problems after that.  

The most recent was also fixed by a rebuild, but turned out to be a network card driver problem - I'm not sure if fixing the driver problem before the rebuild would have fixed the problem... hmmm

When you reboot the workstation there should at least be an event which states "Security Policy in the Group Policy objects are applied successfully"  The source is SceCli and Event ID 1704

On a windows 2000 workstation you can produce this by typing "secedit /refreshpolicy machine_policy /enforce" at a command prompt, or "gpupdate /Target:computer /Force"  If you get not SceCli messages there is a problem with your workstations.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This may not be a text book method to resolve VSS backup issues but it seemed to have worked on few of the Windows 2003 servers we had issues while performing a Volume Shadow Copy backup. If you have issues while performing a shadow copy backup usin…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.

805 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question