Link to home
Start Free TrialLog in
Avatar of superplay
superplay

asked on

Filtering Group Policy by Group Membership.


I have a query regarding using Group policy to deploy applications based on group membership.

This is what I have done
----------------------------

1) Created a new policy object and added the application I want to install (Say Publisher)
    Computer settings/Software Settings\Software installation. As assigned.
2) Created a new user group called say "Publisher"
3) Assigned the group policy to a test OU that contains several test computers
4) On the security tab of the policy, removed the apply policy for the authenticated users group.  Added in the "publisher group" and set the permissions to read and apply policy to this group.
5) Added the computers where I want the application installed to the "Publisher Group" and put them in the OU where the policy is set

The application does not get installed to the PC.

Some things that I have tried to resolve.
---------------------------------------------

1) Gpupdate on client and server (Even left overnight)
2) Added a standard setting the policy to disable the index service (This does not get applied either)
3) Added another group policy with no group filtering to test application of policies to the test PC and these get applied to the computer.
4) If you run RSOP in logging mode against test computer the PUBLISHER policy settings have not been applied.
5) However if you run RSOP in planning mode and select the OU where the publisher policy is applied then add the Publisher group the RSOP states that the application will get applied.

 Help!

SuperPlay


Avatar of mbr1971
mbr1971
There are a number of things to look at:

1) Check the event log of the workstations.  The application log will contain any errors in applying group policy(s)

2) Check permissions to the file share where the computers are recieving the apps from (you did specifiy a UNC in the application Path?)

3) In security settings I usually leave authenticated users with the read and apply group policy permissions, but in the software installation section, for the appliction in question, I set the permission for which computer group is to receive that app.  That allows me to deploy many applications with one GPO.  If  I have other security settings to apply I create a separate GPO with the rights which are appropriate.

4)  To determine what is going on, I would create a new GPO, call it Software Installation Settings, then add a simple app.  I Like to use the msi file which you can get from the ADOBE Acrobat installation.  This app is small, and I know it works without any messing around; you can also deploy the RDP Client to windows 2000 workstations.

4) I may be off the track, but you cannot deploy Office applications without two things:
     a) you must either have MOLP or Select media
     b) you must use a transform file in the modifications section of the software installation software properties.
     If either of these is not present you will get a malformed installation

Hope these help.

Cheers,

Martin.
Avatar of Ugrum
Ugrum
Did you restart the PCs after adding their accounts to the Publisher group? I believe you have to, this is the same as with user accounts - have to log off and then back on in order to changed group membership take effect.
Avatar of JamesDS
JamesDS
Did you explicitly deny read to the authenticated users group or just remove them from the permissions list?
I ask because the explicit deny will override the implicit allow

Try removing authenticated users entirely
Cheers

JamesDS

Avatar of superplay
superplay

ASKER


1) I have looked at the event logs on both the server and workstation and no events are logged.

2) UNC to share and Permissions are correct as you install applciaons to the PC if you add them to a policy that is not controlled by group permissions

3) PC has been rebooted logged on off etc multiple times.

4) Deny is not set on any security option

All settings are being applied to the PC except the ones that I have added to the policy that I am setting the read/apply permissions via the group which has the computer in it.

As mentioned previoly what is strange is if you run RSOP in planing mode it states that a PC that is in the OU and the Group will have the applicions applied.  

ASKER CERTIFIED SOLUTION
Avatar of mbr1971
mbr1971
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial