Solved

Filtering Group Policy by Group Membership.

Posted on 2004-04-01
7
390 Views
Last Modified: 2010-04-19

I have a query regarding using Group policy to deploy applications based on group membership.

This is what I have done
----------------------------

1) Created a new policy object and added the application I want to install (Say Publisher)
    Computer settings/Software Settings\Software installation. As assigned.
2) Created a new user group called say "Publisher"
3) Assigned the group policy to a test OU that contains several test computers
4) On the security tab of the policy, removed the apply policy for the authenticated users group.  Added in the "publisher group" and set the permissions to read and apply policy to this group.
5) Added the computers where I want the application installed to the "Publisher Group" and put them in the OU where the policy is set

The application does not get installed to the PC.

Some things that I have tried to resolve.
---------------------------------------------

1) Gpupdate on client and server (Even left overnight)
2) Added a standard setting the policy to disable the index service (This does not get applied either)
3) Added another group policy with no group filtering to test application of policies to the test PC and these get applied to the computer.
4) If you run RSOP in logging mode against test computer the PUBLISHER policy settings have not been applied.
5) However if you run RSOP in planning mode and select the OU where the publisher policy is applied then add the Publisher group the RSOP states that the application will get applied.

 Help!

SuperPlay


0
Comment
Question by:superplay
7 Comments
 
LVL 2

Expert Comment

by:mbr1971
ID: 10731360
There are a number of things to look at:

1) Check the event log of the workstations.  The application log will contain any errors in applying group policy(s)

2) Check permissions to the file share where the computers are recieving the apps from (you did specifiy a UNC in the application Path?)

3) In security settings I usually leave authenticated users with the read and apply group policy permissions, but in the software installation section, for the appliction in question, I set the permission for which computer group is to receive that app.  That allows me to deploy many applications with one GPO.  If  I have other security settings to apply I create a separate GPO with the rights which are appropriate.

4)  To determine what is going on, I would create a new GPO, call it Software Installation Settings, then add a simple app.  I Like to use the msi file which you can get from the ADOBE Acrobat installation.  This app is small, and I know it works without any messing around; you can also deploy the RDP Client to windows 2000 workstations.

4) I may be off the track, but you cannot deploy Office applications without two things:
     a) you must either have MOLP or Select media
     b) you must use a transform file in the modifications section of the software installation software properties.
     If either of these is not present you will get a malformed installation

Hope these help.

Cheers,

Martin.
0
 
LVL 2

Expert Comment

by:Ugrum
ID: 10732626
Did you restart the PCs after adding their accounts to the Publisher group? I believe you have to, this is the same as with user accounts - have to log off and then back on in order to changed group membership take effect.
0
 
LVL 16

Expert Comment

by:JamesDS
ID: 10735092
Did you explicitly deny read to the authenticated users group or just remove them from the permissions list?
I ask because the explicit deny will override the implicit allow

Try removing authenticated users entirely
Cheers

JamesDS

0
 

Author Comment

by:superplay
ID: 10739946

1) I have looked at the event logs on both the server and workstation and no events are logged.

2) UNC to share and Permissions are correct as you install applciaons to the PC if you add them to a policy that is not controlled by group permissions

3) PC has been rebooted logged on off etc multiple times.

4) Deny is not set on any security option

All settings are being applied to the PC except the ones that I have added to the policy that I am setting the read/apply permissions via the group which has the computer in it.

As mentioned previoly what is strange is if you run RSOP in planing mode it states that a PC that is in the OU and the Group will have the applicions applied.  

0
 
LVL 2

Accepted Solution

by:
mbr1971 earned 125 total points
ID: 10740011
You have verified eveything is correct... the last times I have had that problem was with a windows xp workstations, I  rebuilt them - (I was using RIS for most of them).  No problems after that.  

The most recent was also fixed by a rebuild, but turned out to be a network card driver problem - I'm not sure if fixing the driver problem before the rebuild would have fixed the problem... hmmm

When you reboot the workstation there should at least be an event which states "Security Policy in the Group Policy objects are applied successfully"  The source is SceCli and Event ID 1704

On a windows 2000 workstation you can produce this by typing "secedit /refreshpolicy machine_policy /enforce" at a command prompt, or "gpupdate /Target:computer /Force"  If you get not SceCli messages there is a problem with your workstations.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
Learn about cloud computing and its benefits for small business owners.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now