norcalty asked:

GPO Security filtering - how to add multiple machines at once

I am setting up software installation through Active Directory.  I have it working and have tested the deployment of this package through a few test machines.  Now I want to deploy it to about 30 other computers.  Sometimes I might need to deploy it to 150 computers.

I have my computers in two OUs.  One called local pc and the other called remote pc.  I have the GPO linked to both OUs.  

I am using security filtering to have this installed only on those machines that need this piece of software.  

I am filtering by computer name because I was afraid that if I filtered by user, then when UserX logged into their machine it would install it, and if the next day they logged into another computer (say our conference room machines) it would install it there as well.  Is this correct?

I only want it installed on the user's home machine.  Anyway, when I try to add a machine to security filtering it by default only searches for users and groups so I have to go in each time and add the check box to 'computers' and then it only lets me add a single computer at a time... thus I have to click add again and then go into object types and click computers and then search again.  This could get a little work heavy when adding 30 - 150 computers!  Especially given we want to push all of our software out like this now.

Anything I'm missing to make this easier?  If I filter by person will it install everywhere they login or just the first time?

norcalty:

Another question... What if I put the computers in a group and then added the group to security filtering.  When I add another machine will it still deploy to the newly added machine in that group?  Has anyone done software installation via GPO to a group of computers?

bluntTony:

This solution is only available to members.

Ha! looks like you beat me to it!

Yes you can do this, as described in my above post.
Silly question... My question is that if I add Computer1 and Computer2 to a security group for installation and then it gets installed... and then I add Computer3 later will it automatically install on Computer3 or do I have to use the 'redeploy' function?  How does the system know Computer1 has it already and yet Computer3 does not because it was just added?  
The software installation is assessed client side during startup. The machine will figure that it is within the scope of a software installation policy, if the software hasn't already been installed then it installs it. If it has, it doesn't do anything.

This assessment is carried out on every startup. In addition, if you select 'Uninstall this application when it falls out of the scope of management', the PC will uninstall the software again as soon as it detects that it is no longer subject to the policy.

Just ensure that the GPO is linked to the OU holding the computers. The actual location of the group is irrelevant.

This may be a dumb question but... Does this mean if I eventually create say 100 software installation GPOs that it will take forever for these machines to boot?
That's not a dumb question, it will affect it, yes.

Obviously if you assign loads of apps to a machine, the first time it boots it's going to install them all, which will take a while, but this is only once.

But in addition to that, each and every GPO the user/computer is within the scope of will increase the login/startup times respectively. Just the act of reading the policy to see if it applies will increase the time, in addition to actually processing the policies that do apply.

Two ways you can speed this process up:

1. When you're only using Computer Configuration in a GPO, disable the User Configuration half of it, and vice versa. Do this by editing the GPO, right-click the top-most node and choose Properties. The option to disable each section is on the 'General' tab.
2. Consolidate your OUs down to as few as necessary. 10 GPOs each applying one policy will take longer than 1 GPO applying all 10.

Also try to use security filtering only when your OU structure cannot cater for how you want to target your GPOs.


Strange... so I had the GPO working great but I was testing it with the security filter using computers, not a group.  I added an OU called Software Installations and applied the installation GPO to that OU.  I created a group called softwarex installation and added all the computers I wanted to have this piece of software.  I put the group in the Software Installations OU.  Now it doesn't work.  Did I miss something?

When I run gpresult it doesn't show up.  It doesn't install, nothing.

So then I add my test machine to the security filtering directly with the group account and it works fine.  I must be doing something wrong when it comes to using groups in their own OU to do the install.

The GPO is applied to the two OUs that contain the computers and the OU with the group in it...
Regardless of whether you are using security filtering or not, you need to link the GPO to the OU containing the computer objects. You can't create a group, place this in an OU and apply the GPO to that, expecting the members of this group to get the policy. It doesn't work like that unfortunately.

A computer account will assess all the GPOs that are applying to it, i.e. those linked to its parent OU and above.

Then, if any of these GPOs are using security filtering, it also assesses if it has the right group membership. If it does, the policy will apply. If not, it doesn't.

So - just link the GPO to the OU containing your computers and apply the security filtering, don't worry about linking it to the OU containing the group as this is irrelevant.

Run 'gpupdate /force' on a client and then reboot it. See if the policy then applies.
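
The approach from the answers above (computers in a security group, the group in the GPO's security filtering, the GPO linked to the computers' OUs), as an added PowerShell example that is not part of the original thread. The GPO name, domain DN, group OU and computer names are assumed placeholders; the cmdlets come from the ActiveDirectory and GroupPolicy RSAT modules.

```powershell
# Added example: GPO name, domain DN, group OU and computer names are assumed placeholders.
Import-Module ActiveDirectory, GroupPolicy

$GpoName     = 'SoftwareX Install'              # assumed GPO display name
$GroupName   = 'softwarex installation'         # group name from the thread
$GroupPath   = 'OU=Groups,DC=example,DC=com'    # assumed; the group's location does not affect scope
$ComputerOUs = 'OU=local pc,DC=example,DC=com', 'OU=remote pc,DC=example,DC=com'
$Computers   = 'PC-0101', 'PC-0102', 'PC-0103'  # constructed names; a text file via Get-Content also works

# 1. Create the security group if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath
}

# 2. Resolve every name, warn about typos, and add only computers that are not members yet.
$existing = @(Get-ADGroupMember -Identity $GroupName | ForEach-Object DistinguishedName)
$toAdd = foreach ($name in $Computers) {
    $c = Get-ADComputer -Filter "Name -eq '$name'"
    if (-not $c) { Write-Warning "No computer object named '$name'"; continue }
    if ($c.DistinguishedName -notin $existing) { $c }
}
if ($toAdd) { Add-ADGroupMember -Identity $GroupName -Members $toAdd }

# 3. Security filtering is the GPO's ACL. Give the group Read + Apply, and reduce
#    Authenticated Users to Read so the GPO stops applying to every computer in the OUs.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. The GPO only reaches computers whose OU (or a parent) it is linked to; check each OU.
foreach ($ou in $ComputerOUs) {
    $links = (Get-GPInheritance -Target $ou).InheritedGpoLinks | ForEach-Object DisplayName
    if ($links -notcontains $GpoName) { Write-Warning "'$GpoName' is not linked at or above $ou" }
}
```

A computer picks up a new group membership at its next restart, after which `gpresult /r /scope computer` on that client should list the GPO among the applied objects.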