We help IT Professionals succeed at work.

Software installation through GPO

Hi all, I'm configuring my domain policy to automatically deploy software to network clients.

Everything's working fine but I have a question:

I must deploy a lot of programs (30-35) but not globally to all the clients so I'm looking for a method to select which program has to be installed on which clients.
I thought that item level targeting should be the solution (create a security group for each program), but there's no ILT in software installation...

There's no other way than creating multiple GPO for each programs?

Thank you all in advance
Comment
Watch Question

Joseph MoodyBlogger and wearer of all hats.
BRONZE EXPERT

Commented:
First, don't use your domain policy to deploy software. Create specific software policies. We use a prefix to make sorting GPOs easier (ex: APP_Adobe Reader).

You can then create security groups and scrope it down. We have an OU named applications with security groups such as APP_Adobe Reader. We match the security group to the OU name.

Author

Commented:
I'm not using the domain policy, I created a specific GPO.
But my question is different: I'm asking if the only way to select which app has to be deployed to which pc is to create a single gpo for each software.

I have 30 packages: I need to create 30 GPO???
Blogger and wearer of all hats.
BRONZE EXPERT
Commented:
Yep. Group Policy was never suppose to be the primary way to deploy software. That was why Microsoft created SMS (now SCCM).

Author

Commented:
Really bad news....

No one knows a workaround?
Joseph MoodyBlogger and wearer of all hats.
BRONZE EXPERT

Commented:
What is bad about having 30 extra GPOs?

Author

Commented:
I love cleans environment...
:-D
Joseph MoodyBlogger and wearer of all hats.
BRONZE EXPERT
Commented:
I had to realign my vision of a clean environment when we topped 600 GPOs...

But I understand.

If you really wanted to do this you could try this:

1. Put MSIs into separate folders on deployment share. Ex: \\SERVERNAME\SHARE\Adobe Reader\
2. Add all MSIs to GPO
3. Create security groups for each MSI.
4. On each software folder in share (ex: Adobe Reader), set permissions so that only computers in the adobe reader security group can read/execute the share).
5. Do so for each GPO

Bad news is that every MSI that the computer can't get to will generate failed event logs. Also, startup time will slow by about 1/5 of a second per MSI. The computer will try to access the MSI, fail, aand move to the next MSI.

You will be much happier in the long term doing individual GPOs though.

Author

Commented:
Good idea, but I agree with you that in long term this workaround could result in a more confusionary situation than having 30 GPO.

Thank you very much.
Joseph MoodyBlogger and wearer of all hats.
BRONZE EXPERT

Commented:
Not a problem at all! Let me know if you have any more questions.