Member_2_6518260
asked on
Microsoft GPO question
Hello everyone,
I am trying to find a concrete answer to a question I have about GPO creation and permissions. Here is my scenario:
-I have 2 domain controllers that are both Server 2008 R2
-I created a new GPO to install software on computers that are members of a security group that I have specified in security filtering
-I have applied the GPO to specific organizational units. The software is installing as desired but it is installing on ALL computers in the OU and not just the ones that are members of the security group
-I do not have authenticated users specified in the security filtering, only the security group I am using
-I DO however have authenticated users on the delegation tab with read permission
-I am wondering if security filtering and delegation act in the same way? Is the reason that the GPO is being applied to all computers in the OU because there is read permission granted to authenticated users on the delegation tab?
-I have researched on Google extensively and have not found a good answer/explanation, I am hoping the experts here can shed some light. Thanks.
I am trying to find a concrete answer to a question I have about GPO creation and permissions. Here is my scenario:
-I have 2 domain controllers that are both Server 2008 R2
-I created a new GPO to install software on computers that are members of a security group that I have specified in security filtering
-I have applied the GPO to specific organizational units. The software is installing as desired but it is installing on ALL computers in the OU and not just the ones that are members of the security group
-I do not have authenticated users specified in the security filtering, only the security group I am using
-I DO however have authenticated users on the delegation tab with read permission
-I am wondering if security filtering and delegation act in the same way? Is the reason that the GPO is being applied to all computers in the OU because there is read permission granted to authenticated users on the delegation tab?
-I have researched on Google extensively and have not found a good answer/explanation, I am hoping the experts here can shed some light. Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
@Cliff
GPSI was recommended by the software vendor due to the software needing to be updated without interruption to end users and myself not having to touch over 800 computers. I also use Admin Arsenal's PDQ Deploy software but had trouble getting it to work well with this particular install. The install uses an msi file and also a batch file that configures specific parameters for the software.
GPSI was recommended by the software vendor due to the software needing to be updated without interruption to end users and myself not having to touch over 800 computers. I also use Admin Arsenal's PDQ Deploy software but had trouble getting it to work well with this particular install. The install uses an msi file and also a batch file that configures specific parameters for the software.
Yeah, i00 Pcs is where you invest in deployment software (And GPSI is even worse there because managing updates via GPSI just doesn't handle updates well...zero detection logic.)
I'd strongly recommend focusing your efforts on getting it to work with PDQ Deploy. Ive not used it, but MSIs are the Windows install standard so it shouldn't be a big issue.
I'd strongly recommend focusing your efforts on getting it to work with PDQ Deploy. Ive not used it, but MSIs are the Windows install standard so it shouldn't be a big issue.
I am wondering if security filtering and delegation act in the same way?If you are talking about GPO security filtering and the security tab when you edit a GPO, yes the are the same. In fact I prefer to use security tab because doing it via the security filtering options removes read rights from Authenticated Users
Hi - if I were in your position I would seriously listen to Cliff - that's not just his opinion, that's deep (and I would guess, often painful) experience. GPSI is not up to it. Focus on PDQ deploy. If the install is just a normal MSI the product will handle it. What issues did you get with it, that made it worse than GPSI, since neither have worked correctly?
Mike
Mike
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Accept: Cliff Galiher (https:#a42260562)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
seth2740
Experts-Exchange Cleanup Volunteer
I have recommended this question be closed as follows:
Accept: Cliff Galiher (https:#a42260562)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
seth2740
Experts-Exchange Cleanup Volunteer
Is the reason that the GPO is being applied to all computers in the OU because there is read permission granted to authenticated users on the delegation tab? -No. Authenticated users groups has to have only Read permission Allow, not Apply Group Policy permission Allow..