How To Apply GPO to an Security Groups in Active Directory


  • How To Apply GPO to an Security Groups in Active Directory

    Hi, all!!!
    I have a problem with a software installation GPO. My test lab (VMware) environment configuration:
    1 DC running Windows 2003 Standard Edition and 1 Windows XP client joined to the domain. What I did:
    I created a Test OU and put two user accounts, Test1 and Test2, into it. Then I configured a software installation GPO (assigning winrar3.30.msi to users) under User Configuration and linked it to the Test OU. After the client computer restarted and the Test1 user logged in, the software was successfully installed.
    Next, I created an additional OU called Software Deployment, and inside it I created a domain local group, Users1. All user accounts in my test lab reside in the Test01 OU, so I added users Test 3 and Test 4 as members of Users1. The Software Deployment OU has only the domain local group Users1 inside; no other user accounts are present. Then I configured an additional software installation GPO (assigning winrar3.30.msi) and linked it to the Software Deployment OU. I used the Group Policy Management Console, and under Security Filtering I removed Authenticated Users and added Users1 instead, and checked that the Users1 group has the READ and Apply Group Policy check boxes selected in the Allow column in the security properties of the GPO.
    Like the first time, I restarted the client computer, logged in as Test 3 and... nothing happened. The software won't install. I tried publishing the software instead of assigning it; I checked that users Test 3 and Test 4 have access to the share point where winrar3.30.msi exists, and they can run this application from the share point; I checked for a time synchronization issue. No results. WinRAR won't be installed for the Users1 domain local group.
    I checked everything according to MS KB 324750: How to assign software to a specific group by using Group Policy in Windows Server 2003. It should work!!!
    Then I logged into the client machine as Test 3, ran the gpresult /Z command, and noticed that the software installation GPO that I created was not applied to the Test 3 user account. What can be the cause of this? In GPMC the GPO is enabled and linked to Software Deployment ... What else can I check to resolve this problem?
    I need some help, please.
    Thanks in advance.
    Last edited by igor7; 22nd July 2007, 02:21.

  • #2
    Re: How To Apply GPO to an Security Groups in Active Directory

    The policy doesn't show at all? Or it does show under "Not applied"?

    Sorin Solomon


    In order to succeed, your desire for success should be greater than your fear of failure.


    • #3
      Re: How To Apply GPO to an Security Groups in Active Directory

      Hi!!
      Thank you for the reply!
      I reinstalled my whole test environment, to be sure that I am working on cleanly installed machines. I recreated everything according to the scenario that I explained earlier and it still does not work!!
      This time I didn't even install GPMC, because I wanted to perform each task according to MS KB 324750: How to assign software to a specific group by using Group Policy in Windows Server 2003. After all that, I executed RSoP in Planning and Logging modes and the result was the same: the list is empty:



      I checked one more time: the GPO is linked to the appropriate OU and the security settings are configured properly as well...:





      Then I ran gpresult /Z on the target computer and found that not only is the GPO not on the list, but also user Test 3 is not a member of the User1 domain local group:



      But on the server, under the user properties, everything is OK:



      So, I am confused... What did I do wrong?? Or maybe it does not work because of the virtual environment... But one more time: when I applied the same policy to users rather than to a security group, it worked great.



      • #4
        Re: How To Apply GPO to an Security Groups in Active Directory

        Look man, I didn't read much of your thread, just take it from me.

        Look, if you have a group in an OU that contains user objects located in another OU, and you apply the GPO to the OU that contains the group, the policy will not apply, because it requires the user objects that are included in that group to be in the same OU as the group. Try that and it will work!!

        In other words, the policy can't be applied to a group if it's alone in the OU!! It applies to users, computers, or groups, but the members of that group must be in the same OU as the group! And these words are my own responsibility.

        Cheers

        Dr.Kernel



        • #5
          Re: How To Apply GPO to an Security Groups in Active Directory

          Hi, Dr. Kernel!!
          Thank you for the reply. Are you from the Sadikov forum? Several days ago I thought exactly the same as you. I was pretty sure that a GPO can apply to a user only if the user account is present in that OU. But a few days ago somebody from the Sadikov forum asked exactly the same question. I searched the internet and found MS KB article 324750: How to assign software to a specific group by using Group Policy in Windows Server 2003. Read here:
          Code:
          http://support.microsoft.com/kb/324750
          So, in the Summary section at the top of this article, it is very clearly explained that you, as admin, can create a software deployment policy applied to users who are not in an OU:
          You (as an administrator) can use Group Policy to assign or to publish software to users or computers in a domain. Additionally, it is useful to be able to deploy software based on group membership. A Group Policy object (GPO) is usually applied only to members of an organizational unit (OU) to which the GPO is linked. Because a user cannot be located in several OUs at the same time, you must be able to apply Group Policy settings outside the boundaries of OUs. This article describes how to have your software deployment policy applied to users who are not in an OU.
          I decided to try this explanation in my virtual environment, but it does not work. So, now I want to understand why...



          • #6
            Re: How To Apply GPO to an Security Groups in Active Directory

            Hi, igor7.
            Not quite clear to me: if you now understand why, does it mean you solved the problem?
            If not, it would be nice if you could post a screenshot of the GPMC window (oh, yes, there's no problem with GPMC, you can install it. It's true that the MS article tells you how to do it without it, and from the moment you install GPMC you cannot work the way MS describes, but it is still a must-have tool for anyone dealing with group policies).
            I would like to see how the policy is defined and how it is linked to the OU. Also, I would check the Event Viewer on the computer for any GPO-related error messages. Just to be sure there isn't any problem there... Another thing you should test is to move the test3 and test4 users to the Software Deployment OU, see if it helps.
            Another thing, are you aware of the fact that software installation policies are not applied immediately, as any other policies do?
            Take a look at the last lines in the article you referenced:
            Changes to a GPO are not immediately applied on the target computers. Instead, changes are applied according to the current Group Policy update interval.
            There was another KB article that dealt exactly with this issue, I cannot find it at the moment. I'll keep looking and add it here.

            Additional reference:
            - Troubleshooting Software Deployment
            - Troubleshooting Group Policy application problems

            Good luck. And keep us posted.
            Last edited by sorinso; 24th July 2007, 07:49. Reason: typos

            Sorin Solomon




            • #7
              Re: How To Apply GPO to an Security Groups in Active Directory

              Hi, everybody!!
              I have already found a solution that works for me and I am sharing it with all of you!
              After I tried MS KB 324750: How to assign software to a specific group by using Group Policy in Windows Server 2003 several times in my virtual test lab and it did not work for me, I decided to search the Microsoft website for more explanation about GPOs. In the end I found this link:
              Code:
              http://www.microsoft.com/technet/technetmag/issues/2007/02/Troubleshooting/default.aspx
              Below is a quote from this website:

              GPO Must Target Correct Object
              As you know, Group Policy must target the correct objects in Active Directory. However, this is sometimes overlooked in the midst of a troubleshooting exercise. Within a GPO, there are two major categories: computer and user. When you configure a GPO, be sure to note if it is for a computer or user object. Then you can verify that the correct object types are placed in the Organizational Unit (OU) where the GPO is linked.

              GPOs Don't Apply to Groups
              Although you may wish it were so, a GPO cannot apply to an Active Directory security group object. The only two objects that a GPO setting can configure are computers and users. GPOs can't configure objects via group membership. For example, if there is a GPO linked to the Finance OU, as shown in Figure 2 the only objects that will be affected by the setting are Derek and Frank. The settings in the GPO will not affect the members of the Marketing group, no matter who has membership in that group.
              So, after I read this I was confused: one article says that we can assign a software installation GPO to a security group and another one says NO!! And in real life it does not work!
              So, the right answer is NO. We can't create a software installation GPO and link it to any OUs if user or computer accounts are not present in those OUs.
              But, like I said above, I found how we can assign a software installation GPO to a security group. It's simple... After we create the GPO with GPMC, we should delete Authenticated Users from the GPO scope (as we know, by default a GPO applies to Authenticated Users). Now we need to add to the list only the security group that we want this policy applied to. This action will give this group the appropriate permissions by default: READ and APPLY GROUP POLICY. And now the trick: instead of linking this GPO to the OU with the security group inside, we apply the GPO at the domain level. The software will be installed when the user logs on next time. That's all!! It works fine!
              So, now I am absolutely sure that MS KB 324750 is wrong. Later I will write a full article with a detailed explanation (with screenshots): How to assign software to a specific group by using Group Policy in Windows Server 2003.
              Thanks to all for the help!!
              Last edited by igor7; 24th July 2007, 22:14.
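
The two conditions this thread circles around, where the GPO is linked and who holds Apply Group Policy, can be checked separately. The PowerShell below is an added example, not code from any poster; it assumes the GroupPolicy and ActiveDirectory modules shipped with later Windows Server releases, and the function names, GPO name and domain DN are hypothetical.

```powershell
# Added example. Needs the GroupPolicy and ActiveDirectory (RSAT) modules.
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoUserScope {
    param([string]$User, [string]$GpoName)
    $u = Get-ADUser -Identity $User -Properties tokenGroups

    # Condition 1: an enabled link must sit on the domain or an OU above the
    # USER object. Where the group object lives plays no part.
    $som = ($u.DistinguishedName -split '(?<!\\),', 2)[1]
    while ($som -like 'CN=*') {        # plain containers cannot hold GPO links
        $som = ($som -split '(?<!\\),', 2)[1]
    }
    $links = @((Get-GPInheritance -Target $som).InheritedGpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled })

    # Condition 2: security filtering. The user, or a group in the user's
    # token, must hold Apply Group Policy on the GPO.
    $sids = @($u.SID.Value) + @($u.tokenGroups | ForEach-Object { $_.Value })
    $sids += 'S-1-5-11'                # Authenticated Users, added at logon
    $apply = @(Get-GPPermission -Name $GpoName -All | Where-Object {
        $_.Permission -eq 'GpoApply' -and $sids -contains $_.Trustee.Sid.Value })

    [pscustomobject]@{
        User            = $u.SamAccountName
        EvaluatedFrom   = $som
        LinkedInPath    = $links.Count -gt 0
        ApplyGrantedVia = $apply | ForEach-Object { $_.Trustee.Name }
        WillApply       = ($links.Count -gt 0) -and ($apply.Count -gt 0)
    }
}

# The change post #7 describes: filter on the group, link at the domain.
function Set-GpoGroupTarget {
    param([string]$GpoName, [string]$Group, [string]$DomainDn)
    # Assumption beyond the post: Authenticated Users keeps Read instead of
    # being removed, so computer accounts can still read the GPO.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace
    Set-GPPermission -Name $GpoName -TargetName $Group `
        -TargetType Group -PermissionLevel GpoApply
    New-GPLink -Name $GpoName -Target $DomainDn -LinkEnabled Yes
}

# Constructed lab values; run the check before and after the change.
# Test-GpoUserScope -User 'Test3' -GpoName 'WinRAR deploy'
# Set-GpoGroupTarget -GpoName 'WinRAR deploy' -Group 'Users1' -DomainDn 'DC=lab,DC=example'
```

`tokenGroups` reflects the directory, not the logged-on session: a user added to the group while logged on must log off and on again before the new membership appears in the token that policy processing evaluates.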



              • #8
                Re: How To Apply GPO to an Security Groups in Active Directory

                I am glad you solved the issue. And thank you for updating the forum.
                Nevertheless, I am puzzled now. I have applied lots of GPOs to groups, containing users and computers. And never had any problem with it! It is true that in all my cases, the objects that are members of the groups and the groups themselves reside in the same OU that the GPO is applied to.
                I think I'm going to dive into the issue a little bit, to clarify...

                Sorin Solomon

