
Help with security group filtering software installations in a GPO


  • Help with security group filtering software installations in a GPO

    Are you sitting comfortably?!

    Dear all

    I've been using group policy for software installation for years, and I'm no stranger to security group filtering different packages within the same GPO, so that different computers in an OU can get different software.

    Over the past few months I have been 'cleaning up' a domain since I started a new job, and part of this is dealing with the messiness of the group policies here. By the end of it, I hope to have a much smaller, more flexibly architected set of policies.

    I have, however, hit a problem which I've now spent weeks trying to solve myself. Each time I come back to the problem, I get more and more deeply involved with the way in which group policy stores its data, but I haven't found the solution (or even the reason!) yet.

    Note 1: this problem is not an issue with group policy application
    Note 2: over the weeks of research I have done on technet, etc, I have not found a single article that addresses my questions specifically, although many have helped me understand group policy in greater depth.
    Note 3: I have used every MS tool I can lay my hands on to troubleshoot this problem, mainly dcgpofix.exe, gpotool.exe, gpmonitor.exe. There may be more though?

    The problem:
    1) Create and link a new GPO to an OU that has a single test computer in.
    2) Assign a software installation to the computer part of this GPO
    3) Verify that group policy modelling picks up on this (run the query with all the default options, against the current DC, and using domain users and computers to pick up the settings rather than user and computer OUs).
    4) Add the test computer to a test security group
    5) Using the ACL editor for the software installation itself, remove 'authenticated users' from the list (first unticking "allow inheritable permissions...")
    6) Use the GP modelling tool again to verify the software is no longer assigned to this computer
    7) Now add back the test security group to the software installation in the GPO.

    Tadaa - the group policy modelling tool should show the software application being assigned to the computer in question, but it doesn't.
    I don't want to oversimplify at this point, but to write-out everything I have done to test and solve this problem would take an age.

    Suffice to say I have delved deeply into ensuring that permission inheritance on SYSVOL folders is correct, and that GPMC correctly verifies permission synchronisation between Active Directory database objects and SYSVOL.

    I have virtualised our two DCs in order to do some destructive testing, and still haven't solved it.

    Note, there are no other notable issues with the DCs that may affect this. For example, netdiag and dcdiag, sysvol frs replication, and Active Directory replication are all healthy.

    Background - at one point in the past, I had to rebuild SYSVOL using the burflags method. This went smoothly, and at first I thought this may have been the start of the above problem. However I have done so much validation of SYSVOL now that I am convinced the problem doesn't lie there, although I may be wrong.

    A friend suggested to me that I wireshark the unencrypted LDAP traffic between DCs as a next step. I guess I could do, but....

    Does anyone have any ideas to throw my way?

    p.s. I don't want to use PSS!



  • #2
    Re: Help with security group filtering software installations in a GPO

    Oh, I forgot to mention...

    If you then add back Authenticated Users to the ACL of the software deployment itself (within the GPO), the GP Modelling tool still does not show the software installation. I have checked that Authenticated Users has the correct permissions (list contents, read all properties, read permissions).

    The only way to get GP Modelling to show the software package again is to reset the software installation's ACL to defaults (i.e. security tab > advanced > default), which also resets the inheritance attribute.

    To conclude, there must be something special happening when you click that 'default' button, something that simply cannot be replicated by adding the permissions manually.

    I have put a filemon trace on the actions of changing permissions, but this doesn't throw up anything useful.

    *tears hair out*
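
    A read-only audit script for the situation described in the two posts above. This is an added example, not something posted in the thread: it dumps the DACL on each packageRegistration object under the GPO's Machine class store (where the ACL editor in the software installation node writes), the NTFS DACL on the matching .aas advertisement script in SYSVOL (msiScriptPath), and the schema's defaultSecurityDescriptor for packageRegistration, so that an ACL edited by hand can be compared line by line with what the 'Default' button restores. It assumes RSAT (the ActiveDirectory and GroupPolicy modules) on a domain-joined admin session; the GPO name and group name are placeholders.

```powershell
# Added example (not from the forum thread): audit security filtering on the
# software installation packages of one GPO. Read-only; changes nothing.
# Assumes RSAT ActiveDirectory + GroupPolicy modules. Names are placeholders.
param(
    [string]$GpoName     = 'Test Software GPO',    # assumption: your test GPO
    [string]$FilterGroup = 'Test Software Group'   # assumption: your test security group
)

Import-Module ActiveDirectory -ErrorAction Stop
Import-Module GroupPolicy     -ErrorAction Stop

$gpo      = Get-GPO -Name $GpoName -ErrorAction Stop
$domainDN = (Get-ADDomain).DistinguishedName
$gpoDN    = "CN={$($gpo.Id)},CN=Policies,CN=System,$domainDN"

# Computer-side packages are packageRegistration objects in the Machine class store.
$classStore = "CN=Packages,CN=Class Store,CN=Machine,$gpoDN"
try {
    $packages = Get-ADObject -SearchBase $classStore -SearchScope OneLevel `
        -LDAPFilter '(objectClass=packageRegistration)' `
        -Properties packageName, msiScriptPath -ErrorAction Stop
} catch {
    Write-Warning "Cannot enumerate $classStore : $($_.Exception.Message)"
    return
}

# What the ACL editor's 'Default' button is built from: the schema default SDDL.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$classDef = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=packageRegistration)' `
    -Properties defaultSecurityDescriptor
"Schema defaultSecurityDescriptor for packageRegistration:"
"  $($classDef.defaultSecurityDescriptor)"
""

# Rights the thread lists for Authenticated Users: list contents, read all
# properties, read permissions. ReadProperty only counts when the ACE is not
# scoped to a single property (ObjectType is the empty GUID).
$needed = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ReadControl'
$groupNT = (Get-ADGroup $FilterGroup -ErrorAction Stop).SID.Translate([System.Security.Principal.NTAccount]).Value
$authUsers = 'NT AUTHORITY\Authenticated Users'

function Show-Dacl {
    param([System.Security.AccessControl.ObjectSecurity]$Acl, [string]$Label)
    "  [$Label] inheritance blocked: $($Acl.AreAccessRulesProtected)"
    foreach ($ace in $Acl.Access) {
        # AD ACEs expose ActiveDirectoryRights, NTFS ACEs expose FileSystemRights.
        $rights = if ($ace.PSObject.Properties['ActiveDirectoryRights']) {
            $ace.ActiveDirectoryRights } else { $ace.FileSystemRights }
        $inh = if ($ace.IsInherited) { '(inherited)' } else { '' }
        "    {0,-5} {1,-42} {2} {3}" -f $ace.AccessControlType, $ace.IdentityReference, $rights, $inh
    }
}

function Test-ReadAccess {
    # True if $Identity holds an explicit or inherited Allow ACE covering $needed on the AD object.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl, [string]$Identity)
    $have = [System.DirectoryServices.ActiveDirectoryRights]0
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if ($ace.ObjectType -ne [Guid]::Empty) { continue }   # property-specific ACE, skip
        $have = $have -bor $ace.ActiveDirectoryRights
    }
    return (($have -band $needed) -eq $needed)
}

foreach ($pkg in $packages) {
    "Package: $($pkg.packageName)"
    "  DN: $($pkg.DistinguishedName)"
    $adAcl = Get-Acl -Path "AD:\$($pkg.DistinguishedName)"
    Show-Dacl -Acl $adAcl -Label 'AD object'
    "  read access for $groupNT : $(Test-ReadAccess -Acl $adAcl -Identity $groupNT)"
    "  read access for $authUsers : $(Test-ReadAccess -Acl $adAcl -Identity $authUsers)"

    # The .aas script in SYSVOL has its own NTFS DACL; msiScriptPath is its UNC path.
    if ($pkg.msiScriptPath -and (Test-Path -LiteralPath $pkg.msiScriptPath)) {
        Show-Dacl -Acl (Get-Acl -LiteralPath $pkg.msiScriptPath) -Label 'SYSVOL .aas'
    } else {
        "  [SYSVOL .aas] msiScriptPath missing or unreachable: $($pkg.msiScriptPath)"
    }
    ""
}
```

    Run it once before removing Authenticated Users, once after adding the group back by hand, and once after pressing 'Default', and diff the three outputs: any ACE, ObjectType scope or inheritance flag that differs between the manual and the default run is the candidate for why modelling stops showing the package. The SYSVOL section is there because the advertisement script carries a separate DACL from the AD object, so a permission fix made in only one place leaves the other unchanged.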


    • #3
      Re: Help with security group filtering software installations in a GPO

      Does anybody have any suggestions regarding this problem? I still haven't got to the bottom of it. Thanks.


      • #4
        Re: Help with security group filtering software installations in a GPO

        Sounds like you've done quite an exhaustive search on the subject (and taught me a few things in the process).

        While I have no direct answer to your problem, I can suggest where you might want to turn to:

        Jeremy Moskowitz (as you probably already know) is a giant in the AD GPO field. Specifically, you might want to try and ask the question at his community forum:

        And let us know how things turn out!
        Wesley David


        • #5
          Re: Help with security group filtering software installations in a GPO

          Thanks for the link there...

          Still haven't got to the bottom of the problem (I've left it for more important things in the meantime but will need to solve it soon!)

          Just posted this on the Moskowitz forum too.

          I'm about to call product support - nooooo!


          • #6
            Re: Help with security group filtering software installations in a GPO

            @Nonapeptide - Thank you for posting about
            Awesome website.