Announcement

Collapse
No announcement yet.

Deploying Apps through GPO to specific Security Groups

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Deploying Apps through GPO to specific Security Groups

    Hi, I'm new to this forum and fairly new to deploying apps through GPO. I have about 8 or 10 right now, but they are published to everyone through control panel. We are in the process of rolling out Office 2007 to my division but we cannot have everyone install it due to licenseing. I was hoping to assign the Office 2007 MSI to 1 specific security group, and then control who can install it via the members of that security group.

    Is this possible, and does anyone have any tips on how to get this done?

    Thanks

  • #2
    Re: Deploying Apps through GPO to specific Security Groups

    It is quite possible. You use GPO Security filtering. Simply remove the "Authenticated Users" group from the GPO's security permissions and then add the security group that you desire. This article seems targeted to what you want to do. A general Google search would be beneficial as well.

    Enjoy!
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

    Comment


    • #3
      Re: Deploying Apps through GPO to specific Security Groups

      Thanks, I just tried it and it's not working correctly. I actually need to change my original question a bit. We need to deploy the software to specific computers, not specific users.

      I created a blank GPO under the computers container, assigned a test security group to it with one computer name in it, and published the app under the computer / software section. When I log into that computer with normal user rights, I do not see the newly published app listed. Any ideas?

      Comment


      • #4
        Re: Deploying Apps through GPO to specific Security Groups

        Originally posted by petergriffon View Post
        Thanks, I just tried it and it's not working correctly. I actually need to change my original question a bit. We need to deploy the software to specific computers, not specific users.
        No worries. This article seems to indicate that what you want to do is entirely possible.

        Originally posted by petergriffon View Post
        I created a blank GPO under the computers container, assigned a test security group to it with one computer name in it, and published the app under the computer / software section.
        (Emphasis in quote is mine)

        I'm assuming that you really meant to say that you "assigned" the software rather than published it, correct? Software cna only be assigned to computers and not published. Sorry to pick at semantics.
        Wesley David
        LinkedIn | Careers 2.0
        -------------------------------
        Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
        Vendor Neutral Certifications: CWNA
        Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
        Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/

        Comment


        • #5
          Re: Deploying Apps through GPO to specific Security Groups

          Yes, I do mean "assigning"...and it's almost working. Here's what I've done so far:
          • Created a test OU under computers called "Testing Assigned Apps"
          • Created a test Security Group called "Sec-Testing Assigned Apps"
          • Dropped my test laptop into the Testing Assigned Apps OU
          • Added my test laptop to the Sec-Testing Assigned Apps Security Group
          • Created a new GPO, linked to my Testing Assigned Apps OU
          • Removed Authenticated Users and added my test Security Group to the security filtering
          • "Assigned" an MSI package to Computer Configuration / Software Settings
          Here's the problem.
          Last night I had the GPO linked directly to the Computers OU, I had not created a test OU yet. When the computer booted up it went through applying computer settings, applying security policy, and then it said it was installing the software I assigned......but it never actually installs. I get to a login screen a few seconds later, log in, and nothing ever happens.

          This morning I decided I didn't want the GPO linked directly all of my computers, so I created the test OU. Now it's not doing anything when I boot up the computer....and I have 4 MSI packages assigned.

          Any other ideas

          Comment


          • #6
            Re: Deploying Apps through GPO to specific Security Groups

            Sounds like there is just a problem with your MSI if it didn't actually install. Check the Event Log for more info. Also try installing the MSI like normal, just to verify that it works.

            Nothing is probably happening this morning because the computer thinks it already has the GPO applied and installed. I like to use the option under the Advanced tab for the deployment package to tell it to uninstall when it falls out of the scope of management. That way you can change the permissions of the GPO, like that 404techsupport article pointed out, and refresh the policy to test again.

            Also, remember the command:
            gpupdate /force /boot
            to refresh the policy immediately.

            More good articles:
            http://www.404techsupport.com/2008/0...policy-basics/
            http://www.404techsupport.com/2008/0...advanced-info/

            Comment


            • #7
              Re: Deploying Apps through GPO to specific Security Groups

              Thanks, I'll give it a try a little later. Also, I know the 4 MSI's work fine. They are published to a GPO for users to install through add/remove programs. I'm just using them to test assigning apps.

              Comment


              • #8
                Re: Deploying Apps through GPO to specific Security Groups

                I just tested again with that box checked off and it's doing the same thing. When the computer boots up it goes through it's normal routine and then says installing assigned application - TESTING-Firefox V3.....then goes to installing assigned application - TESTIN-WebEx....and so on. It lists all 4 apps that I'm trying to assign, but nothing ever actually happens.

                Comment


                • #9
                  Re: Deploying Apps through GPO to specific Security Groups

                  OK, so I got it working. The problem was I was assigning the apps based on IP, not by FQDN. Once I assigned them by name, it started working like a charm.

                  I do have one more question though. Is there a way to have the package auto uninstall from the computer once it is removed from the security group associated with the GPO?

                  Comment


                  • #10
                    Re: Deploying Apps through GPO to specific Security Groups

                    if you open the properties of the assigned application, click the deployment tab along the top, and check the box that says "Uninstall this application when it falls out of the scope of management"

                    Hope this helps
                    Dave

                    Comment

                    Working...
                    X