Archived from groups: microsoft.public.win2000.group_policy (
More info?)
Ken,
Good advice!
Just a few in-line comments.....
"Ken B" <none@microsoft.com> wrote in message
news:%23E5QQEynEHA.132@TK2MSFTNGP09.phx.gbl...
> I think where you erred was in creating the software policy right below
the
> default domain policy. If I'm getting this right, you applied the
software
> to the entire domain.
Possibly he erred in that he put the computer account object in the security
group and not directly in the OU ( as you so aptly stated ). There would
not really be any problem creating a GPO that is below the Default Domain
Policy. It would simply be applied before the Default Domain Policy and
would affect everyone! Probably not what he wanted!
>
> If you want to selectively install the software, you can do so by creating
> an OU (right click the domain in Users & Computers and go
New>Organizational
> Unit), name it. Drop the actual computer object in said OU (not a
security
> group as GPO's don't apply to security groups, only actual objects).
Create
> your software policy AT that OU level by right clicking the OU, and
creating
> the policy.
Actually, you are not creating the GPO there AT the OU. But I know that you
now know this. Once you give the GPO a friendly name you have done three
things: #1) created the Group Policy Template - or GPT ( which resides
initially in the shared SYSVOL folder on the DC that holds the FSMO Role of
PDC Emulator - well, at least by default and assuming that it is available
at the time the you are creating this GPO ); #2) created the Group Policy
Container - or GPC ( which resides in the Active Directory Database ) and
#3) created a link for the GPO to the object where you 'created' it ( in
this case the OU-level, specifically the OU 'Office2003' - or whatever named
the OU ).
> From there, the computer will be within the scope of influence,
> and the computer will receive the policy. If you want to remove the
> 'package' when the computer leaves the scope of influence, click the box.
> The software will be (should at least) removed when you move the computer
> object out of that OU.
Excellent point! Many many many people overlook this. There is indeed a
checkbox that you would need to check. The text is something to the effect
of "Remove this Package when the object falls out of the Scope of Influence
of this Policy". Or whatever it might actually be. If you fail to check
this box then you can remove the link to the OU - or move the object out of
the OU to which the GPO is linked - and nothing will happen ( meaning, that
the application will not be removed ).
Now, this brings up a good point ( one that I seem to be making with greater
frequency lately! This is a good thing! ) about how do your remove a GPO
( let's assume that it is linked to an OU and that it is configured on the
user configuration side of things ). When you click on the friendly name of
the GPO in question and then click on the Delete... button you are presented
with two choices: remove the link or remove the link and the GPO. Which
one do you do? Well, if you want the application to no longer affect users
in said OU then you would simply choose the first one. Then, at the next
log off and log on all of the affected users would notice the somewhat scary
'Removing managed software installation of office 2003' dialog box ( similar
to what they say when the GPO was first created ). There will be no more
Office 2003 for those users! NOTE: You might want to use the WIN2003
version of remove2k.exe ( if such a creature exists! jsut to remove those
extra 15 - 20MBs of files and registry settings that the uninstall does not
get! Or, does Office XP and Office 2003 take care of this by itself? ). If
you choose the second choice then the application will not be uninstalled
( because they did not receive any notification ).
>
> You CAN use security groups to filter the GPO's within an OU.... say you
> have an OU for "All of Our Computers" and placed all of the computer
objects
> in there. Apply a software package for say Office 2003 to it. You don't
> want the Accounting department to get the package yet. Make a security
group
> with Accounting's computers in it, then go to the security tab on the GPO
> object, add Accounting_Computers (or whatever you named the security
group)
> and give them DENY permissions. That's the only way that security groups
> would function with GPO's--security/distribution groups don't fall within
> the scope of influence.
Yes, very good! The thing to understand is that, by defualt, the
Authenticated Users security group is given both the READ and APPLY GROUP
POLICY rights. You would need to either use a Security Group that consists
of objects that you do not want to get this GPO and apply the DENY to the
READ right - OR - you can simply create a security group that contains all
of the objects that you want to be affected by this GPO, remove the
Authenticated Users group and then apply both the READ and APPLY GROUP
POLICY rights to that group. I generally prefer this method as the DENY
method leaves errors in the EventIds. However, if you have 350 users that
are to be affected and 5 that are not.........
>
> Good luck... post back if you have questions---
>
> Ken
Cary
>
>
> "CurtisC" <CurtisC@discussions.microsoft.com> wrote in message
> news:BA297112-6252-45E9-A7EA-7A4CE769D3FE@microsoft.com...
> > I am at an impass. I have done the following.
> >
> > Created a Network Sharepoint
> > Ran and Administrative Setup of an application and placed it there.
> > Created a security group and placed an XP computer in it.
> > Created a new group policy below the default policy
> > Under computer setup to assign an application and placed the security
> group
> > in it.
> > Rebooted XP computer and watched the application being installed on it.
> >
> > Now here is my issue. I want the abilty to remove the application by
> > removing the computer from the security group, but it does not work. I
> have
> > the box checked to remove application if it falls out of scope, but when
I
> > remove the computer it does not remove the applicaiton. If I delete the
> > entire security group it does remove the application from the
workstation,
> > but if I do that then I remove it from more then one computer..
> >
> > Any help would be appreciated.
> >
> > Thanks
>
>
Facebook
Twitter
Instagram