Publishing/Assigning Applications

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I am at an impass. I have done the following.

Created a Network Sharepoint
Ran and Administrative Setup of an application and placed it there.
Created a security group and placed an XP computer in it.
Created a new group policy below the default policy
Under computer setup to assign an application and placed the security group
in it.
Rebooted XP computer and watched the application being installed on it.

Now here is my issue. I want the abilty to remove the application by
removing the computer from the security group, but it does not work. I have
the box checked to remove application if it falls out of scope, but when I
remove the computer it does not remove the applicaiton. If I delete the
entire security group it does remove the application from the workstation,
but if I do that then I remove it from more then one computer..

Any help would be appreciated.

Thanks
3 answers Last reply
More about publishing assigning applications
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    I think where you erred was in creating the software policy right below the
    default domain policy. If I'm getting this right, you applied the software
    to the entire domain.

    If you want to selectively install the software, you can do so by creating
    an OU (right click the domain in Users & Computers and go New>Organizational
    Unit), name it. Drop the actual computer object in said OU (not a security
    group as GPO's don't apply to security groups, only actual objects). Create
    your software policy AT that OU level by right clicking the OU, and creating
    the policy. From there, the computer will be within the scope of influence,
    and the computer will receive the policy. If you want to remove the
    'package' when the computer leaves the scope of influence, click the box.
    The software will be (should at least) removed when you move the computer
    object out of that OU.

    You CAN use security groups to filter the GPO's within an OU.... say you
    have an OU for "All of Our Computers" and placed all of the computer objects
    in there. Apply a software package for say Office 2003 to it. You don't
    want the Accounting department to get the package yet. Make a security group
    with Accounting's computers in it, then go to the security tab on the GPO
    object, add Accounting_Computers (or whatever you named the security group)
    and give them DENY permissions. That's the only way that security groups
    would function with GPO's--security/distribution groups don't fall within
    the scope of influence.

    Good luck... post back if you have questions---

    Ken


    "CurtisC" <CurtisC@discussions.microsoft.com> wrote in message
    news:BA297112-6252-45E9-A7EA-7A4CE769D3FE@microsoft.com...
    > I am at an impass. I have done the following.
    >
    > Created a Network Sharepoint
    > Ran and Administrative Setup of an application and placed it there.
    > Created a security group and placed an XP computer in it.
    > Created a new group policy below the default policy
    > Under computer setup to assign an application and placed the security
    group
    > in it.
    > Rebooted XP computer and watched the application being installed on it.
    >
    > Now here is my issue. I want the abilty to remove the application by
    > removing the computer from the security group, but it does not work. I
    have
    > the box checked to remove application if it falls out of scope, but when I
    > remove the computer it does not remove the applicaiton. If I delete the
    > entire security group it does remove the application from the workstation,
    > but if I do that then I remove it from more then one computer..
    >
    > Any help would be appreciated.
    >
    > Thanks
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Just wanted to follow up on this and thank you for the assistance. It works.

    Thanks.

    "Ken B" wrote:

    > I think where you erred was in creating the software policy right below the
    > default domain policy. If I'm getting this right, you applied the software
    > to the entire domain.
    >
    > If you want to selectively install the software, you can do so by creating
    > an OU (right click the domain in Users & Computers and go New>Organizational
    > Unit), name it. Drop the actual computer object in said OU (not a security
    > group as GPO's don't apply to security groups, only actual objects). Create
    > your software policy AT that OU level by right clicking the OU, and creating
    > the policy. From there, the computer will be within the scope of influence,
    > and the computer will receive the policy. If you want to remove the
    > 'package' when the computer leaves the scope of influence, click the box.
    > The software will be (should at least) removed when you move the computer
    > object out of that OU.
    >
    > You CAN use security groups to filter the GPO's within an OU.... say you
    > have an OU for "All of Our Computers" and placed all of the computer objects
    > in there. Apply a software package for say Office 2003 to it. You don't
    > want the Accounting department to get the package yet. Make a security group
    > with Accounting's computers in it, then go to the security tab on the GPO
    > object, add Accounting_Computers (or whatever you named the security group)
    > and give them DENY permissions. That's the only way that security groups
    > would function with GPO's--security/distribution groups don't fall within
    > the scope of influence.
    >
    > Good luck... post back if you have questions---
    >
    > Ken
    >
    >
    > "CurtisC" <CurtisC@discussions.microsoft.com> wrote in message
    > news:BA297112-6252-45E9-A7EA-7A4CE769D3FE@microsoft.com...
    > > I am at an impass. I have done the following.
    > >
    > > Created a Network Sharepoint
    > > Ran and Administrative Setup of an application and placed it there.
    > > Created a security group and placed an XP computer in it.
    > > Created a new group policy below the default policy
    > > Under computer setup to assign an application and placed the security
    > group
    > > in it.
    > > Rebooted XP computer and watched the application being installed on it.
    > >
    > > Now here is my issue. I want the abilty to remove the application by
    > > removing the computer from the security group, but it does not work. I
    > have
    > > the box checked to remove application if it falls out of scope, but when I
    > > remove the computer it does not remove the applicaiton. If I delete the
    > > entire security group it does remove the application from the workstation,
    > > but if I do that then I remove it from more then one computer..
    > >
    > > Any help would be appreciated.
    > >
    > > Thanks
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Ken,

    Good advice!

    Just a few in-line comments.....

    "Ken B" <none@microsoft.com> wrote in message
    news:%23E5QQEynEHA.132@TK2MSFTNGP09.phx.gbl...
    > I think where you erred was in creating the software policy right below
    the
    > default domain policy. If I'm getting this right, you applied the
    software
    > to the entire domain.


    Possibly he erred in that he put the computer account object in the security
    group and not directly in the OU ( as you so aptly stated ). There would
    not really be any problem creating a GPO that is below the Default Domain
    Policy. It would simply be applied before the Default Domain Policy and
    would affect everyone! Probably not what he wanted!


    >
    > If you want to selectively install the software, you can do so by creating
    > an OU (right click the domain in Users & Computers and go
    New>Organizational
    > Unit), name it. Drop the actual computer object in said OU (not a
    security
    > group as GPO's don't apply to security groups, only actual objects).
    Create
    > your software policy AT that OU level by right clicking the OU, and
    creating
    > the policy.

    Actually, you are not creating the GPO there AT the OU. But I know that you
    now know this. Once you give the GPO a friendly name you have done three
    things: #1) created the Group Policy Template - or GPT ( which resides
    initially in the shared SYSVOL folder on the DC that holds the FSMO Role of
    PDC Emulator - well, at least by default and assuming that it is available
    at the time the you are creating this GPO ); #2) created the Group Policy
    Container - or GPC ( which resides in the Active Directory Database ) and
    #3) created a link for the GPO to the object where you 'created' it ( in
    this case the OU-level, specifically the OU 'Office2003' - or whatever named
    the OU ).

    > From there, the computer will be within the scope of influence,
    > and the computer will receive the policy. If you want to remove the
    > 'package' when the computer leaves the scope of influence, click the box.
    > The software will be (should at least) removed when you move the computer
    > object out of that OU.


    Excellent point! Many many many people overlook this. There is indeed a
    checkbox that you would need to check. The text is something to the effect
    of "Remove this Package when the object falls out of the Scope of Influence
    of this Policy". Or whatever it might actually be. If you fail to check
    this box then you can remove the link to the OU - or move the object out of
    the OU to which the GPO is linked - and nothing will happen ( meaning, that
    the application will not be removed ).

    Now, this brings up a good point ( one that I seem to be making with greater
    frequency lately! This is a good thing! ) about how do your remove a GPO
    ( let's assume that it is linked to an OU and that it is configured on the
    user configuration side of things ). When you click on the friendly name of
    the GPO in question and then click on the Delete... button you are presented
    with two choices: remove the link or remove the link and the GPO. Which
    one do you do? Well, if you want the application to no longer affect users
    in said OU then you would simply choose the first one. Then, at the next
    log off and log on all of the affected users would notice the somewhat scary
    'Removing managed software installation of office 2003' dialog box ( similar
    to what they say when the GPO was first created ). There will be no more
    Office 2003 for those users! NOTE: You might want to use the WIN2003
    version of remove2k.exe ( if such a creature exists! jsut to remove those
    extra 15 - 20MBs of files and registry settings that the uninstall does not
    get! Or, does Office XP and Office 2003 take care of this by itself? ). If
    you choose the second choice then the application will not be uninstalled
    ( because they did not receive any notification ).

    >
    > You CAN use security groups to filter the GPO's within an OU.... say you
    > have an OU for "All of Our Computers" and placed all of the computer
    objects
    > in there. Apply a software package for say Office 2003 to it. You don't
    > want the Accounting department to get the package yet. Make a security
    group
    > with Accounting's computers in it, then go to the security tab on the GPO
    > object, add Accounting_Computers (or whatever you named the security
    group)
    > and give them DENY permissions. That's the only way that security groups
    > would function with GPO's--security/distribution groups don't fall within
    > the scope of influence.


    Yes, very good! The thing to understand is that, by defualt, the
    Authenticated Users security group is given both the READ and APPLY GROUP
    POLICY rights. You would need to either use a Security Group that consists
    of objects that you do not want to get this GPO and apply the DENY to the
    READ right - OR - you can simply create a security group that contains all
    of the objects that you want to be affected by this GPO, remove the
    Authenticated Users group and then apply both the READ and APPLY GROUP
    POLICY rights to that group. I generally prefer this method as the DENY
    method leaves errors in the EventIds. However, if you have 350 users that
    are to be affected and 5 that are not.........

    >
    > Good luck... post back if you have questions---
    >
    > Ken


    Cary


    >
    >
    > "CurtisC" <CurtisC@discussions.microsoft.com> wrote in message
    > news:BA297112-6252-45E9-A7EA-7A4CE769D3FE@microsoft.com...
    > > I am at an impass. I have done the following.
    > >
    > > Created a Network Sharepoint
    > > Ran and Administrative Setup of an application and placed it there.
    > > Created a security group and placed an XP computer in it.
    > > Created a new group policy below the default policy
    > > Under computer setup to assign an application and placed the security
    > group
    > > in it.
    > > Rebooted XP computer and watched the application being installed on it.
    > >
    > > Now here is my issue. I want the abilty to remove the application by
    > > removing the computer from the security group, but it does not work. I
    > have
    > > the box checked to remove application if it falls out of scope, but when
    I
    > > remove the computer it does not remove the applicaiton. If I delete the
    > > entire security group it does remove the application from the
    workstation,
    > > but if I do that then I remove it from more then one computer..
    > >
    > > Any help would be appreciated.
    > >
    > > Thanks
    >
    >
Ask a new question

Read More

Security Computers Windows