Using Group Policy to give install permission

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I know nothing about how to use or apply group policy, but I very much need
to learn. I would like a link to a Microsoft article that gives a good basic
step up to using it. Also, I have a network with mixed Windows 2000 and XP
Pro machines. Many of the machines are set up with Restricted accounts.
However, I need them to be able to install Windows updates, and updates to an
active control that is a part of Crystal Reports. How can I go about learning
to allow this with group policy? Thanks !
--
Scott F
4 answers Last reply
More about using group policy give install permission
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Scott,

    My web sites will ( once I have them finished ) will be a good start (
    shameless self promotion! ).

    You might want to look at SUS for the installation of the Updates. That is
    really the way to go. There is a SUS newsgroup if you need help there.
    Microsoft has a really nice white paper on how to do this.

    Restricted Groups is a really good way to control things. I promote it
    where it makes sense ( just about everywhere )!

    Have you done a google search for Group Policy? There are also some other
    web sites out there. Darren Mar-Elia has a nice one at
    http://www.gpoguy.com and Jerry Moskowitz has an updated web site at
    http://www.gpoanswers.com. Then there is the Microsoft web site.

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Scott Ford" <removethis.scott@starlite-entertainment.com> wrote in message
    news:32D237BD-E89E-4156-BB8F-DAF27A93F61B@microsoft.com...
    >I know nothing about how to use or apply group policy, but I very much need
    > to learn. I would like a link to a Microsoft article that gives a good
    > basic
    > step up to using it. Also, I have a network with mixed Windows 2000 and XP
    > Pro machines. Many of the machines are set up with Restricted accounts.
    > However, I need them to be able to install Windows updates, and updates to
    > an
    > active control that is a part of Crystal Reports. How can I go about
    > learning
    > to allow this with group policy? Thanks !
    > --
    > Scott F
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Yes, actually I have searched in Google, and I have read some of the things
    that came up. It seems that articles that are recommended by others usually
    contain more applicable material, so I always ask to see what others have
    read. I'm assuming, but not certain that Group policy settings on my Windows
    2K Adv Server will still apply to the XP machines, and I am not finding
    anything about how to use Group Policy to allow only a specific program to be
    installed. Thanks for your post, I still want to read over the sites you
    listed. I have not looked into SUS, because just worrying about learning
    group policy seems like a mountain at the moment, with the 27 projects that
    all need completed at once.. ahhhhh, life in IT is grand, ain't it ;-).

    "Cary Shultz [A.D. MVP]" wrote:

    > Scott,
    >
    > My web sites will ( once I have them finished ) will be a good start (
    > shameless self promotion! ).
    >
    > You might want to look at SUS for the installation of the Updates. That is
    > really the way to go. There is a SUS newsgroup if you need help there.
    > Microsoft has a really nice white paper on how to do this.
    >
    > Restricted Groups is a really good way to control things. I promote it
    > where it makes sense ( just about everywhere )!
    >
    > Have you done a google search for Group Policy? There are also some other
    > web sites out there. Darren Mar-Elia has a nice one at
    > http://www.gpoguy.com and Jerry Moskowitz has an updated web site at
    > http://www.gpoanswers.com. Then there is the Microsoft web site.
    >
    > --
    > Cary W. Shultz
    > Roanoke, VA 24014
    > Microsoft Active Directory MVP
    >
    > http://www.activedirectory-win2000.com
    > http://www.grouppolicy-win2000.com
    >
    >
    >
    > "Scott Ford" <removethis.scott@starlite-entertainment.com> wrote in message
    > news:32D237BD-E89E-4156-BB8F-DAF27A93F61B@microsoft.com...
    > >I know nothing about how to use or apply group policy, but I very much need
    > > to learn. I would like a link to a Microsoft article that gives a good
    > > basic
    > > step up to using it. Also, I have a network with mixed Windows 2000 and XP
    > > Pro machines. Many of the machines are set up with Restricted accounts.
    > > However, I need them to be able to install Windows updates, and updates to
    > > an
    > > active control that is a part of Crystal Reports. How can I go about
    > > learning
    > > to allow this with group policy? Thanks !
    > > --
    > > Scott F
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    There are really only a couple of things that you need to know for Group
    Policy. Then there are the little details. If you get the big details then
    you can figure most things out.

    You might want to do a search in this news group as well as in the active
    directory news group for some of my posts. Use something like 'computer
    configuration' as the search parameter. You might also want to look about
    three months ago...I was a bit absent from here for a 'brief' period of
    time....

    I will give you the basics in another thread in a bit. Time to eat diner
    with the Mrs. right now.

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Scott Ford" <removethis.scott@starlite-entertainment.com> wrote in message
    news:9738EB90-7A2F-4605-91B3-4DFC45DA6A00@microsoft.com...
    > Yes, actually I have searched in Google, and I have read some of the
    > things
    > that came up. It seems that articles that are recommended by others
    > usually
    > contain more applicable material, so I always ask to see what others have
    > read. I'm assuming, but not certain that Group policy settings on my
    > Windows
    > 2K Adv Server will still apply to the XP machines, and I am not finding
    > anything about how to use Group Policy to allow only a specific program to
    > be
    > installed. Thanks for your post, I still want to read over the sites you
    > listed. I have not looked into SUS, because just worrying about learning
    > group policy seems like a mountain at the moment, with the 27 projects
    > that
    > all need completed at once.. ahhhhh, life in IT is grand, ain't it ;-).
    >
    > "Cary Shultz [A.D. MVP]" wrote:
    >
    >> Scott,
    >>
    >> My web sites will ( once I have them finished ) will be a good start (
    >> shameless self promotion! ).
    >>
    >> You might want to look at SUS for the installation of the Updates. That
    >> is
    >> really the way to go. There is a SUS newsgroup if you need help there.
    >> Microsoft has a really nice white paper on how to do this.
    >>
    >> Restricted Groups is a really good way to control things. I promote it
    >> where it makes sense ( just about everywhere )!
    >>
    >> Have you done a google search for Group Policy? There are also some
    >> other
    >> web sites out there. Darren Mar-Elia has a nice one at
    >> http://www.gpoguy.com and Jerry Moskowitz has an updated web site at
    >> http://www.gpoanswers.com. Then there is the Microsoft web site.
    >>
    >> --
    >> Cary W. Shultz
    >> Roanoke, VA 24014
    >> Microsoft Active Directory MVP
    >>
    >> http://www.activedirectory-win2000.com
    >> http://www.grouppolicy-win2000.com
    >>
    >>
    >>
    >> "Scott Ford" <removethis.scott@starlite-entertainment.com> wrote in
    >> message
    >> news:32D237BD-E89E-4156-BB8F-DAF27A93F61B@microsoft.com...
    >> >I know nothing about how to use or apply group policy, but I very much
    >> >need
    >> > to learn. I would like a link to a Microsoft article that gives a good
    >> > basic
    >> > step up to using it. Also, I have a network with mixed Windows 2000 and
    >> > XP
    >> > Pro machines. Many of the machines are set up with Restricted accounts.
    >> > However, I need them to be able to install Windows updates, and updates
    >> > to
    >> > an
    >> > active control that is a part of Crystal Reports. How can I go about
    >> > learning
    >> > to allow this with group policy? Thanks !
    >> > --
    >> > Scott F
    >>
    >>
    >>
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Scott,

    Let's start off with the basics. That is always a really good place to
    start.

    Group Policy is simply ( well, not always so simple! ) a way to make a
    configuration setting in one location ( on a Domain Controller ) that
    affects a whole lot of other things ( either user account objects or
    computer account objects or both! ). In other words, you make the setting
    in one place and from this one place the setting is applied to all of those
    other 'things'. No more needing to go from computer to computer to
    computer! This is very good!

    Okay, how do we do this? What infrastructure needs to be in place for me to
    do this?

    First and foremost make sure that DNS is set up properly. What this
    typically means is that all of your clients point only to one or more of
    your internal DNS Servers and not to your ISP's DNS Server ( or any other
    external DNS Server ). Internal means that it is part of your network and
    external means that it is not part of your network. If DNS is not correct
    then things get really messy! First and foremost, make sure that DNS is
    correct.

    You need to have Organizational Units. By default, when you install WIN2000
    Active Directory there is only one Organizational Unit: Domain Controllers.
    The others are simple containers. In this sense you can not link a GPO to a
    container ( again, not really entirely accurate. We will see why in a
    moment ).

    Your user account objects or computer account objects must directly reside
    in the Organizational Unit to which you linked the GPO. Many people seem to
    think that they can leave the user account objects in the default USERS
    container, create a security group in the desired OU ( after having created
    the OU ), populate said security group with user or computer account objects
    and then link a GPO to that OU ( the one that contains the security group ).
    The GPO will not work!

    Okay, what do we have so far?

    1. DNS, DNS, DNS
    2. Organizational Unit
    3. Users or computers must directly reside in the OU to which the GPO is
    linked


    Okay, let's say that you have DNS all under control; you have created an OU
    and you have moved the desired user account objects into that OU. Now what?

    In Active Directory Users and Computers right click the OU in question and
    select Properties. Then, go to the last tab named Group Policy. Click on
    the New... button. Give it a name. Let's call it "Remove the Display Tab".
    Congratulations. You just created your first Group Policy! Huh? But I did
    not do much. Well, that is true. But you have created the GPO. Granted,
    it is blank. But you have created it nonetheless!

    So, what did you just do?

    By the time you gave it the name of "Remove the Display Tab' several things
    happened. On the Domain Controller that holds the FSMO Role of PDC Emulator
    ( well, this is the default ) you created the two halves of the GPO. Yep!
    There are two halves. There is the one half that lives in the SYSVOL folder
    ( called the Group Policy Template, or GPT ) and there is the other half
    that lives in Active Directory ( called the Group Policy Container, or
    GPC ).

    When you go back to this GPO you would need to click on the Edit... button
    to make the actual settings. But that, for the moment, is secondary to what
    is going on.

    So, what in the world are the GPT and the GPC?

    The GPT is the part that lives within the shared SYSVOL on your Domain
    Controllers. If you follow the default location of
    c:\WINNT\sysvol\SYSVOL\yourdomain.com\Policies you will find that you have -
    upon installation of Active Directory - just two GPOs: the Default Domain
    Policy ( or DDP ) and the Default Domain Controllers Policy ( or DDCP ).
    Well, you do not really know this by looking inside the Policies folder.
    All you see is a bunch of funny looking folders. The one with the name of
    31B2F340-xxxx-xxxx-xxxx-00C04fB984F9 is the DDP and the one with the name of
    6AC1786C-xxxx-xxxx-xxxx-00C04fB984F9 is the DDCP. Gosh, I hope that I did
    not just make myself look stupid by using the incorrect names. Going from
    memory. So, because you created your 'Remove the Display Tab' policy you
    will now see a third folder in there with a similar looking name. We are
    not going to worry about what is inside these folders at the moment ( if at
    all! ). These policies will replicate to all Domain Controllers in THAT
    domain. And that replication happens via NTFRS.

    The GPC is that part that lives inside the Active Directory. Specifically
    in the Domain Naming Context, or Domain Partition. A quick digression:
    there are three partitions of Active Directory: the Schema NC, the
    Configuration NC and the Domain NC. The first two NCs are replicated to all
    Domain Controllers in the entire Forest. The Domain NC is replicated to all
    Domain Controllers in the Domain. This replication happens via Active
    Directory Replication. There are two kinds of AD replication: intra-site
    and inter-site. We will not worry about that yet ( if at all! ). How do
    you look at this? Install the Support Tools from the Service Pack CD Media
    or download and install from the MS web site. Then fire up ADSIEdit. You
    could also use ldp but ADSIEdit would be better! All of this will make
    more sense if you take a look. But, you might want to install WIN2000
    Server on a test system separate from your network and mess around
    there....You can do some serious damage here!!!!

    Okay. So I now know about the basic internal things. Or, what is going on
    under the hood, right? Well, there is a little bit more.

    You can see that you can create a GPO and link it to several levels. I was
    using the Organizational Unit level as this is the most common. There are
    three others, however. The levels are Local, Site, Domain and OU. This
    also is the pecking order. Huh? Well, the order in which they are
    processed. So, any local GPOs would be processed. Then any Site level GPOs
    would be processed. Following that would be the Domain level GPOs. A
    little digression: I mentioned in the very beginning that you can not link
    GPOs to containers. I then wrote that this was not entirely correct.
    Linking a GPO to the Site level or to the Domain level is actually linking a
    GPO to a container! However, Site level GPOs are not used all that much (
    well, normally speaking ). Usually Domain level GPOs are not used, either
    ( except the Password Policy.....which must be set at the Domain level ).
    Okay, back to the discussion. Finally, any GPOs linked to the OU level are
    processed.

    Okay. You are probably thinking to yourself: what happens if I have several
    GPOs linked to the same level? What happens there? Which one is processed
    first and which one is processed last? And in terms of conflict, which one
    wins? When you are looking in the Group Policy Editor ( er, when you right
    click the OU, select Properties and then go to the Group Policy tab ) the
    GPO that is listed at the bottom is the one that is processed first. The
    one above that is processed second and the one at the top is processed last.
    Now, in the event of a conflict ( meaning, one GPO has a setting configured
    to X and another GPO has that same setting configured to Y ) the last GPO
    processed wins. So, the one at or nearest to the top wins!

    But, I have written that there are two sides: the computer configuration and
    the user configuration. This is true. There are the two sides. So, what
    happens there? Well, normally at boot up the GPOs that are linked to the
    container in which the computer account objects directly reside are
    processed ( in the pecking order that I have already described ). You are
    then prompted for a user name and password. You supply a user name and
    password. The GPOs that are linked to the container in which this specific
    user account object directly resides are processed ( again, in the pecking
    order that I have already described ). So, why did I use the term
    'container'? Because of the possibility that you might have Site level and
    Domain level ( which you have for sure....the DDP ) GPOs.

    I left off a lot. However, there is already enough information to digest.
    And this is just the bare basics. But once you get this the rest is pretty
    simple. Did I talk about Block Inheritance? No. Did I talk about
    disabling one half of the GPO? No. Did I talk about Group Filtering? No.
    Did I talk about all the specific settings that are available? No. Did I
    talk about software deployment? No. There are several more things that I
    did not discuss right now. But, again, there is already a ton of important
    information in here.

    Hope that this gets you started!

    --
    Cary W. Shultz
    Roanoke, VA 24014
    Microsoft Active Directory MVP

    http://www.activedirectory-win2000.com
    http://www.grouppolicy-win2000.com


    "Scott Ford" <removethis.scott@starlite-entertainment.com> wrote in message
    news:9738EB90-7A2F-4605-91B3-4DFC45DA6A00@microsoft.com...
    > Yes, actually I have searched in Google, and I have read some of the
    > things
    > that came up. It seems that articles that are recommended by others
    > usually
    > contain more applicable material, so I always ask to see what others have
    > read. I'm assuming, but not certain that Group policy settings on my
    > Windows
    > 2K Adv Server will still apply to the XP machines, and I am not finding
    > anything about how to use Group Policy to allow only a specific program to
    > be
    > installed. Thanks for your post, I still want to read over the sites you
    > listed. I have not looked into SUS, because just worrying about learning
    > group policy seems like a mountain at the moment, with the 27 projects
    > that
    > all need completed at once.. ahhhhh, life in IT is grand, ain't it ;-).
    >
    > "Cary Shultz [A.D. MVP]" wrote:
    >
    >> Scott,
    >>
    >> My web sites will ( once I have them finished ) will be a good start (
    >> shameless self promotion! ).
    >>
    >> You might want to look at SUS for the installation of the Updates. That
    >> is
    >> really the way to go. There is a SUS newsgroup if you need help there.
    >> Microsoft has a really nice white paper on how to do this.
    >>
    >> Restricted Groups is a really good way to control things. I promote it
    >> where it makes sense ( just about everywhere )!
    >>
    >> Have you done a google search for Group Policy? There are also some
    >> other
    >> web sites out there. Darren Mar-Elia has a nice one at
    >> http://www.gpoguy.com and Jerry Moskowitz has an updated web site at
    >> http://www.gpoanswers.com. Then there is the Microsoft web site.
    >>
    >> --
    >> Cary W. Shultz
    >> Roanoke, VA 24014
    >> Microsoft Active Directory MVP
    >>
    >> http://www.activedirectory-win2000.com
    >> http://www.grouppolicy-win2000.com
    >>
    >>
    >>
    >> "Scott Ford" <removethis.scott@starlite-entertainment.com> wrote in
    >> message
    >> news:32D237BD-E89E-4156-BB8F-DAF27A93F61B@microsoft.com...
    >> >I know nothing about how to use or apply group policy, but I very much
    >> >need
    >> > to learn. I would like a link to a Microsoft article that gives a good
    >> > basic
    >> > step up to using it. Also, I have a network with mixed Windows 2000 and
    >> > XP
    >> > Pro machines. Many of the machines are set up with Restricted accounts.
    >> > However, I need them to be able to install Windows updates, and updates
    >> > to
    >> > an
    >> > active control that is a part of Crystal Reports. How can I go about
    >> > learning
    >> > to allow this with group policy? Thanks !
    >> > --
    >> > Scott F
    >>
    >>
    >>
Ask a new question

Read More

Policy Microsoft Windows