Administrative installs blocked by GPO

Tim

Mar 31, 2004
Archived from groups: microsoft.public.win2000.group_policy

I am having an issue with a GPO set to an OU that should be blocking user
installs but instead blocks all installs, even when Domain, Enterprise Admins
and a Technician group have been set to not have the policy apply. The
Disable Windows Installer setting is Enabled under the Computer settings; that
is the root of my issue, forcing me to move a machine out of the OU in order to
install anything. It has become a thorn in our sides when you are trying to do
updates and install anti-virus programs and the like to have to wait out
replication or force it and have a machine reboot. If anyone has some
help on this subject it would be appreciated. To note: no other policy about
this (it is the Domain level) has any settings that would affect this and no
other policy is linked to this OU.
 
Guest

Since this is a computer configuration setting it will apply to all users.
If you can configure what you want to accomplish in user configuration, then
you can exempt specific users/groups with Group Policy filtering. Usually a
better approach is to simply use Software Installation policy to either
assign/publish authorized .msi packages to users/computers. This works well
if the domain users are NOT local administrators of their computers. If they
are then you will have a much more difficult time trying to accomplish what
you want unless the workstations are XP Pro in which case you can use
Software Restriction Policies/user configuration and configure the
enforcement rule to include local administrators. Unfortunately a Windows 2003
domain is needed for SRP in user configuration, though you can manage
SRP/computer configuration in a Windows 2000 domain.

--- Steve


"Tim" <Tim@discussions.microsoft.com> wrote in message
news:5D70470E-3CDB-4998-9500-709869B2CC71@microsoft.com...
> I am having an issue with a GPO set to an OU that should be blocking user
> installs but instead blocks all installs, even when Domain, Enterprise Admins
> and a Technician group have been set to not have the policy apply. The
> Disable Windows Installer setting is Enabled under the Computer settings; that
> is the root of my issue, forcing me to move a machine out of the OU in order to
> install anything. It has become a thorn in our sides when you are trying to do
> updates and install anti-virus programs and the like to have to wait out
> replication or force it and have a machine reboot. If anyone has some
> help on this subject it would be appreciated. To note: no other policy about
> this (it is the Domain level) has any settings that would affect this and no
> other policy is linked to this OU.
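
Added example (not part of the original thread): a simplified Python model of GPO security filtering, showing why denying the policy to admin groups does not lift a computer-configuration setting. The GPO name, account names and the user-side setting are constructed for illustration.

```python
# Simplified model of GPO security filtering (illustration only).
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)

    def token(self):
        # Every authenticated account, user or computer, carries this group.
        return {self.name, "Authenticated Users"} | self.groups

@dataclass
class Gpo:
    name: str
    allow_apply: set        # trustees with Allow Read + Apply Group Policy
    deny_apply: set         # trustees with Deny Apply Group Policy
    computer_settings: dict
    user_settings: dict

    def applies_to(self, principal):
        tok = principal.token()
        if tok & self.deny_apply:      # an explicit Deny wins over any Allow
            return False
        return bool(tok & self.allow_apply)

def resultant_settings(gpo, computer, user):
    """Computer settings are filtered against the computer account,
    user settings against the logged-on user."""
    result = {}
    if gpo.applies_to(computer):
        result.update(gpo.computer_settings)
    if gpo.applies_to(user):
        result.update(gpo.user_settings)
    return result

# Constructed sample data mirroring the setup described in the thread.
LOCKDOWN = Gpo(
    name="OU lockdown (hypothetical name)",
    allow_apply={"Authenticated Users"},
    deny_apply={"Domain Admins", "Enterprise Admins", "Technicians"},
    computer_settings={"Disable Windows Installer": "Enabled"},
    user_settings={"Example user-side restriction": "Enabled"},
)
WORKSTATION = Principal("WKS01$", {"Domain Computers"})
ADMIN = Principal("admin1", {"Domain Admins"})
STAFF = Principal("staff1", {"Domain Users"})
```

For the admin logged on to the workstation, only the user-side setting drops out; the computer-side "Disable Windows Installer" entry remains because the computer account is not a member of any denied group.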
 

Tim


I have those policies in place but they are mostly ineffective since I
would be constantly updating the policy to include new *.exe packages as we
find them. I got to this point because we had to recreate the GPO. Since it
has been rebuilt the machine policy has been a sticking point in rolling out
programs via automated service. So now I am trying to figure out what
happened to allow it that is not turned on to allow it. If there is any
direction you can provide I would really appreciate it.

"Steven L Umbach" wrote:

> Since this is a computer configuration setting it will apply to all users.
> If you can configure what you want to accomplish in user configuration, then
> you can exempt specific users/groups with Group Policy filtering. Usually a
> better approach is to simply use Software Installation policy to either
> assign/publish authorized .msi packages to users/computers. This works well
> if the domain users are NOT local administrators of their computers. If they
> are then you will have a much more difficult time trying to accomplish what
> you want unless the workstations are XP Pro in which case you can use
> Software Restriction Policies/user configuration and configure the
> enforcement rule to include local administrators. Unfortunately a Windows 2003
> domain is needed for SRP in user configuration, though you can manage
> SRP/computer configuration in a Windows 2000 domain.
>
> --- Steve
>
>
> "Tim" <Tim@discussions.microsoft.com> wrote in message
> news:5D70470E-3CDB-4998-9500-709869B2CC71@microsoft.com...
> > I am having an issue with a GPO set to an OU that should be blocking user
> > installs but instead blocks all installs, even when Domain, Enterprise Admins
> > and a Technician group have been set to not have the policy apply. The
> > Disable Windows Installer setting is Enabled under the Computer settings; that
> > is the root of my issue, forcing me to move a machine out of the OU in order to
> > install anything. It has become a thorn in our sides when you are trying to do
> > updates and install anti-virus programs and the like to have to wait out
> > replication or force it and have a machine reboot. If anyone has some
> > help on this subject it would be appreciated. To note: no other policy about
> > this (it is the Domain level) has any settings that would affect this and no
> > other policy is linked to this OU.