Applying GPO only to certain computers within an OU

momo

Archived from groups: microsoft.public.win2000.group_policy

We are in the process of deploying some software via GPO to computers
within an OU. The problem is we don't want to apply the software to all
machines within the OU.

So far what we've successfully done is create a Group and add computers
which we don't want the policy to apply. And then in the GPO security
properties deny them group from reading and applying the policy. This
has successfully worked.

But what we would rather is reverse and have computers which we want to
apply the policy in the group. What we tried is by default deny the
"Authenticated Users" group from applying the policy giving them read
on. Then for the group give them read and apply. But this hasn't worked
successfully........

Has anyone tried something like this or have any suggestions....please
 
Guest

Don't forget that deny permissions take precedence over allows.

I think if you remove the authenticated users group from the acl, and just
add in the security group "Yes Software" or whatever (the computers that are
supposed to get the policy) and give them Read & Apply GPO permissions. I'm
not sure if you'll run into trouble with a software package installation
needing 'authenticated users' to read your source info.

hth

Ken

"Momo" <louey-3@excite.com> wrote in message
news:1112867143.894012.63330@z14g2000cwz.googlegroups.com...
> We are in the process of deploying some software via GPO to computers
> within an OU. The problem is we don't want to apply the software to all
> machines within the OU.
>
> So far what we've successfully done is create a Group and add computers
> which we don't want the policy to apply. And then in the GPO security
> properties deny them group from reading and applying the policy. This
> has successfully worked.
>
> But what we would rather is reverse and have computers which we want to
> apply the policy in the group. What we tried is by default deny the
> "Authenticated Users" group from applying the policy giving them read
> on. Then for the group give them read and apply. But this hasn't worked
> successfully........
>
> Has anyone tried something like this or have any suggestions....please
>
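The group-based filtering discussed in this thread, as an added example that is not part of the original posts. It assumes the GroupPolicy and ActiveDirectory PowerShell modules from RSAT (these postdate Windows 2000, where the same change is made on the GPO's Security tab); the GPO name and computer names are hypothetical placeholders.

```powershell
# Added example: scope a software-deployment GPO to one security group.
# Assumptions (hypothetical names): GPO 'Deploy-ExampleApp', computers PC-001/PC-002.
Import-Module GroupPolicy, ActiveDirectory

$GpoName   = 'Deploy-ExampleApp'      # placeholder GPO name
$GroupName = 'Yes Software'           # group name used in the reply above
$Computers = 'PC-001', 'PC-002'       # constructed sample computer names

# 1. Create the group if needed and add the computer accounts that should get the GPO.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
}
$members = $Computers | ForEach-Object { Get-ADComputer -Identity $_ }
Add-ADGroupMember -Identity $GroupName -Members $members

# 2. Downgrade Authenticated Users from Read + Apply to Read only.
#    This removes the Allow "Apply Group Policy" right instead of adding a Deny ACE:
#    group members are also Authenticated Users, so a Deny there would override
#    the group's Allow. -Replace is required to lower an existing permission level.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 3. Grant the group Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $GroupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 4. Verify: list every trustee that can still apply the GPO.
$appliers = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }

if ($appliers -contains 'Authenticated Users') {
    throw "Authenticated Users can still apply '$GpoName'"
}
if ($appliers -notcontains $GroupName) {
    throw "'$GroupName' does not have Apply on '$GpoName'"
}
"GPO '$GpoName' now applies only to: $($appliers -join ', ')"

# Notes:
# - A computer picks up new group membership at its next restart.
# - Permissions on the package's source share are separate from the GPO ACL;
#   the computer accounts still need read access to the installer files.
```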
 
Guest

Perhaps there is some complication in your situation that I don't know
about, but here's my suggestion.

I suggest avoiding the complexity of attempting to manage the application of
GPOs via security and groups. Create a new OU as a child of the existing
OU, apply the Software distribution policy to that sub-OU and move the
computers you want to have that GPO applied to into the new sub-OU. Any
GPOs applied to the parent OU will be inherited by the new sub-OU, so the
moved computers will still get those GPOs applied to them.

One of the big features of Active Directory is the flexibility to move
things around and change the OU hierarchy easily; take advantage of that to
avoid the need to use more complex features such as security filtering.

--
Bruce Sanderson MVP

It's perfectly useless to know the right answer to the wrong question.


"Momo" <louey-3@excite.com> wrote in message
news:1112867143.894012.63330@z14g2000cwz.googlegroups.com...
> We are in the process of deploying some software via GPO to computers
> within an OU. The problem is we don't want to apply the software to all
> machines within the OU.
>
> So far what we've successfully done is create a Group and add computers
> which we don't want the policy to apply. And then in the GPO security
> properties deny them group from reading and applying the policy. This
> has successfully worked.
>
> But what we would rather is reverse and have computers which we want to
> apply the policy in the group. What we tried is by default deny the
> "Authenticated Users" group from applying the policy giving them read
> on. Then for the group give them read and apply. But this hasn't worked
> successfully........
>
> Has anyone tried something like this or have any suggestions....please
>
 
Guest

"Bruce Sanderson" wrote:
> Perhaps there is some complication in your situation that I don't know
> about, but here's my suggestion.
>
> I suggest avoiding the complexity of attempting to manage the application of
> GPOs via security and groups. Create a new OU as a child of the existing
> OU, apply the Software distribution policy to that sub-OU and move the
> computers you want to have that GPO applied to into the new sub-OU. Any
> GPOs applied to the parent OU will be inherited by the new sub-OU, so the
> moved computers will still get those GPOs applied to them.
>
> One of the big features of Active Directory is the flexibility to move
> things around and change the OU hierarchy easily; take advantage of that to
> avoid the need to use more complex features such as security filtering.
>
> --
> Bruce Sanderson MVP
>
> It's perfectly useless to know the right answer to the wrong question.
>
>
> "Momo" <louey-3@excite.com> wrote in message
> news:1112867143.894012.63330@z14g2000cwz.googlegroups.com...
> > We are in the process of deploying some software via GPO to computers
> > within an OU. The problem is we don't want to apply the software to all
> > machines within the OU.
> >
> > So far what we've successfully done is create a Group and add computers
> > which we don't want the policy to apply. And then in the GPO security
> > properties deny them group from reading and applying the policy. This
> > has successfully worked.
> >
> > But what we would rather is reverse and have computers which we want to
> > apply the policy in the group. What we tried is by default deny the
> > "Authenticated Users" group from applying the policy giving them read
> > on. Then for the group give them read and apply. But this hasn't worked
> > successfully........
> >
> > Has anyone tried something like this or have any suggestions....please
> >

Hi,

I agree with Bruce. Don’t mess with the default security settings. If
you set up to deny then they aren’t getting ANY of the policy.

Just create a child OU and move the machines into that and then move
them back again when the install is done. I have thousands of machines
and manage their software installs this way all the time.

Cheers,

Lara
