
Group Policy confusion - I'm stuck on software install 2


jatkinson

Technical User
Nov 14, 2001
406
GB
Hi all,

It's been a while since I've used Group Policies and I thought what I wanted to do was simple enough, however it doesn't seem to be working and I can't figure out why, which is now confusing me even more!!

Basically, I want to install a piece of software via a policy to a specific group of people. These users are setup in AD across multiple OUs, therefore the policy I created was put in at domain level, expecting it to inherited by the OUs below.

In a nutshell this is what I did:

1. Create a new group policy. For Computer settings (I want the software to install at start-up) I created a new software installation and pointed it to the server share that contains the software msi file. This share has read permissions for every user set up (as well as security permissions on the actual folder.)

2. Attached the policy at domain level and set it to 'Enforced' so any OUs blocking inheritance are overwritten.

3. Created a security group in AD, and added all the relevant users as members.

4. Added the new security group with read and apply group policy permissions on the new group policy (and removed apply group policy on the authenticated users group)

When I run Group Policy results in GPMC and look at the results it tells me the policy is denied "Access Denied (Security Filtering)"..... which is where I am stuck; the permissions to read and apply the policy are applied to the group so why is access denied?

I'm probably missing something simple but I just can't put my finger on it.

Any ideas please?

Many thanks.

James
 
Double check that the users have rights to the shared folder by trying to access the share point directly as a user. If the users do not have local admin rights to their PC try installing with elevated privileges in the GPO.
 
Yep, tried that..no problem with users access rights. Thanks for your post though.
 
Run the gpresult wizard on the GPMC and see what it tells you about the specific users. Your process seems fine. When you have run the wizard you can check the events tab on the right hand side of the report and see if something significant comes up.
Next thing is to do this from Run:
\\domainname\sysvol\domainname and see if you can get to the policies under the user account.
I've found it takes a few gpupdates/reboots to work sometimes.
 
I only skimmed the thread - so sorry if this has already been mentioned or I missed the point.

You have a COMPUTER policy but it's got restrictions on an AD Group which only has users in it?

Surely if you want the install to occur at startup it's prior to any user authentication - thus how does AD know if the user that's about to logon is part of the group or not?
Try moving the policy to either user settings or add the machines to the group in AD that you want it rolled out to.

You can't have an application roll-out with a restriction based on users if the application roll-out is located in the computer settings.

Good Luck,

Steve.

"They have the internet on computers now!" - Homer Simpson
 
He said that the policy was created at domain level, so it should apply to everything below.
"These users are setup in AD across multiple OUs, therefore the policy I created was put in at domain level, expecting it to inherited by the OUs below."
 
Hi Steve,

I'm thinking down the same lines as you and that is when I started getting confused. Like you it doesn't make sense to me logically to configure this way but this is how it's been explained and taught to me.

I want to run the policy at computer level so it is installed prior to being required by the user but I want to determine the users (not the computers) that have the software as users move about sometimes. However logic is telling me (and the tests elmurado mentions - thanks for mentioning those) that I can't do it that way.

I recall in the past we installed software to specific machines by creating a new OU that contained the computers required and then applied the policy there. However I don't really want to move 100+ PCs into a new OU to then move them back into their 'home' OU. To that end I'm thinking of creating a computer group (is that possible?) and then applying that to the root OU that contains all the computers (in their various OUs) to apply filtering?

Again though, this idea is based on the view that the users remain at the specific computers included in the group.

Cheers.
 
Most flexible way (IME) is definitely to create a security group and then add the objects to the group and then apply the GPO to that group (after removing the authenticated users group). Then link the GPO high enough up the tree so that the policy is applied to everything below it but ONLY IF the object (computer/user) is in the security group that you created.
Can you see any errors in the event logs in the GPresults wizard? The tab on the far right hand side of the query that you run against a user/computer.
But now that I read what you put here:
"I want to run the policy at computer level so it is installed prior to being required by the user but I want to determine the users (not the computers) that have the software as users move about sometimes. However logic is telling me (and the tests elmurado mentions - thanks for mentioning those) that I can't do it that way." makes me see what Steve said could be correct. Is the software install a Computer Config one? And you only have users in your security group? Because Steve is right (apologies to Steve for missing his point), that won't work. You'd have to have the install as part of the User Configuration in the GPO (User>Software Settings>etc) then when the user logs on the software will begin to install.
Set up a test user and try it on a spare machine (or your own).
Check this page
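The point Steve and elmurado make above (a Computer Configuration GPO is evaluated against the computer account's group membership, not the logged-on user's, and security filtering needs the right principal in the group) can be checked from PowerShell rather than by trial and error. The script below is an added example, not code from the thread; it assumes the GroupPolicy and ActiveDirectory modules (RSAT) are installed, and the GPO, group and computer names are placeholders.

```powershell
# Added example: explain an "Access Denied (Security Filtering)" result for a
# computer-configuration GPO. Requires RSAT: GroupPolicy and ActiveDirectory modules.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Test-GpoComputerFiltering {
    param(
        [Parameter(Mandatory)] [string] $GpoName,       # e.g. 'Deploy App X'   (placeholder)
        [Parameter(Mandatory)] [string] $GroupName,     # e.g. 'GPO-AppX-Install' (placeholder)
        [Parameter(Mandatory)] [string] $ComputerName   # e.g. 'WS001'          (placeholder)
    )

    # 1. The GPO's security filtering: who holds "Apply Group Policy"?
    $perms = Get-GPPermission -Name $GpoName -All
    $applyTo = $perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
               ForEach-Object { $_.Trustee.Name }

    # 2. Is the COMPUTER account in the filtering group? Startup-time software
    #    installation runs under the machine token, so user members are irrelevant.
    #    Computer sAMAccountNames end in '$'.
    $members  = Get-ADGroupMember -Identity $GroupName -Recursive
    $compSam  = "$ComputerName`$"
    $inGroup  = @($members.SamAccountName) -contains $compSam

    # 3. The machine must also be able to READ the GPO. Since MS16-072 (2016) the
    #    computer account needs Read even for user settings, so removing
    #    Authenticated Users entirely (instead of just its Apply right) breaks processing.
    $readers = $perms | Where-Object {
        $_.Permission -in 'GpoRead','GpoApply','GpoEdit','GpoEditDeleteModifySecurity' -and -not $_.Denied
    } | ForEach-Object { $_.Trustee.Name }
    $canRead = ($readers -contains 'Authenticated Users') -or
               ($readers -contains 'Domain Computers') -or
               ($readers -contains $GroupName -and $inGroup)

    [pscustomobject]@{
        Gpo              = $GpoName
        ApplyGrantedTo   = ($applyTo -join ', ')
        ComputerInGroup  = $inGroup
        ComputerCanRead  = $canRead
        WillApplyAtBoot  = $inGroup -and $canRead -and ($applyTo -contains $GroupName)
    }
}

# Usage: Test-GpoComputerFiltering -GpoName 'Deploy App X' -GroupName 'GPO-AppX-Install' -ComputerName 'WS001'
# To add the machine:  Add-ADGroupMember -Identity 'GPO-AppX-Install' -Members 'WS001$'
# To restore read access after dropping Authenticated Users from Apply:
#   Set-GPPermission -Name 'Deploy App X' -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead
```

On the client, `gpresult /scope computer /r` (run elevated) shows the same GPO under "Filtered out" with the security-filtering reason, which is the quickest way to confirm the fix after a reboot; group membership changes need a reboot because the machine token is built at startup.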
 
Thanks Guys for confirming my suspicions.

I'm going to have to rework this on computer groups. I could push the software out to every PC on the domain but after testing it specifically on my PC it took more than 30 mins to install at start-up! (pretty certain something wrong there!) so I want a controlled incremental rollout throughout the domain, just in case! ;-)
 