#1
Dear,

I would like to ask any of you guys, since I am a noob. I want to create a group policy but there are 2 things I am confused about:

1. it only supports .msi extension for software deployment through group policy? what about other extension? and if yes, then how do I deploy other software? do I have to convert them to .msi? what if the format is different?
2. I want to deploy a software for the user. But, there seems to be alternatives that I might not be familiar with. which one should I choose from the group policy options:

--> make an OU put all users into that OU and create a GP for those
OR
--> make an OU put all computers into that OU and create a GP for those

but in the end when creating the GPO, both options will have an option in the GPO to select system settings and user settings. Wouldn't that be the same?

I know this sounds silly,

I just need some directions

all I want is basically for all computers when they are started or any new computer joining my domain in the office, they will have that software installed

thanks

--
"He will lead you step by step, NOT all at once. But, in each step there will be a MIRACLE"
B.Comm (Information Systems and E-Commerce)
MCP, MCDST, MCITP, MCTS

T3M4N

#2

"T3M4N" <> wrote in message news:3D041E81-FCAB-482F-8C1E-...
> Dear,
>
> I would like to ask any of you guys, since I am a noob. I want to create a group policy but there are 2 things I am confused about:
>
> 1. it only supports .msi extension for software deployment through group policy? what about other extension? and if yes, then how do I deploy other software? do I have to convert them to .msi? what if the format is different?
> 2. I want to deploy a software for the user. But, there seems to be alternatives that I might not be familiar with. which one should I choose from the group policy options:
>
> --> make an OU put all users into that OU and create a GP for those
> OR
> --> make an OU put all computers into that OU and create a GP for those
>
> but in the end when creating the GPO, both options will have an option in the GPO to select system settings and user settings. Wouldn't that be the same?
>
> I know this sounds silly,
>
> I just need some directions
>
> all I want is basically for all computers when they are started or any new computer joining my domain in the office, they will have that software installed
>
> thanks

I guess someone would jump in and answer your question if in fact we could actually understand what you are asking. But, I'll take a stab at it anyway.

There are two configuration containers in a GPO, the computer config and the user config. The computer config is processed by computers that the GPO applies to when the computer boots. The user config is processed by the user process at logon time. Now, there are loopback settings and such that can change that, but that is the exception, not the rule.

If you want a piece of software to apply to all computers, deploy it in the computer configuration. When that computer boots, the software will install if it has not already been installed. If you want a piece of software to follow a user no matter what computer he logs into, but not necessarily for all users, then deploy it in the user configuration.

Software can only be "assigned" to computers, but can be "assigned" or "published" to users. When assigned, it installs automatically. When published, it is available to install, but is not installed unless there is action by the user.

By your question, it seems you want the software deployed out to every computer, no matter what, so you should "assign" it in the computer configuration settings. Be sure that computers are members of a security group that has "read" and "apply group policy" privs to the gpo. I normally add 'Domain Computers', or I create a security group and add the computer accounts to it, and then use that security group in the gpo security settings.

GPOs apply to the OU they are assigned to, and all items beneath (unless you disable GPO inheritance or use security or other types of filtering). In general, you should not deploy software in the default domain gpo, or at the domain level since this would also affect domain controllers.

Currently, you can deploy only .MSI files or .ZAP files. .ZAP files can be created for setup.exe programs and the like. I am sure you will be able to find documentation elsewhere that describes that procedure so I will not go into it here. Since software deployment is done through the Microsoft Installer, only those file types are supported.

John R

#3

Dear John R,

thanks this overall explanation really helps me a lot. anyway, the security group that you are talking here is the OU itself right?

thanks

--
"He will lead you step by step, NOT all at once. But, in each step there will be a MIRACLE"
B.Comm (Information Systems and E-Commerce)
MCP, MCDST, MCITP, MCTS

"John R" wrote:
> "T3M4N" <> wrote in message news:3D041E81-FCAB-482F-8C1E-...
> > Dear,
> >
> > I would like to ask any of you guys, since I am a noob. I want to create a group policy but there are 2 things I am confused about:
> >
> > 1. it only supports .msi extension for software deployment through group policy? what about other extension? and if yes, then how do I deploy other software? do I have to convert them to .msi? what if the format is different?
> > 2. I want to deploy a software for the user. But, there seems to be alternatives that I might not be familiar with. which one should I choose from the group policy options:
> >
> > --> make an OU put all users into that OU and create a GP for those
> > OR
> > --> make an OU put all computers into that OU and create a GP for those
> >
> > but in the end when creating the GPO, both options will have an option in the GPO to select system settings and user settings. Wouldn't that be the same?
> >
> > I know this sounds silly,
> >
> > I just need some directions
> >
> > all I want is basically for all computers when they are started or any new computer joining my domain in the office, they will have that software installed
> >
> > thanks
>
> I guess someone would jump in and answer your question if in fact we could actually understand what you are asking. But, I'll take a stab at it anyway.
>
> There are two configuration containers in a GPO, the computer config and the user config. The computer config is processed by computers that the GPO applies to when the computer boots. The user config is processed by the user process at logon time. Now, there are loopback settings and such that can change that, but that is the exception, not the rule.
>
> If you want a piece of software to apply to all computers, deploy it in the computer configuration. When that computer boots, the software will install if it has not already been installed. If you want a piece of software to follow a user no matter what computer he logs into, but not necessarily for all users, then deploy it in the user configuration.
>
> Software can only be "assigned" to computers, but can be "assigned" or "published" to users. When assigned, it installs automatically. When published, it is available to install, but is not installed unless there is action by the user.
>
> By your question, it seems you want the software deployed out to every computer, no matter what, so you should "assign" it in the computer configuration settings. Be sure that computers are members of a security group that has "read" and "apply group policy" privs to the gpo. I normally add 'Domain Computers', or I create a security group and add the computer accounts to it, and then use that security group in the gpo security settings.
>
> GPOs apply to the OU they are assigned to, and all items beneath (unless you disable GPO inheritance or use security or other types of filtering). In general, you should not deploy software in the default domain gpo, or at the domain level since this would also affect domain controllers.
>
> Currently, you can deploy only .MSI files or .ZAP files. .ZAP files can be created for setup.exe programs and the like. I am sure you will be able to find documentation elsewhere that describes that procedure so I will not go into it here. Since software deployment is done through the Microsoft Installer, only those file types are supported.
>
> John R

T3M4N

#4

"T3M4N" <> wrote in message news:C7FEB925-2E09-4BC8-893E-...
> Dear John R,
>
> thanks this overall explanation really helps me a lot. anyway, the security group that you are talking here is the OU itself right?

No, I am talking about a security group such as 'Domain Computers', or 'Enterprise Administrators'. GPOs are applied to an OU. But, what if you have 300 computer accounts in an OU but you only want the GPO to apply to 120 of them? You put the 120 computer accounts into a security group, and then in the security settings of the GPO, you grant 'Read' and 'Apply Group Policy' to that security group only. (Alternately, you could create a sub-OU and apply the GPO there, it all depends on how your administrative control is delegated to your IT staff).

John R

#5

Dear,

that helps a lot

thanks

--
"He will lead you step by step, NOT all at once. But, in each step there will be a MIRACLE"
B.Comm (Information Systems and E-Commerce)
MCP, MCDST, MCITP, MCTS

"John R" wrote:
> "T3M4N" <> wrote in message news:C7FEB925-2E09-4BC8-893E-...
> > Dear John R,
> >
> > thanks this overall explanation really helps me a lot. anyway, the security group that you are talking here is the OU itself right?
>
> No, I am talking about a security group such as 'Domain Computers', or 'Enterprise Administrators'. GPOs are applied to an OU. But, what if you have 300 computer accounts in an OU but you only want the GPO to apply to 120 of them? You put the 120 computer accounts into a security group, and then in the security settings of the GPO, you grant 'Read' and 'Apply Group Policy' to that security group only. (Alternately, you could create a sub-OU and apply the GPO there, it all depends on how your administrative control is delegated to your IT staff).
>
> John R

T3M4N

#6

"T3M4N" <> wrote in message news:853735A0-6362-4182-9724-...
> Dear,
>
> that helps a lot
> thanks

One other thing, if you are just getting into using GPOs, and you are going to filter based on group memberships, come up with a consistent group naming policy, such as "GPOappname" for GPOs that deploy a particular application, etc. When your domain starts to get hundreds of GPOs, you'll thank me for that tip.

John R
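
The security filtering described in post #4 and the group naming tip in post #6, scripted with the ActiveDirectory and GroupPolicy PowerShell modules. This is an added example, not part of the original thread; the application name, OU path, computer names and GPO name are constructed placeholders, and the .msi package itself is still assigned in the GPO editor under Computer Configuration.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Constructed placeholder values (assumptions, not taken from the thread).
$AppName   = 'ExampleApp'
$Group     = "GPO$AppName"                        # "GPOappname" naming scheme
$GpoName   = "Deploy $AppName"
$TargetOU  = 'OU=Workstations,DC=example,DC=local'
$Computers = 'PC-0001', 'PC-0002'                 # accounts that should get the GPO

# Security group holding only the computer accounts the GPO should reach.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}

# Add only accounts that are not members yet, so the script can be re-run.
$current = @(Get-ADGroupMember -Identity $Group | ForEach-Object SamAccountName)
$toAdd   = @($Computers |
    ForEach-Object { Get-ADComputer -Identity $_ } |
    Where-Object   { $current -notcontains $_.SamAccountName })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $Group -Members $toAdd
}

# Create the GPO and link it to the OU rather than the domain root, which
# keeps domain controllers out of scope.
$gpo = New-GPO -Name $GpoName -Comment "Computer-assigned $AppName, filtered to $Group"
New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null

# A new GPO grants Authenticated Users Read + Apply. Reduce that to Read
# (keeping Read avoids processing failures on patched clients), then grant
# Apply, which includes Read, to the filter group only.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Check the result: the filter group should be the only GpoApply trustee.
Get-GPPermission -Guid $gpo.Id -All |
    Where-Object Permission -eq 'GpoApply' |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

A computer only picks up its new group membership after a restart, which is also when computer-assigned software installs.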