Group Policy

Discussion in 'Microsoft Certification' started by T3M4N, Mar 27, 2008.

  1. T3M4N

    T3M4N Guest

    Dear,

    I would like to ask any of you guys, since I am a noob.
    I want to create a group policy but there are 2 things i am confused about:

    1. it only supports .msi extension for software deployment through group
    policy ? what about other extension? and if yes, then how do I deploy other
    softwarE? do I have to convert them to .msi ? what if the format is
    different?
    2. I want to deploy a software for the user. But, there seems to be
    alternatives that I might not be familiar with. which one should I choose
    from the group policy options:

    --> make an OU put all users into that OU and create a GP for those
    OR
    --> make an OU put all computers into that OU and create a GP for those


    but in the end when creating the GPO, both options will have an option in
    the GPO to select system settings and user settings. Wouldnt that be the same?

    I know this sounds silly,

    I just need some directions


    all I want is basically
    for all computers when they are started or any new computer joining my
    domain in the office, they will have that software installed

    thanks


    --
    "He will lead you step by step, NOT all at once. But, in each step there
    will be a MIRACLE"

    B.Comm (Information Systems and E-Commerce)
    MCP, MCDST, MCITP, MCTS
     
    T3M4N, Mar 27, 2008
    #1
    1. Advertising

  2. T3M4N

    John R Guest

    "T3M4N" <> wrote in message
    news:...
    > Dear,
    >
    > I would like to ask any of you guys, since I am a noob.
    > I want to create a group policy but there are 2 things i am confused
    > about:
    >
    > 1. it only supports .msi extension for software deployment through group
    > policy ? what about other extension? and if yes, then how do I deploy
    > other
    > softwarE? do I have to convert them to .msi ? what if the format is
    > different?
    > 2. I want to deploy a software for the user. But, there seems to be
    > alternatives that I might not be familiar with. which one should I choose
    > from the group policy options:
    >
    > --> make an OU put all users into that OU and create a GP for those
    > OR
    > --> make an OU put all computers into that OU and create a GP for those
    >
    >
    > but in the end when creating the GPO, both options will have an option in
    > the GPO to select system settings and user settings. Wouldnt that be the
    > same?
    >
    > I know this sounds silly,
    >
    > I just need some directions
    >
    >
    > all I want is basically
    > for all computers when they are started or any new computer joining my
    > domain in the office, they will have that software installed
    >
    > thanks
    >
    >


    I guess someone would jump in and answer your question if in fact we could
    actually understand what you are asking. But, I'll take a stab at it
    anyway.

    There are two configuration containers in a GPO, the computer config and the
    user config. The computer config is processed by computers that the GPO
    applies to when the computer boots. The user config is processed by the
    user process at logon time. Now, there are loopback settings and such that
    can change that, but that is the exception, not the rule.

    If you want a piece of software to apply to all computers, deploy it in the
    computer configuration. When that computer boots, the software will install
    if it has not already been installed. If you want a piece of software to
    follow a user no matter what computer he logs into, but not necessarily for
    all users, then deploy it in the user configuration.

    Software can only be "assigned" to computers, but can be "assigned" or
    "published" to users. When assigned, it installs automatically. When
    published, it is available to install, but is not installed unless there is
    action by the user.

    By your question, it seems you want the software deployed out to every
    computer, no matter what, so you should "assign" it in the computer
    configuration settings. Be sure that computers are members of a security
    group that has "read" and "apply group policy" privs to the gpo. I normally
    add 'Domain Computers', or I create a security group and add the computer
    accounts to it, and then use that security group in the gpo security
    settings.

    GPOs apply to the OU they are assigned to, and all items beneath (unless you
    disable GPO inheritance or use security or other types of filtering). In
    general, you should not deploy software in the default domain gpo, or at the
    domain level since this would also affect domain controllers.

    Currently, you can deploy only .MSI files or .ZAP files. .ZAP files can be
    created for setup.exe programs and the like. I am sure you will be able to
    find documentation elsewhere that describes that procedure so I will not go
    into it here. Since software deployment is done through the Microsoft
    Installer, only those file types are supported.

    John R
     
    John R, Mar 27, 2008
    #2
    1. Advertising

  3. T3M4N

    T3M4N Guest

    Dear John R,

    thanks this overall explanation really helps me a lot.
    anyway, the security group that you are talking here is the OU itself right?

    thanks
    --
    "He will lead you step by step, NOT all at once. But, in each step there
    will be a MIRACLE"

    B.Comm (Information Systems and E-Commerce)
    MCP, MCDST, MCITP, MCTS


    "John R" wrote:

    >
    > "T3M4N" <> wrote in message
    > news:...
    > > Dear,
    > >
    > > I would like to ask any of you guys, since I am a noob.
    > > I want to create a group policy but there are 2 things i am confused
    > > about:
    > >
    > > 1. it only supports .msi extension for software deployment through group
    > > policy ? what about other extension? and if yes, then how do I deploy
    > > other
    > > softwarE? do I have to convert them to .msi ? what if the format is
    > > different?
    > > 2. I want to deploy a software for the user. But, there seems to be
    > > alternatives that I might not be familiar with. which one should I choose
    > > from the group policy options:
    > >
    > > --> make an OU put all users into that OU and create a GP for those
    > > OR
    > > --> make an OU put all computers into that OU and create a GP for those
    > >
    > >
    > > but in the end when creating the GPO, both options will have an option in
    > > the GPO to select system settings and user settings. Wouldnt that be the
    > > same?
    > >
    > > I know this sounds silly,
    > >
    > > I just need some directions
    > >
    > >
    > > all I want is basically
    > > for all computers when they are started or any new computer joining my
    > > domain in the office, they will have that software installed
    > >
    > > thanks
    > >
    > >

    >
    > I guess someone would jump in and answer your question if in fact we could
    > actually understand what you are asking. But, I'll take a stab at it
    > anyway.
    >
    > There are two configuration containers in a GPO, the computer config and the
    > user config. The computer config is processed by computers that the GPO
    > applies to when the computer boots. The user config is processed by the
    > user process at logon time. Now, there are loopback settings and such that
    > can change that, but that is the exception, not the rule.
    >
    > If you want a piece of software to apply to all computers, deploy it in the
    > computer configuration. When that computer boots, the software will install
    > if it has not already been installed. If you want a piece of software to
    > follow a user no matter what computer he logs into, but not necessarily for
    > all users, then deploy it in the user configuration.
    >
    > Software can only be "assigned" to computers, but can be "assigned" or
    > "published" to users. When assigned, it installs automatically. When
    > published, it is available to install, but is not installed unless there is
    > action by the user.
    >
    > By your question, it seems you want the software deployed out to every
    > computer, no matter what, so you should "assign" it in the computer
    > configuration settings. Be sure that computers are members of a security
    > group that has "read" and "apply group policy" privs to the gpo. I normally
    > add 'Domain Computers', or I create a security group and add the computer
    > accounts to it, and then use that security group in the gpo security
    > settings.
    >
    > GPOs apply to the OU they are assigned to, and all items beneath (unless you
    > disable GPO inheritance or use security or other types of filtering). In
    > general, you should not deploy software in the default domain gpo, or at the
    > domain level since this would also affect domain controllers.
    >
    > Currently, you can deploy only .MSI files or .ZAP files. .ZAP files can be
    > created for setup.exe programs and the like. I am sure you will be able to
    > find documentation elsewhere that describes that procedure so I will not go
    > into it here. Since software deployment is done through the Microsoft
    > Installer, only those file types are supported.
    >
    > John R
    >
    >
    >
     
    T3M4N, Mar 28, 2008
    #3
  4. T3M4N

    John R Guest

    "T3M4N" <> wrote in message
    news:...
    > Dear John R,
    >
    > thanks this overall explanation really helps me a lot.
    > anyway, the security group that you are talking here is the OU itself
    > right?
    >


    No, I am talking about a security group such as 'Domain Computers', or
    'Enterprise Administrators'. GPOs are applied to an OU. But, what if you
    have 300 computer accounts in an OU but you only want the GPO to apply to
    120 of them? You put the 120 computer accounts into a security group, and
    then in the security settings of the GPO, you grant 'Read' and 'Apply Group
    Policy' to that security group only. (Alternately, you could create a
    sub-OU and apply the GPO there, it all depends on how your administrative
    control is delegated to your IT staff).

    John R
     
    John R, Mar 28, 2008
    #4
  5. T3M4N

    T3M4N Guest

    Dear,

    that helps a lot :)
    thanks


    --
    "He will lead you step by step, NOT all at once. But, in each step there
    will be a MIRACLE"

    B.Comm (Information Systems and E-Commerce)
    MCP, MCDST, MCITP, MCTS


    "John R" wrote:

    >
    > "T3M4N" <> wrote in message
    > news:...
    > > Dear John R,
    > >
    > > thanks this overall explanation really helps me a lot.
    > > anyway, the security group that you are talking here is the OU itself
    > > right?
    > >

    >
    > No, I am talking about a security group such as 'Domain Computers', or
    > 'Enterprise Administrators'. GPOs are applied to an OU. But, what if you
    > have 300 computer accounts in an OU but you only want the GPO to apply to
    > 120 of them? You put the 120 computer accounts into a security group, and
    > then in the security settings of the GPO, you grant 'Read' and 'Apply Group
    > Policy' to that security group only. (Alternately, you could create a
    > sub-OU and apply the GPO there, it all depends on how your administrative
    > control is delegated to your IT staff).
    >
    > John R
    >
    >
    >
     
    T3M4N, Mar 28, 2008
    #5
  6. T3M4N

    John R Guest

    "T3M4N" <> wrote in message
    news:...
    > Dear,
    >
    > that helps a lot :)
    > thanks
    >


    One other thing, if you are just getting into using GPOs, and you are going
    to filter based on group memberships, come up with a consistent group naming
    policy, such as "GPOappname" for GPOs that deploy a particular application,
    etc. When your domain starts to get hundreds of GPOs, you'll thank me for
    that tip.

    John R
     
    John R, Mar 28, 2008
    #6
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Kevin Lancaster

    Group Policy and PEAP

    Kevin Lancaster, Jun 23, 2004, in forum: Wireless Networking
    Replies:
    0
    Views:
    2,570
    Kevin Lancaster
    Jun 23, 2004
  2. Tyler Cobb
    Replies:
    6
    Views:
    18,754
    Tyler Cobb
    Oct 19, 2005
  3. =?Utf-8?B?UGhvZW5peCBDeWNsaXN0?=

    Group policy with no group

    =?Utf-8?B?UGhvZW5peCBDeWNsaXN0?=, Mar 15, 2007, in forum: Wireless Networking
    Replies:
    1
    Views:
    528
    Jack \(MVP-Networking\).
    Mar 15, 2007
  4. Tyler Cobb
    Replies:
    1
    Views:
    767
    dawnad
    Oct 9, 2005
  5. Geoffrey Sinclair

    Policy map using policy map

    Geoffrey Sinclair, Jul 27, 2009, in forum: Cisco
    Replies:
    1
    Views:
    594
    bod43
    Jul 27, 2009
Loading...

Share This Page