Problems with Group Policy on Win2k Server

  • Thread starter Thread starter Guest
  • Start date Start date
Toggle sidebar Toggle sidebar
G

Guest

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi All...

We're having some issues with Software Installation GPOs on Win2k Server.
Here's the issue:

1. An OU is created at the root level of the domain in Active Directory
Users and Computers.
2. A GPO is applied to the OU containing our software MSI files (we are
publishing the MSI packages, and not assigning them).
3. A security group is created and placed inside the software installation
OU, and users are added to this group.
4. A secedit /policyrefresh command is issued.
5. Any of the members of the software installation security group may log
in, but none of the MSI packages appear in Add/Remove Programs.

Now, here's the weird part:

1. A member of the software installation security groups is moved directly
into the software installation OU.
2. A policy refresh is performed.
3. The user added directly to the software installation OU logs in, and the
MSI packages appear in Add/Remove Programs!

What's going on here? We need to be able to keep users in one place, and
have the GPO apply to the security group.

Thanks in advance.

Marc
 
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Group policies, strangely enough, apply to users in the OU not groups.

I understand your confusion.

See:
http://support.microsoft.com/default.aspx?scid=kb;en-us;220822&Product=win2000

hth
DDS W 2k MVP MCSE

"Marc Hoffman" <spamcatcher@frontiernet.net> wrote in message
news:BCB5525C.EE6%spamcatcher@frontiernet.net...
> Hi All...
>
> We're having some issues with Software Installation GPOs on Win2k Server.
> Here's the issue:
>
> 1. An OU is created at the root level of the domain in Active Directory
> Users and Computers.
> 2. A GPO is applied to the OU containing our software MSI files (we are
> publishing the MSI packages, and not assigning them).
> 3. A security group is created and placed inside the software installation
> OU, and users are added to this group.
> 4. A secedit /policyrefresh command is issued.
> 5. Any of the members of the software installation security group may log
> in, but none of the MSI packages appear in Add/Remove Programs.
>
> Now, here's the weird part:
>
> 1. A member of the software installation security groups is moved directly
> into the software installation OU.
> 2. A policy refresh is performed.
> 3. The user added directly to the software installation OU logs in, and
the
> MSI packages appear in Add/Remove Programs!
>
> What's going on here? We need to be able to keep users in one place, and
> have the GPO apply to the security group.
>
> Thanks in advance.
>
> Marc
>
 
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Interesting and annoying at the same time ;-)

Does Win2k3 Server have this "feature"?

Marc


On 4/28/04 12:44 PM, in article uYd#6iULEHA.3428@TK2MSFTNGP09.phx.gbl,
"Danny Sanders" <Danny.Sanders@cpcNOmedSPAM.org> wrote:

> Group policies, strangely enough, apply to users in the OU not groups.
>
> I understand your confusion.
>
> See:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;220822&Product=win2000
>
> hth
> DDS W 2k MVP MCSE
>
> "Marc Hoffman" <spamcatcher@frontiernet.net> wrote in message
> news:BCB5525C.EE6%spamcatcher@frontiernet.net...
>> Hi All...
>>
>> We're having some issues with Software Installation GPOs on Win2k Server.
>> Here's the issue:
>>
>> 1. An OU is created at the root level of the domain in Active Directory
>> Users and Computers.
>> 2. A GPO is applied to the OU containing our software MSI files (we are
>> publishing the MSI packages, and not assigning them).
>> 3. A security group is created and placed inside the software installation
>> OU, and users are added to this group.
>> 4. A secedit /policyrefresh command is issued.
>> 5. Any of the members of the software installation security group may log
>> in, but none of the MSI packages appear in Add/Remove Programs.
>>
>> Now, here's the weird part:
>>
>> 1. A member of the software installation security groups is moved directly
>> into the software installation OU.
>> 2. A policy refresh is performed.
>> 3. The user added directly to the software installation OU logs in, and
> the
>> MSI packages appear in Add/Remove Programs!
>>
>> What's going on here? We need to be able to keep users in one place, and
>> have the GPO apply to the security group.
>>
>> Thanks in advance.
>>
>> Marc
>>
>
>
 
Archived from groups: microsoft.public.win2000.group_policy (More info?)

I don't have Win 2k3 but I think this exciting feature (group policy that
does not work on groups) is there to confuse you also!


hth
DDS W 2k MVP MCSE


"Marc Hoffman" <spamcatcher@frontiernet.net> wrote in message
news:BCB56A2C.1140%spamcatcher@frontiernet.net...
> Interesting and annoying at the same time ;-)
>
> Does Win2k3 Server have this "feature"?
>
> Marc
>
>
> On 4/28/04 12:44 PM, in article uYd#6iULEHA.3428@TK2MSFTNGP09.phx.gbl,
> "Danny Sanders" <Danny.Sanders@cpcNOmedSPAM.org> wrote:
>
> > Group policies, strangely enough, apply to users in the OU not groups.
> >
> > I understand your confusion.
> >
> > See:
> >
http://support.microsoft.com/default.aspx?scid=kb;en-us;220822&Product=win2000
> >
> > hth
> > DDS W 2k MVP MCSE
> >
> > "Marc Hoffman" <spamcatcher@frontiernet.net> wrote in message
> > news:BCB5525C.EE6%spamcatcher@frontiernet.net...
> >> Hi All...
> >>
> >> We're having some issues with Software Installation GPOs on Win2k
Server.
> >> Here's the issue:
> >>
> >> 1. An OU is created at the root level of the domain in Active Directory
> >> Users and Computers.
> >> 2. A GPO is applied to the OU containing our software MSI files (we are
> >> publishing the MSI packages, and not assigning them).
> >> 3. A security group is created and placed inside the software
installation
> >> OU, and users are added to this group.
> >> 4. A secedit /policyrefresh command is issued.
> >> 5. Any of the members of the software installation security group may
log
> >> in, but none of the MSI packages appear in Add/Remove Programs.
> >>
> >> Now, here's the weird part:
> >>
> >> 1. A member of the software installation security groups is moved
directly
> >> into the software installation OU.
> >> 2. A policy refresh is performed.
> >> 3. The user added directly to the software installation OU logs in, and
> > the
> >> MSI packages appear in Add/Remove Programs!
> >>
> >> What's going on here? We need to be able to keep users in one place,
and
> >> have the GPO apply to the security group.
> >>
> >> Thanks in advance.
> >>
> >> Marc
> >>
> >
> >
>
 
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Definitely not any different in W2K3. I think they should rename GPOs to
"Absolutely Nothing to do with Groups" Policy. It would be more accurate.
🙂


"Danny Sanders" <Danny.Sanders@cpcNOmedSPAM.org> wrote in message
news:OpDivWVLEHA.1416@TK2MSFTNGP09.phx.gbl...
> I don't have Win 2k3 but I think this exciting feature (group policy that
> does not work on groups) is there to confuse you also!
>
>
> hth
> DDS W 2k MVP MCSE
>
>
> "Marc Hoffman" <spamcatcher@frontiernet.net> wrote in message
> news:BCB56A2C.1140%spamcatcher@frontiernet.net...
> > Interesting and annoying at the same time ;-)
> >
> > Does Win2k3 Server have this "feature"?
> >
> > Marc
> >
> >
> > On 4/28/04 12:44 PM, in article uYd#6iULEHA.3428@TK2MSFTNGP09.phx.gbl,
> > "Danny Sanders" <Danny.Sanders@cpcNOmedSPAM.org> wrote:
> >
> > > Group policies, strangely enough, apply to users in the OU not groups.
> > >
> > > I understand your confusion.
> > >
> > > See:
> > >
>
http://support.microsoft.com/default.aspx?scid=kb;en-us;220822&Product=win2000
> > >
> > > hth
> > > DDS W 2k MVP MCSE
> > >
> > > "Marc Hoffman" <spamcatcher@frontiernet.net> wrote in message
> > > news:BCB5525C.EE6%spamcatcher@frontiernet.net...
> > >> Hi All...
> > >>
> > >> We're having some issues with Software Installation GPOs on Win2k
> Server.
> > >> Here's the issue:
> > >>
> > >> 1. An OU is created at the root level of the domain in Active
Directory
> > >> Users and Computers.
> > >> 2. A GPO is applied to the OU containing our software MSI files (we
are
> > >> publishing the MSI packages, and not assigning them).
> > >> 3. A security group is created and placed inside the software
> installation
> > >> OU, and users are added to this group.
> > >> 4. A secedit /policyrefresh command is issued.
> > >> 5. Any of the members of the software installation security group may
> log
> > >> in, but none of the MSI packages appear in Add/Remove Programs.
> > >>
> > >> Now, here's the weird part:
> > >>
> > >> 1. A member of the software installation security groups is moved
> directly
> > >> into the software installation OU.
> > >> 2. A policy refresh is performed.
> > >> 3. The user added directly to the software installation OU logs in,
and
> > > the
> > >> MSI packages appear in Add/Remove Programs!
> > >>
> > >> What's going on here? We need to be able to keep users in one place,
> and
> > >> have the GPO apply to the security group.
> > >>
> > >> Thanks in advance.
> > >>
> > >> Marc
> > >>
> > >
> > >
> >
>
>
 
Archived from groups: microsoft.public.win2000.group_policy (More info?)

Marc Hoffman <spamcatcher@frontiernet.net> said

> Interesting and annoying at the same time ;-)
>
> Does Win2k3 Server have this "feature"?
>

What you need to remember is that GPOs are linked to Domains or OU's, not
users, computers, security groups or any other obect within AD.
Usernames and group membership can be used as filters, but that is all. They
are only a means to fine tune the targeting of your GPOs within a given OU.

Andy.
 
You must log in or register to reply here.

TRENDING THREADS

Latest posts

Moderators online

Share this page

COMPANY
RESOURCES
FOLLOW
Top Bottom