+ Post New Thread
Page 1 of 2 12 LastLast
Results 1 to 15 of 17
Windows Thread, Filter applications by security group in Technical; I'm thinking about having one sofware policy at the top of our computers OU and then having a security group ...
  1. #1
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,205
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74

    Filter applications by security group

    I'm thinking about having one sofware policy at the top of our computers OU and then having a security group for each application this way only members of the group receive the application. Who here manages their apps this way and do you find it to be a pain when you have an app that's installed everywhere so you have to add 400 + PC's to the group?


    Chrrently we use a combination of security groups and applying software at the OU level but it's becoming a bit of a pain.

    Cheers.

  2. #2

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,157
    Thank Post
    116
    Thanked 529 Times in 452 Posts
    Blog Entries
    2
    Rep Power
    124
    We do something like this but wouldn't use a security group for something that's wanted everywhere (it's hard work, as you say!)

    Basically, the top level software goes on everything (Office, Sophos, Adobe Reader etc) and then things like student record package go on the PCs that need it. Was a faff to set up at first (lots of PCs needed it!) but it was scripted. Now it's easy - if a new PC comes in that needs the software it goes in the group at that point while the account is being put into AD.

  3. #3
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,205
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Thanks for the reply Steve.

    When you make a change to a package at the top level e.g. Office do you have the issue of all stations reapplying the packages at the same time?

    This is why i applied at OU level originally just in case i wanted to make changes to one room.

  4. #4
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,205
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Anyone have an answer to this? The problem i find is that if i add the application using a GPO that's quite high up the AD structure if i make a change to the GPO all of the clients reinstall the app which is a pain. Is there a way to avoid this?

    Cheers.

  5. #5

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,804
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224
    Yes, there's a setting for that. Make sure "Uninstall this application when it falls out of the scope of management" is disabled. That way, nothing will ever be uninstalled, unless your upgrading a package.

  6. #6
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,205
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    If in unset that option and then remove the app from the list will it still be uninstalled?

    Is that how you organise your software deployment Geoff?

  7. #7

    Geoff's Avatar
    Join Date
    Jun 2005
    Location
    Fylde, Lancs, UK.
    Posts
    11,804
    Thank Post
    110
    Thanked 583 Times in 504 Posts
    Blog Entries
    1
    Rep Power
    224
    If in unset that option and then remove the app from the list will it still be uninstalled?
    no, that's the point. The software never gets uninstalled. Unless you manually do it.

    Is that how you organise your software deployment Geoff?
    Yes, plus regular reimaging with ghost (gets round the uninstall issue, and generally a good idea).

  8. #8
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,205
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    The software never gets uninstalled. Unless you manually do it
    That's what i thought which can be an issue when i need to remove software and install a new version, we don't reimage our machines all that often here especially office PC's.

    Cheers.

  9. #9

    Join Date
    Jul 2007
    Location
    Devon
    Posts
    233
    Thank Post
    8
    Thanked 9 Times in 8 Posts
    Rep Power
    16
    Ours is done on an OU basis...

    Only Securus and the always annoying searchstar controls are applied at domain level.

    Then it goes and has common software (office, flash etc) is applied on OU1, department software (Dartfish Classroom) OU2 and Room software OU3 (if that room also has an office, then OU4)

    There are also a few installs which are done as group memberships, IP Softphone is, Adobe Reader 8 is (as well as being global - kept removing itself) and that's about it really.

    I worked hard over the course of about a year to structure AD in a friendly way that things like this are just a click in, click off.


    I just wish Group Policy could push out MSP's *shakes fist at Adobe*

    Other than updating MSI's during half-terms etc, can you not apply a revised policy which upgrades another policy and then slowly promote & apply it to child OU's?

    Just a thought since I seem able to move a computer account between two OU's where software is different and it will only apply the changes, it won't uninstall office etc and then reinstall it, because the same policy is applied in both locations...

  10. #10
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,205
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    Our OU's are organised roughly by department or room so we tend to have a GPO for each of these OU's and i've started using security filtering to target applications to groups of PC's within an OU. As some rooms are more heavily used by certain departments they tend to have their software on so if i use a policy over more than one room the rooms end up with unnecessary software on.

    I think i've found a pretty happy medium i was just wondering how others did it.

    I'm having an issue with an msp at the mo grrrr if only AD could deploy them.

    Cheers.

  11. #11


    Join Date
    Oct 2006
    Posts
    3,412
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    149
    Quote Originally Posted by cookie_monster View Post
    That's what i thought which can be an issue when i need to remove software and install a new version, we don't reimage our machines all that often here especially office PC's.

    Cheers.
    Goto the GPO > Software > *Rightclick* > Remove Software

    :-)

  12. #12
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,205
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    I'm sure Geoff said if you deselect "Uninstall this application when it falls out of the scope of management" then it doesn't uninstall even if you remove it from the deployment list.

  13. #13


    Join Date
    Oct 2006
    Posts
    3,412
    Thank Post
    184
    Thanked 356 Times in 285 Posts
    Rep Power
    149
    No you go into the GPO and manually tell it to uninstall. Geoff is right in that if you just delete the GPO it wont uninstall teh software. You can also tell the software to uninstall just before it it replaced by an upgraded version.

    Have a browse about in the settings, its all there and pretty obvious what everything does really.

  14. #14
    cookie_monster's Avatar
    Join Date
    May 2007
    Location
    Derbyshire
    Posts
    4,205
    Thank Post
    394
    Thanked 278 Times in 239 Posts
    Rep Power
    74
    I'm familiar with the settings i must of misunderstood what Geoff was trying to say and i haven't been near a server to check.

    Cheers.

  15. #15
    meastaugh1's Avatar
    Join Date
    Jul 2006
    Location
    London/Hertfordshire
    Posts
    890
    Thank Post
    69
    Thanked 85 Times in 70 Posts
    Rep Power
    32
    I also do something like this.

    I have a managed software computers group (of which all desktops are a member), which have apply GPO right over the software installation GPO. Where I need to limit the number of installations (usually for license reasons, such as ABTutor, CorelDraw, Sibelius), I create a new license group and only permit that license group to read the particular software package.

    Quote Originally Posted by cookie_monster View Post
    I'm thinking about having one sofware policy at the top of our computers OU and then having a security group for each application this way only members of the group receive the application. Who here manages their apps this way and do you find it to be a pain when you have an app that's installed everywhere so you have to add 400 + PC's to the group?


    Chrrently we use a combination of security groups and applying software at the OU level but it's becoming a bit of a pain.

    Cheers.

SHARE:
+ Post New Thread
Page 1 of 2 12 LastLast

Similar Threads

  1. Replies: 2
    Last Post: 27th January 2011, 12:06 PM
  2. Stop applications running at certain times
    By timbo343 in forum Windows
    Replies: 5
    Last Post: 27th April 2007, 01:08 PM
  3. Redirecting applications save folder
    By Wizzer in forum How do you do....it?
    Replies: 14
    Last Post: 22nd November 2006, 12:46 PM
  4. Disable network logon for a Security Group or an OU
    By mrforgetful in forum Wireless Networks
    Replies: 10
    Last Post: 28th June 2006, 04:13 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •