
Thread: Security Group Software Installation

  1. #1
    PreviousPoster

    We have OUs of users who need programs which we distribute through GP.

    When a user in that OU needs another program, we have to make an OU under that OU and link the object to that so they can have their original programs plus the new one. This all prevents everyone else who was in his original OU from getting that software.

    I was thinking, we could create an OU and make a group inside that OU. Apply policy to that OU. For instance, if we want specific users from different OUs to get Office, we can add them to a group under an OU getting Office.

    I tried doing this but couldn't get it to work. It seems like it would.

    Anyone have any ideas? Another method of doing this?

  2. #2
    PreviousPoster

    You should use group policy security filtering: create a security group, add the user(s), and specify the group policy object to only apply to the security group. You may then link the group policy object to the domain/organisational unit, removing the need to create a nested organisational unit.

  3. #3
    PreviousPoster

    Can you elaborate a little more or provide me with a link?

    I understand that I need to make a security group and add all the users, but how do I link the GP to the group?

  4. #4
    PreviousPoster

    The following is based on the assumption you are using Microsoft Group Policy Management Console SP1.

    1) Select your group policy object from within GPMC.
    2) Select the scope tab (this will be displayed by default).
    3) From the security filtering window, highlight the default 'Authenticated Users' and select 'Remove'.
    4) Select 'Add' from the security filtering window, and now select the security group you have created.

    You have now implemented group policy security filtering on your group policy object.

    To test the above, run RSOP for a user who is not included in the security group you have specified in the group policy object. You will see that the group policy object is disabled due to security. From the top of my head I believe the denied group policy reason is 'Disabled (Security)'.
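
The GPMC steps in post #4, scripted with the GroupPolicy PowerShell module as an added example (not part of the original thread). The GPO name, group name, test user and computer are hypothetical, and Authenticated Users is downgraded to Read rather than removed outright, because clients patched with MS16-072 retrieve user policy in the computer's security context and need Read on the GPO.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory

function Set-GpoSecurityFilter {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $GpoName,    # existing GPO to scope
        [Parameter(Mandatory)] [string] $GroupName   # security group that should receive it
    )

    # Fail early if either object is missing, so a typo never leaves the GPO half-configured.
    $gpo   = Get-GPO -Name $GpoName -ErrorAction Stop
    $group = Get-ADGroup -Identity $GroupName -ErrorAction Stop
    if ($group.GroupCategory -ne 'Security') {
        throw "'$GroupName' is a distribution group and cannot be used for security filtering."
    }

    if ($PSCmdlet.ShouldProcess($gpo.DisplayName, "Filter to $GroupName")) {
        # Steps 3-4 in reverse order: grant the group Read + Apply first,
        # so the GPO is never left with nobody able to apply it.
        Set-GPPermission -Guid $gpo.Id -TargetName $group.SamAccountName `
            -TargetType Group -PermissionLevel GpoApply | Out-Null

        # Downgrade Authenticated Users from Apply to Read.
        # -Replace is required: without it the cmdlet will not lower a permission.
        Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' `
            -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    }

    # Return every trustee whose permission level is still GpoApply, for review.
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# Constructed names, for illustration only.
Set-GpoSecurityFilter -GpoName 'Deploy Office' -GroupName 'SW_Office'

# The RSOP test from the post: report for a user who is NOT in the group.
Get-GPResultantSetOfPolicy -User 'EXAMPLE\testuser' -Computer 'PC01' `
    -ReportType Html -Path "$env:TEMP\rsop-testuser.html"
```

Run it with `-WhatIf` first to confirm which GPO and group would be changed before any permission is written.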

  5. #5
    PreviousPoster

    Awesome, that works great! Thanks a lot!

  6. #6
    Trammel

    Forgive me for posting on an old thread but the subject is exactly what I am up against. Let me explain what I am up against and please tell me if I am wrong. I am going to dig back into my book here shortly.

    (Parent~Child domain only)
    1. I have a policy with software installations in both the computer and user configuration.
    2. Each software application has a security setting for each application.
    3. Example: the Acrobat Reader software application only applies to the global group SW_Acrobat_Reader.
    4. The global groups for the application distribution under the "computer configuration" section of this policy mostly contain user accounts.

    So, I am trying to understand how the predecessor figured software applications could be deployed via computer configurations, using security filters with a global group having "users" in the group.

    I believe this is proper for the software distributions that are under the "user configuration", using security filters with global groups and users inside.

    [edit] I just finished going through the second edition book and this particular case isn't discussed. So I thought I would come back and make sure this post was not convoluted.
    Question: Can you use GPSI via the computer configuration side of the policy, leveraging global security groups that contain users, to apply (assign or publish) software installs?
    My initial thought is no, because the computer policy is processed prior to a user logging on to the machine.

    Thanks
    Last edited by Trammel; 12-01-2009 at 01:05 AM.
