Administrative installs blocked by GPO

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I am having an issue with a GPO set to an OU that should be blocking user
installs but, instead blocks all installs even when Domain, Enterprise Admins
and a Technician group have been set to not have the policy apply. The
Disable Windows Installer is Enabled under the Computer settings that is the
root of my issue forcing me to move a machine out of the OU in order to
install anything. It has become a torn in our sides when you are trying to do
updates and install Anti-virus programs and the like to have to wait
replication out or force it and have a machine reboot. If anyone has some
help on this subject it would be appreciated. To note- No other policy about
this (it is the Domain level) have any settings that would effect this and no
other policy is linked to this OU.
 
Since this is a computer configuration setting it will apply to all users.
If you can configure what you want to accomplish in user configuration, then
you can exempt specific users/groups with Group Policy filtering. Usually a
better approach is to simply use Software Installation policy to either
assign/publish authorized .msi packages to users/computers. This works well
if the domain users are NOT local administrators of their computers. If they
are then you will have a much more difficult time trying to accomplish what
you want unless the workstations are XP Pro in which case you can use
Software Restriction Policies/user configuration and configure the
enforcement rule to include local administrators. Unfortunately Windows 2003
domain is needed for SRP in user configuration though you can manage
SRP/computer configuration in a Windows 2000 domain.--- Steve
 
I have those policies in place but, they are mostly in effective since I
would be constantly updating the policy to include new *.exe packages as we
find them. I got to this point because we had to recreate the GPO. Since it
has been rebuild the machine policy has been a sticking point in rolling out
programs via automative service. So now I am trying to figure out what
happned to allow it that is not turned on to allow it. If there is any
direction you can provide I would really appreciate it.
 
Back
Top