Admins cannot install software when PC in one OU but ok in another

  • Thread starter Thread starter Chris Pratt
  • Start date Start date
C

Chris Pratt

Sorry for the long subject!!

When a computer is in our restrictive OU (with a nice and tight GP), if an
admin logs in (Domain Admin or Local Admin) and try to run an MSI - it pops
up with "The administrator has set policies to prevent this"!!

But when the PC is moved into an OU with a zero restrictive OU it can have
MSI's installed and settings changed.

I have checked the security on the GP and Admins do not have it applied.
PLEASE HELP!! I don't want to have to move the PC's into a different OU
everytime I want to make a setting change.

Thanks in advance

Chris Pratt - MCP
 
Chris, there may be some per-machine settings configured which are
disallowing MSI installs on your machine. (These settings may be found at
Computer Config\Admin Templates\Windows Installer). This would explain why,
if you move the computer object into another OU, the restrictions disappear.

Can you run gpresult (if your machine is Win2k) or rsop.msc (if your machine
is XP or Windows Server 2003) on the client? You will be able to see if
these settings are being applied to your machine while in the restrictive
OU. If you are running XP or Windows Server 2003, you may also use Group
Policy Management Console to get a Group Policy Results report of the
settings that have applied to the machine. (You can find more info about
GPMC at http://www.microsoft.com/windowsserver2003/gpmc/default.mspx)

Hope this helps.

Derek
 
Back
Top