Problems with Group Policy on Win2k Server

  • Thread starter Thread starter Marc Hoffman
  • Start date Start date
M

Marc Hoffman

Hi All...

We're having some issues with Software Installation GPOs on Win2k Server.
Here's the issue:

1. An OU is created at the root level of the domain in Active Directory
Users and Computers.
2. A GPO is applied to the OU containing our software MSI files (we are
publishing the MSI packages, and not assigning them).
3. A security group is created and placed inside the software installation
OU, and users are added to this group.
4. A secedit /policyrefresh command is issued.
5. Any of the members of the software installation security group may log
in, but none of the MSI packages appear in Add/Remove Programs.

Now, here's the weird part:

1. A member of the software installation security groups is moved directly
into the software installation OU.
2. A policy refresh is performed.
3. The user added directly to the software installation OU logs in, and the
MSI packages appear in Add/Remove Programs!

What's going on here? We need to be able to keep users in one place, and
have the GPO apply to the security group.

Thanks in advance.

Marc
 
Interesting and annoying at the same time ;-)

Does Win2k3 Server have this "feature"?

Marc
 
I don't have Win 2k3 but I think this exciting feature (group policy that
does not work on groups) is there to confuse you also!


hth
DDS W 2k MVP MCSE
 
Definitely not any different in W2K3. I think they should rename GPOs to
"Absolutely Nothing to do with Groups" Policy. It would be more accurate.
:-)
 
Marc Hoffman said:
Interesting and annoying at the same time ;-)

Does Win2k3 Server have this "feature"?
Click to expand...

What you need to remember is that GPOs are linked to Domains or OU's, not
users, computers, security groups or any other obect within AD.
Usernames and group membership can be used as filters, but that is all. They
are only a means to fine tune the targeting of your GPOs within a given OU.

Andy.
 
Back
Top