Group Policy: Pushing out software through Active Directory

Jeremy Moskowitz, Contributor

The following is a collection of expert responses to reader questions by Jeremy Moskowitz.

Is there a way to selectively push out software, through Active Directory using Group Policy, for computers with different operating systems? An example would be our Windows 2000 Pro machines need Acrobat Reader 6.0 pushed to them, where our Windows XP Pro machines already have Acrobat Reader 7.0 installed on their base image.

Jeremy Moskowitz: Absolutely possible! There are two ways. One way is to create two OUs: one which contains Windows XP machines and the other which contains Windows 2000 machines. Then, simply link the GPOs you want to affect each type of machine.

However, this doesn't help much if both types are mixed together. Say you have an OU called "SalesComputers" with both a mix of Windows XP and Windows 2000. In this case, the best way to achieve your goal is to create two NT-style groups: one containing the Windows 2000 computers and the other containing the Windows XP computers. Then, link the GPO that you want to affect, say, only the Windows XP computers to the SalesComputers OU. Finally, remove the default "Authenticated Users" group and add in just the group containing Windows XP machines.

Likewise perform the same steps for Windows 2000 machines, and you should be golden.

I am a Network Administrator at a college in Florida. We have numerous computer labs on campus, and my issue is locking down the desktop prohibiting

Requires Free Membership to View

students from making changes to the environment. Can you direct me to GPO information that can help me with this issue?
Domain environment - Windows Server 2003 and Server 2000
Desktops- XP Pro

Many thanks in advance

JM: There is no "magic bullet" super-duper lockdown. There are incremental steps you can do to perform this magic. My first suggestion would be to check out Microsoft's very own Group Policy Scenarios lab kit. The idea is that you can check out what Microsoft suggests as some approaches to help get you closer toward a fully locked down desktop. You'll find the Group Policy Scenarios document and exercises here.

I need to install Dell's monitoring software -- OMCI -- on client computers. I have created MSI packages to deploy this using AD GPO.

This package requires a domain admin account to run as a service account. I have created an account for this, but my question to you is: How do I push this account information to reside on all the PCs in the domain? Thanks.

JM: Restricted Groups to the rescue! The Restricted Groups feature allows you to push entries into whatever group you want. Simply drill down to:

Computer Configuration | Security Settings | Restricted Groups

Then, when prompted for which group to add, simply TYPE IN the name of the group you want to add. In this case, it's Administrators. Then, pick the Active Directory users you want to add, and add them to the Members of this group dialog. And, bang! Instant addition of user accounts to local administrator group.

Do note, however, that the Restricted Groups function is a "rip and replace" function -- meaning any administrators you have locally defined will be ripped out in lieu of what you put in this dialog box.

I recently set up a new Windows server 2003. I created a couple test users and put them in groups. I also created some GPOs and linked them. As far as I can tell everything is configured properly on the server side. My question is, when I log onto the domain from my test client computer, it does not pull down the GPO for the group they are in. I feel there is something I need to do on the client side, but I am not sure. How can I pull the GPO to the W2K client computer from AD?

JM: You said you linked the GPO to the correct location. But you didn't say to where. I'm guessing you linked the GPOs to a place that has no user or computer accounts; hence, you won't see much action. Or, maybe you created the GPO, but didn't actually link it anywhere. Don't feel bad though -- I make mistakes like this all the time. Be sure to click on the Scope tab using GPMC and look at the "Links" field to see, specifically, where the GPO is linked to. That should help you determine if you're really linked or not.

Jeremy Moskowitz, a Microsoft Most Valuable Professional (MVP) and Microsoft Certified Systems Engineer (MCSE), is an independent consultant and trainer for Microsoft Windows technologies. He runs two community forums, www.GPanswers.com and www.WinLinAnswers.com, that answer tough questions about Group Policy and Windows/Linux integration. Jeremy's latest book, Windows and Linux Integration: Hands-on Solutions for a Mixed Environment (Sybex, 2005), is available at WinLinAnswers.com. His popular book, Group Policy, Profiles, and IntelliMirror (Sybex, 2005) is available at www.GPanswers.com.

This was first published in November 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.