Group Policy: Pushing out software through Active Directory

Check out this collection of expert responses to real reader questions from Group Policy expert Jeremy Moskowitz.

Is there a way to selectively push out software, through Active Directory using Group Policy, for computers with different operating systems? An example would be our Windows 2000 Pro machines need Acrobat Reader 6.0 pushed to them, where our Windows XP Pro machines already have Acrobat Reader 7.0 installed on their base image.

Jeremy Moskowitz: Absolutely possible! There are two ways. One way is to create two OUs: one which contains Windows XP machines and the other which contains Windows 2000 machines. Then, simply link the GPOs you want to affect each type of machine.

However, this doesn't help much if both types are mixed together. Say you have an OU called "SalesComputers" with a mix of both Windows XP and Windows 2000. In this case, the best way to achieve your goal is to create two NT-style groups: one containing the Windows 2000 computers and the other containing the Windows XP computers. Then, link the GPO that you want to affect, say, only the Windows XP computers to the SalesComputers OU. Finally, remove the default "Authenticated Users" group and add in just the group containing Windows XP machines.

Likewise perform the same steps for Windows 2000 machines, and you should be golden.
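The group-based filtering from this answer, scripted as an added example (not part of the original column). It assumes the ActiveDirectory and GroupPolicy RSAT modules and an existing GPO; the OU path, group name and GPO name are placeholders. Rather than deleting the Authenticated Users entry, it downgrades that group to Read, which takes away the Apply right while leaving the GPO readable.

```powershell
# Added example: every name below is a placeholder, adjust to your domain.
Import-Module ActiveDirectory, GroupPolicy

$ou      = 'OU=SalesComputers,DC=example,DC=com'   # mixed XP / 2000 OU
$group   = 'SalesComputers-WinXP'                  # group used as the filter
$gpoName = 'Sales - Windows XP only'               # GPO that must hit XP only

# 1. Create the group and fill it with the XP machines found in the OU.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $ou
$xp = Get-ADComputer -SearchBase $ou -Filter 'OperatingSystem -like "Windows XP*"'
if ($xp) {
    Add-ADGroupMember -Identity $group -Members $xp
} else {
    Write-Warning "No Windows XP computer accounts found under $ou"
}

# 2. Link the GPO to the mixed OU.
New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes

# 3. Security filtering: only the XP group may apply the GPO.
Set-GPPermission -Name $gpoName -TargetName $group `
    -TargetType Group -PermissionLevel GpoApply
# -Replace swaps the existing Apply entry for Read instead of adding to it.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# 4. Review the resulting delegation before relying on it.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n='Trustee';e={$_.Trustee.Name}}, Permission
```

A computer picks up a new group membership only after it restarts, so the filter takes effect on the next boot of each machine.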

I am a Network Administrator at a college in Florida. We have numerous computer labs on campus, and my issue is locking down the desktop prohibiting students from making changes to the environment. Can you direct me to GPO information that can help me with this issue?

Domain environment - Windows Server 2003 and Server 2000
Desktops - XP Pro

Many thanks in advance

JM: There is no "magic bullet" super-duper lockdown. There are incremental steps you can do to perform this magic. My first suggestion would be to check out Microsoft's very own Group Policy Scenarios lab kit. The idea is that you can check out what Microsoft suggests as some approaches to help get you closer toward a fully locked down desktop. You'll find the Group Policy Scenarios document and exercises here.

I need to install Dell's monitoring software -- OMCI -- on client computers. I have created MSI packages to deploy this using AD GPO.

This package requires a domain admin account to run as a service account. I have created an account for this, but my question to you is: How do I push this account information to reside on all the PCs in the domain? Thanks.

JM: Restricted Groups to the rescue! The Restricted Groups feature allows you to push entries into whatever group you want. Simply drill down to:

Computer Configuration | Security Settings | Restricted Groups

Then, when prompted for which group to add, simply TYPE IN the name of the group you want to add. In this case, it's Administrators. Then, pick the Active Directory users you want to add, and add them to the Members of this group dialog. And, bang! Instant addition of user accounts to local administrator group.

Do note, however, that the Restricted Groups function is a "rip and replace" function -- meaning any administrators you have locally defined will be ripped out in lieu of what you put in this dialog box.
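Because of the "rip and replace" behaviour noted above, it is worth comparing a client's current local Administrators group with the list you plan to enter before the policy applies. The check below is an added example, not part of the original column; it assumes PowerShell 5.1 or later on the client, and the account names are placeholders. Entries reported as "Local only" are the ones the policy would strip.

```powershell
# Added example: run locally on a client before the GPO is linked.
# $Intended mirrors the "Members of this group" list planned for the policy.
function Compare-LocalAdmins {
    param([Parameter(Mandatory)][string[]]$Intended)

    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the lookup also works on non-English Windows installations.
    $current = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
                 Select-Object -ExpandProperty Name)

    foreach ($m in $current) {
        [pscustomobject]@{
            Member = $m
            Status = if ($m -in $Intended) { 'Both' } else { 'Local only' }
        }
    }
    foreach ($m in $Intended) {
        if ($m -notin $current) {
            [pscustomobject]@{ Member = $m; Status = 'Policy only' }
        }
    }
}

# Placeholder accounts: replace with the members you intend to configure.
Compare-LocalAdmins -Intended 'EXAMPLE\Domain Admins', 'EXAMPLE\svc-omci' |
    Sort-Object Status, Member |
    Format-Table -AutoSize
```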

I recently set up a new Windows Server 2003. I created a couple test users and put them in groups. I also created some GPOs and linked them. As far as I can tell everything is configured properly on the server side. My question is, when I log onto the domain from my test client computer, it does not pull down the GPO for the group they are in. I feel there is something I need to do on the client side, but I am not sure. How can I pull the GPO to the W2K client computer from AD?

JM: You said you linked the GPO to the correct location. But you didn't say to where. I'm guessing you linked the GPOs to a place that has no user or computer accounts; hence, you won't see much action. Or, maybe you created the GPO, but didn't actually link it anywhere. Don't feel bad though -- I make mistakes like this all the time. Be sure to click on the Scope tab using GPMC and look at the "Links" field to see, specifically, where the GPO is linked to. That should help you determine if you're really linked or not.
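The same check as the Scope tab, done from PowerShell, as an added example that is not part of the original column. It assumes the ActiveDirectory and GroupPolicy RSAT modules and a placeholder GPO name; it lists every domain or OU container the GPO is linked to, whether the link is enabled, and how many user and computer accounts sit beneath it. Site-level links live in the configuration partition and are not covered.

```powershell
# Added example: the GPO name is a placeholder.
Import-Module ActiveDirectory, GroupPolicy

$gpoName  = 'Test User Settings'
$guid     = (Get-GPO -Name $gpoName).Id.ToString()
$domainDN = (Get-ADDomain).DistinguishedName

# A link is stored in the container's gPLink attribute as
# [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>]
$linked = @(Get-ADObject -SearchBase $domainDN `
                -LDAPFilter "(gPLink=*$guid*)" -Properties gPLink)

if ($linked.Count -eq 0) {
    Write-Warning "'$gpoName' exists but is not linked to the domain or any OU."
}

foreach ($c in $linked) {
    # Options bit 1 set means the link is disabled (2 = enforced).
    $enabled = $true
    if ($c.gPLink -match "$guid[^;]*;(\d+)") {
        $enabled = -not ([int]$Matches[1] -band 1)
    }
    # Counts include child OUs, matching how the GPO is inherited.
    [pscustomobject]@{
        LinkedTo    = $c.DistinguishedName
        LinkEnabled = $enabled
        Users       = @(Get-ADUser     -SearchBase $c.DistinguishedName -Filter *).Count
        Computers   = @(Get-ADComputer -SearchBase $c.DistinguishedName -Filter *).Count
    }
}
```

A row showing zero users and zero computers is the "linked to a place that has no accounts" case described in the answer.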

Jeremy Moskowitz, a Microsoft Most Valuable Professional (MVP) and Microsoft Certified Systems Engineer (MCSE), is an independent consultant and trainer for Microsoft Windows technologies. He runs two community forums, and, that answer tough questions about Group Policy and Windows/Linux integration. Jeremy's latest book, Windows and Linux Integration: Hands-on Solutions for a Mixed Environment (Sybex, 2005), is available at His popular book, Group Policy, Profiles, and IntelliMirror (Sybex, 2005) is available at