How to assign software to a specific group by using a Group Policy (302430)

SUMMARY

You can use group policies to assign or publish software to users or computers in a domain, and it is useful to be able to deploy software based on group membership. Group Policy Objects (GPOs) are normally applied only to members of organizational units (OUs)to which the GPO is linked. Because users cannot be located in several OUs at one time, it is necessary to be able to apply group policies outside of the boundaries of OUs. This article describes how to have your software deployment policy applied to users who are not in a respective OU.

back to the top

Assign a Program to a Group

1. Create a folder to hold the MSI package on a network server. Share the folder with appropriate permissions to allow the users and computers to read and run these files, and then copy the MSI package files into this location.
2. From a Windows 2000-based computer in the domain, log on as a domain administrator, and then start the Active Directory Users and Computers snap-in.
   
   NOTE: You can apply group policies to domains, sites, and OUs.
3. From the Active Directory Users and Computers snap-in, click the container you want to have the GPO linked to. Right-click that container, click Properties, and then click the Group Policy tab.
4. Create a new GPO for installing your MSI package, and give the new GPO a descriptive name.
5. While the new GPO is selected, click Edit. This starts the Group Policy snap-in and lets you edit this GPO.
6. Open and then right-click Software installation in the GPO, and then click New Package.
7. You are prompted for the path to the Windows Installer file (.msi) for this package. View the network location that contains the Windows Installer file, click the file, and then click Open.
   
   WARNING: If the Windows Installer file resides on the local hard disk, do not use a local path, instead, use a UNC path (such as \\servername\sharename\path\filename.msi) back to the local computer to indicate the location of the installation files. Otherwise, client computers that try to install the package will look on their local hard disks in the location that was indicated, and will not find the installation files at that location, so the installation does not work.
8. When you are prompted to choose between Assigned and Advanced Published or Assigned, click Assigned unless you have the experience and need to modify the advanced options. You should now see the software package in the right pane of the Group Policy snap-in.
9. From the Active Directory Users and Computers snap-in, click the container to which you linked your GPO. Right-click that container, click Properties, and then click the Group Policy tab.
10. Click your GPO, and then click Properties.
11. Click the Security tab, and then remove Authenticated Users from the list.
12. Click Add, select the security group which you plan to have this policy applied to add it to the list.
13. Select your security group, and then give them READ and Apply Group Policy permissions.

Changes to a GPO are not immediately imposed upon the target computers, but are applied in accordance with the currently valid group-policy refresh interval. You can use the Secedit.exe command-line tool to impose GPO settings upon a target workstation immediately. See the references section below for information about using Secedit.exe.

back to the top