You (as an administrator) can use Group Policy to assign or to publish software to users or computers in a domain. Additionally, it is useful to be able to deploy software based on group membership. A Group Policy object (GPO) is usually applied only to members of an organizational unit (OU) to which the GPO is linked. Because a user cannot be located in several OUs at the same time, you must be able to apply Group Policy settings outside the boundaries of OUs. This article describes how to have your software deployment policy applied to users who are not in an OU.

Back to the top

Assign a program to a group

1.	Create a folder to hold the Windows Installer package on a server. Share the folder by applying permissions that let users and computers read and run these files. Then, copy the MSI package files into this location.
2.	From a Windows Server 2003-based computer in the domain, log on as a domain administrator, and then start Active Directory Users and Computers.
3.	In Active Directory Users and Computers, right-click the container to which you want to link the GPOs, and then click Properties.
4.	Click the Group Policy tab, and then click New to create a new GPO for installing the Windows Installer package. Give the new GPO a descriptive name.
5.	Click the new GPO, and then click Edit. The Group Policy Object Editor starts.
6.	Right-click the Software Settings folder under either Computer Configuration or User Configuration, point to New, and then click Package. Notes • The Software Settings folder under Computer Configuration contains software settings that apply to all users who log on to the computer. This folder contains software installation settings. It may also contain other settings that are put there by independent software vendors. • The Software Settings folder under User Configuration contains software settings that apply to users regardless of which computer they log on to. This folder also contains software installation settings. It may contain other settings that are put there by independent software vendors.
7.	In the Open dialog box, type the Universal Naming Convention (UNC) path of the Windows Installer file (.msi) for this package in the File name box, and then click Open. Note If the Windows Installer file resides on the local hard disk, do not use a local path. Instead, use the UNC path of the local computer to indicate the location of the installation files. A UNC path takes the form \\servername\sharename\path\filename.msi.
8.	In the Deploy Software dialog box, do one of the following: • Click Assigned to specify that the application is deployed as assigned and that default settings are used for deployment properties. • Click Advanced to specify that you are manually editing the package properties instead of accepting the defaults. You can also choose between assign and publish for the deployment method.
9.	When you are prompted to choose between Advanced and Assigned, click Assigned unless you have to modify the advanced options.
10.	Click OK. The software package appears in the details pane of the Group Policy Object Editor.
11.	Close the Group Policy Object Editor.
12.	In the GPO Properties dialog box, click the GPO, and then click Properties.
13.	Click the Security tab.
14.	Click Authenticated Users in the Group or user names list, and then click Remove.
15.	Click Add, select the security group that you want this policy applied to, and then click OK to add the security group to the list.
16.	Select the security group, and then under Permissions for Users, click to select the READ and the Apply Group Policy check boxes in the Allow column.
17.	Click Apply, click OK, click Apply, and then click OK.

Changes to a GPO are not immediately applied on the target computers. Instead, changes are applied according to the current Group Policy update interval. You can use the Secedit.exe command-line tool to impose GPO settings upon a target workstation immediately. For more information about how to use Secedit.exe, see the Windows Server 2003 Help and Support Center.

Back to the top