You can use Group Policy to assign or to publish software to users or computers in a domain. Additionally, it is useful to be able to deploy software based on group membership. A Group Policy object (GPO) is usually applied only to members of an organizational unit (OU) to which the GPO is linked. Because a user cannot be located in several OUs at the same time, you must be able to apply Group Policy settings outside the boundaries of OUs. This article describes how to have your software deployment policy applied to users who are not in an OU.
Assign a program to a group
Create a folder to hold the MSI package on a server. Share the folder by applying permissions that let users and computers read and run these files. Then, copy the MSI package files into this location.
From a Windows 2000-based computer in the domain, log on as a domain administrator, and then start Active Directory Users and Computers.
Note You can apply Group Policy settings to domains, sites, and OUs.
In Active Directory Users and Computers, right-click the container to which you want to link the GPO, click Properties, and then click the Group Policy tab.
Create a new GPO for installing your MSI package, and then give the new GPO a descriptive name.
While the new GPO is selected, click Edit. This starts the Group Policy Object Editor.
Open and then right-click Software installation in the GPO, and then click New Package.
You are prompted for the path of the Windows Installer file (.msi) for this package. View the network location that contains the Windows Installer file, click the file, and then click Open.
Warning If the Windows Installer file resides on the local hard disk, do not use a local path. Instead, use the UNC path of the local computer to indicate the location of the installation files. A UNC path takes the form \\servername\sharename\path\filename.msi.
When you are prompted to choose between Assigned and Advanced Published or Assigned, click Assigned unless you have to modify the advanced options. You should now see the software package in the details pane of the Group Policy Object Editor.
In Active Directory Users and Computers, click the container to which you linked your GPO. Right-click that container, click Properties, and then click the Group Policy tab.
Click your GPO, and then click Properties.
Click the Security tab, and then remove Authenticated Users from the list.
Click Add, and then select the security group which you plan to have this policy applied to add it to the list.
Select your security group, and then give them Read and "Apply Group Policy" permissions.
Changes to a GPO are not immediately applied on the target computers. Instead, changes are applied according to the current Group Policy update interval. You can use the Secedit.exe command-line tool to impose GPO settings upon a target workstation immediately. For more information about how to use Secedit.exe to force a Group Policy update, click the following article number to view the article in the Microsoft Knowledge Base:
227302 Using SECEDIT to force a Group Policy refresh immediately
For more information about how to deploy programs by using Group Policy, click the following article numbers to view the articles in the Microsoft Knowledge Base:
224330 Assigning a Windows Installer Package with minimal interaction
257718 How to create a third-party Microsoft Installer package (MSI)
278472 Packages assigned to computers with Group Policy are not installed
269732 How to obtain the Windows Installer Package (Update.msi) for Windows 2000 service packs
278503 Best practices for using Update.msi to deploy service packs