AD GPO Software Installation User Configuration

    Question

  • Hi gurus!

    So, Network Admin student here, and I have an AD GPO software installation question.

    I have installed AD and am trying to deploy a software program to a specific AD group.  Now, I have deployed it successfully and it shows up, however, if I log in under a different user name not part of the AD group, it still shows up on the desktop. 

    My question is, is there a way to have a software installation only show up on the desktops of the members of the group that I have deployed the software to? Or is it once I have installed it from the specific group, it becomes visible on the desktop to every person in the group?

    I am currently running server Windows Server 2012 R2 as my server.

    *Note, so far, the computer I am testing my configuration on is also a 2012R2 DC of a sub-domain in the forest, but upon trying it out on a domain-joined computer running 8.1, I still get the same results, the desktop is the same as any other user, and there is no difference (all desktops, no matter what user, have the same configuration/look).

    Steps I have taken:

    In my GPO I have the software installation on the user configuration node, NOT the computer configuration node. I have also disabled the computer configuration for this specific GPO.

    In my scope tab of the GPO, currently, I have Authenticated Users and the AD group name as the only two listed in the Security filtering.

    Under the delegation tab, I have Authenticated users (read from security filtering), the AD group (read from security filtering), Domain Admins, Enterprise Admins, and SYSTEM (all with edit settings, delete and modify security) and finally I have Domain Controller (as read). 

    I have done a gpupdate /force command on both the DC (xxxxxxx.org) and the computer that I'm testing the user settings on. 

    Thanks in advance for any and all answers, as I can't find anything so far in my research for this problem.

    Tuesday, September 13, 2016 8:23 PM

All replies

  • ..I have an AD GPO software installation question.

    I have installed AD and am trying to deploy a software program to a specific AD group.  Now, I have deployed it successfully and it shows up, however, if I log in under a different user name not part of the AD group, it still shows up on the desktop. 

    My question is, is there a way to have a software installation only show up on the desktops of the members of the group that I have deployed the software to? Or is it once I have installed it from the specific group, it becomes visible on the desktop to every person in the group?

    So, the feature is AD GPSI. (heavy emphasis on the I  ;)

    Once software installation is initiated, the actual software install database (MSI file etc) determines what happens next.
    In your scenario, it sounds like the software is installing for all users, rather than per-user. This is the most common outcome, in my experience.

    So, the software product is installed for all users of the given computer, and is therefore available to all users of the computer, and the software installer probably placed shortcuts onto the All Users Start Menu and maybe also the All Users Desktop folder, so that all users may easily see that the software is installed and may access the software.

    Group Policy Software Installation doesn't really have any control over that outcome - it's completely dependent upon the MSI author to decide what the installation outcome looks like. Installing for allusers is what most everything commercially available does these days, in my experience.

    A lot of documentation for GPSI (intellimirror) talks about the per-user and per-computer concepts, but, the per-user stuff is clunky and not used a lot these days, in my experience.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Tuesday, September 13, 2016 9:39 PM
  • Got it, GPSI.. not GPO Software Installation. Thanks, I don't want to sound like a nimrod.

    As far as it goes for my question tho, from what I'm comprehending from your answer, I'm basically up that creek without a paddle for as much as customizing desktops through GPSI, correct?

    I was attempting to push out a free VLC download which I had converted to a .msi file for the GPSI to work. It worked successfully, but then it's on every user's desktop. Not a problem, like I said, I'm in school and just trying to learn the ins and outs of this particular "deployment" strategy.

    Is there a better way to do what I'm trying to do? Would an application server be better? Or am I just going to have to learn to deal and that's that?

    Thanks!

    Brenden 

    Tuesday, September 13, 2016 10:13 PM
  • Hi Brenden,
    As far as I know, if software is installed for all users, it gets put in the regular "Program Files" folders, located in the root of the C:\ drive, and any user on that computer who can access said C:\ drive can run the applications installed onto it.
    If you install software for a user, it generally gets placed in the user profile; in the AppData folder, or in other locations. Because these user profile folders are only accessible to the one who owns them, other users cannot use the software within these folders.
    Because of this, in my opinion, you could try to change a software install from being accessible by specific users by moving the folder that the software is located in out of its original install location and into the appropriate user drive folder.
    Best regards,
    Wendy

    Wednesday, September 14, 2016 7:41 AM
    Moderator
  • Got it, GPSI.. not GPO Software Installation. Thanks, I don't want to sound like a nimrod.

    I was just trying to emphasise the 'Install' piece, i.e. GP kicks off the installer, but what happens after that (i.e. what junk lands where on the pc) is out of the control of GP, it's up to the logic embedded within the MSI file, which is determined by the author of the MSI file.

    sorry if I came over as a pedant, not what I intended


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, September 14, 2016 8:51 AM
  • As far as it goes for my question tho, from what I'm comprehending from your answer, I'm basically up that creek without a paddle for as much as customizing desktops through GPSI, correct?

    I was attempting to push out a free VLC download which I had converted to a .msi file for the GPSI to work. It worked successfully, but then it's on every user's desktop. Not a problem, like I said, I'm in school and just trying to learn the ins and outs of this particular "deployment" strategy.

    Is there a better way to do what I'm trying to do? Would an application server be better? Or am I just going to have to learn to deal and that's that?

    GPSI isn't terribly flexible, but that's kind of the MSFT way, to give a basic feature (better than nothing), but to leave the more flexible/powerful features/functions for other products/vendors to deliver.

    if you are re-wrapping some-other-installer-engine inside of an MSI, the MSI engine isn't going to be able to do much other than to drop-and-run. the inside-layer installer-engine (NSIS or whatever) is still going to be in charge of what gets placed where.

    Or there is re-packaging as an approach, where you basically reverse-engineer (by observation and intuition) what the original installer engine is doing. tricky. fraught with dangerous assumptions, etc.

    some software vendors offer detailed customisation/config methods for use with their installers, giving you options like shortcut placement, unattended installation, etc.

    welcome to the dark arts :)

    itninja.com (formerly appdeploy.com) has a lot of packaging/installing/deployment tips and recipes, so before you dive into re-wrapping or re-packaging, check it out first, someone else has probably already covered the ground, or you can pick up techniques for re-use.

    per-user vs. per-machine, is a fairly general concept. some products only do per-machine, but others do offer per-user.
    an example of that might be Google Chrome browser, which can be installed in either mode. If you have shared pc's, per-user mode can get messy, you end up with 15 users of the same pc, each with a copy of chrome, each of those handling self-auto-update, makes the disk messy and lots of duplication and traffic etc.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, September 14, 2016 9:05 AM
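
The thread's point that the MSI, not Group Policy, decides where an install lands can be checked before deployment by reading the package's own tables. The script below is an added example, not code from any poster in this thread; it uses the standard WindowsInstaller.Installer COM object, and `$MsiPath` is a placeholder for the package under review.

```powershell
# Added example (not from the thread): show the install scope an MSI declares.
param([Parameter(Mandatory)][string]$MsiPath)   # path to the package under review

function Invoke-Com($Object, $Name, $Kind, $ComArgs) {
    # The Windows Installer COM objects are called late-bound from PowerShell.
    $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $ComArgs)
}

function Get-MsiRows($Database, $Sql, $ColumnCount) {
    # Emits one string array per row; a table that does not exist yields no rows.
    try { $view = Invoke-Com $Database 'OpenView' 'InvokeMethod' @($Sql) }
    catch { return }
    Invoke-Com $view 'Execute' 'InvokeMethod' $null | Out-Null
    while ($record = Invoke-Com $view 'Fetch' 'InvokeMethod' $null) {
        $row = foreach ($i in 1..$ColumnCount) {
            Invoke-Com $record 'StringData' 'GetProperty' @($i)
        }
        ,@($row)
    }
    Invoke-Com $view 'Close' 'InvokeMethod' $null | Out-Null
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$fullPath  = (Resolve-Path -LiteralPath $MsiPath).Path
$db = Invoke-Com $installer 'OpenDatabase' 'InvokeMethod' @($fullPath, 0)  # 0 = read-only

# ALLUSERS: absent = per-user, 1 = per-machine, 2 = decided at install time.
$props = @{}
Get-MsiRows $db 'SELECT `Property`, `Value` FROM `Property`' 2 |
    ForEach-Object { $props[$_[0]] = $_[1] }
$allUsers = [string]$props['ALLUSERS']
$scope = if ($allUsers -eq '1') { 'per-machine (all users of the computer)' }
         elseif ($allUsers -eq '2') { 'per-machine or per-user, decided at install time' }
         else { 'per-user unless overridden by a command line or transform' }
"ALLUSERS          = '$allUsers' -> $scope"
"MSIINSTALLPERUSER = '$($props['MSIINSTALLPERUSER'])'"

# Shortcuts the MSI itself creates. DesktopFolder and ProgramMenuFolder resolve to
# the all-users locations in a per-machine install. A wrapper MSI that only
# launches another installer engine usually lists none here.
Get-MsiRows $db 'SELECT `Name`, `Directory_` FROM `Shortcut`' 2 |
    ForEach-Object { [pscustomobject]@{ Shortcut = $_[0]; Directory = $_[1] } }
```

An empty shortcut list on a re-wrapped installer means the inner engine places its files and shortcuts itself, so this check cannot show where they will go.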