Need to Install Software via a User Security Group

    Question

  • I need clarification:

    I need to deploy an .msi through group policy to a USER Security Group in our domain. I cannot do it via computer-side OU since the users needing the software are all over our domain, and the computers are not grouped properly for this scenario.

    It appears that you can deploy software and it will only run for the USER Security Group you designate, when a member of that group logs into a PC.

    The documentation I see doesn't clarify if this should be deployed via the Computer-side or User-side Software Installation settings. It seems to me that this would only work on the user-side of Software Installation since the computer-side runs before users authenticate.

    Can this be done via both computer-side and user-side, or no? I've tried both, and still no luck. I've removed authenticated users and added my security group and checked the security settings to be sure 'allow group policy' is checked.

    Any help would be appreciated. I typically deploy software by OU on the computer-side. This is my first foray into user-side installations. I must be missing something.

    Thanks

    Saturday, February 06, 2016 3:57 PM

Answers

  • Hello,

    There are two ways to deploy software to users:

    1. Assigning software to be available on demand

    After you assign a software package to users in a site, domain, or OU, the software is advertised on the desktop. The application becomes available to the user the next time the user logs on (if the application’s GPO applies to that user). The application is fully installed by the user from the Start menu, from Add or Remove Programs, from a desktop shortcut, or by opening a document (on demand) that has a file name extension that is associated with the application.

    The user can remove the software, and then later choose to reinstall it as they did previously. By using Group Policy, you make sure that assigned applications that are available on-demand are available, regardless of whether users remove them, and that the applications are available again the next time the user logs on or starts the computer.

    2. Assigning software to users   

    After you assign a software package to users in a site, domain, or OU, you can use the Install this application at logon option to install the whole application the next time the computer starts, or after the user logs off and then logs on again. The application is also immediately available in Add or Remove Programs.

    The user can remove the software, and then later choose to reinstall it as they did previously.

    After creating the software deployment GPO, apply it to the OU where your users reside, and under the Security tab for the GPO, remove Authenticated Users from the list and add the security group to which you plan to have this policy applied.

    Regards,

    Yan Li


    Tuesday, February 09, 2016 2:44 AM
    Moderator
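
The security-filtering step from the answer above, scripted with the GroupPolicy module as an added example that is not part of the original thread. The GPO and group names are placeholders. It keeps Read (without Apply) for Authenticated Users instead of deleting the entry, because since the MS16-072 update user policy is retrieved in the computer's security context and a GPO the computer account cannot read is not applied.

```powershell
# Added example: scope a user-side software installation GPO to one security group.
# Both names below are hypothetical placeholders, not values from the thread.
Import-Module GroupPolicy

$GpoName   = 'Deploy-ExampleApp-Users'   # GPO containing the User Configuration package
$GroupName = 'SG-ExampleApp-Users'       # user security group that should receive it

$gpo = Get-GPO -Name $GpoName -ErrorAction Stop

# Give the target group Read + Apply group policy.
Set-GPPermission -Guid $gpo.Id -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Downgrade Authenticated Users from Apply to Read only.
# -Replace is needed; without it the existing higher permission is kept.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Review the resulting delegation.
$acl = Get-GPPermission -Guid $gpo.Id -All
$acl | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Format-Table -AutoSize

# Flag any trustee other than the intended group that can still apply the GPO.
$unexpected = $acl | Where-Object {
    $_.Permission -eq 'GpoApply' -and $_.Trustee.Name -ne $GroupName
}
if ($unexpected) {
    Write-Warning ("Apply is also granted to: " + (($unexpected.Trustee.Name) -join ', '))
}

# Flag a GPO that computer accounts cannot read (it would silently not apply).
$readers = $acl | Where-Object { $_.Trustee.Name -in 'Authenticated Users', 'Domain Computers' }
if (-not $readers) {
    Write-Warning 'Neither Authenticated Users nor Domain Computers can read this GPO.'
}
```

The GPO still has to be linked to an OU that contains the user accounts; `gpresult /r /scope user` on a test logon shows whether it was applied or filtered out.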

All replies

  • Hi, To assign software applications to computers, in the console tree expand Computer Configuration\Policies. To assign or publish software applications to users, in the console tree expand User Configuration\Policies. Generally, if the software is static (used consistently at one or many locations), large, or requires regular updates – deploy it on the computer side. If the software is small and used by specific users, deploy it on the user side. Hope this helps. -Tomi

    Tomi Pietilä, Blog, Twitter

    Saturday, February 06, 2016 5:35 PM
  • Excellent. This is for specific users. So I'll apply it user-side. And user security groups are a valid way to apply to users? Any tricks to that?
    Sunday, February 07, 2016 12:17 AM