I was curious how you all deal with this issue. When you create a new MSI package and deploy it by group policy the administrator group is in my security tab as full control. That means whoever is in the admin group will get the package. The problem is if the admin is on all the groups they get all the package.

How do most of you handle this? Do you take the admin group out and put another user group in that can modify the package if need be?

Hope this makes sense..
0 Comments   [ + ] Show Comments


Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.


Domain Admins, Enterpriceadmins, System

Should have Read, Write Create and Delete All Child objects, but not Apply Group Policy

You could make a deployment group say called appAdobeReader6.0

and to this group you give Apply Group Policy and Read.

IF you have to rip a package off one single member You can add this member and give this member Deny in the group policy security settings this will overrule any apply rights he might have elseware.

Members can be both computer name or Username.

When You add a new GPO normally Authenticated Users have rights to Read and Apply Group Policy You should remove Authenticated Users from having Read and Apply GPO.

Sweede [;)]
Answered 05/07/2004 by: Sweede
Second Degree Green Belt

Please log in to comment
Or you could create a seperate Organizational unit for the computer and user account of the administrator and select the Block Inheritance option in Group Policy for the OU.
Answered 05/27/2004 by: cdupuis
Third Degree Green Belt

Please log in to comment
i cannot find this " Apply Group Policy " where can you add this?
Answered 01/18/2008 by: MITSU
Yellow Belt

Please log in to comment
To add the deny "apply group policy" setting, you go to delegation of the GPO in GPMC, and choose advanced. Then you can change the settings of the different users / groups.
Answered 03/13/2008 by: eclipca
Senior Yellow Belt

Please log in to comment
Answer this question or Comment on this question for clarity