Okay, I'm kinda new to this GPO deployment stuff, so here's my newbie question - I did a search on this in this forum but people seem to gloss over really how this works.

My problem is I was working on getting the GPO deployment going yesterday. I created a new GPO for distribution to people who were members of a certain group. That worked a treat.

What I hadn't noticed was that the Authenticated Users was set to apply the GPO, so this morning when everybody logged in, they got the application rolled out. Oops!

So I quickly turned that off which stopped people from getting it from that point on, but I'm having troubles working out how to get it to uninstall on those who got in beforehand.

So I see I can move those computers from their OU to uninstall it, moving them out of the SOM, but that will be difficult in my environment.

Posts seem to suggest that by removing them from the group should uninstall it as well. I have tried denying group policy to Authenticated Users, no dice. I can't really remove people from Authenticated Users anyway, so how do I best revoke this software????


Well, when you create a new GPO for software assignment of an MSI I would recommend always checking the "uninstall this application when client falls out of scope". If this is not checked on a piece of software assigned via GPO, it'll just stay on the client PC regardless of whether the GPO ceases to apply to the given client. Assuming in your scenario that this option wasn't checked (and therefore anybody who got it pushed is not going to have it pulled just because you've removed Auth Users from the scope), one way to remove it from client PCs now is to create a VB script that does a WSH run of an MSIEXEC statement like the following:
MSIEXEC /uninstall "<your MSI here>" /qn
Then put this VB script into the Startup script portion of a new GPO that applies against Auth Users and set a DENY on that same GPO against the group that you actually want to keep the application.
If you want an example of the VB code that could do this then post a reply asking me and I'll paste it into my reply.
Answered 05/12/2006 by: fosteky
Purple Belt
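
The startup script described in the answer above, as an added example that is not fosteky's code or part of the original thread. It assumes the package was installed per-machine (a startup script runs as Local System and does not see another user's per-user install), uses a placeholder ProductCode GUID with `msiexec /x` instead of the path to the MSI, and adds `/norestart` and event log entries that the answer does not mention.

```vbscript
' Added example: GPO computer startup script that removes one MSI product.
' Startup scripts run as Local System, so no user elevation is involved.
Option Explicit

' PLACEHOLDER: replace with the ProductCode GUID of the MSI that was deployed.
Const PRODUCT_CODE = "{00000000-0000-0000-0000-000000000000}"

' Windows Installer values used below.
Const INSTALLSTATE_DEFAULT = 5              ' product is installed
Const ERROR_SUCCESS = 0
Const ERROR_SUCCESS_REBOOT_REQUIRED = 3010

' Event types accepted by WshShell.LogEvent.
Const EVT_SUCCESS = 0
Const EVT_ERROR = 1

Dim shell, installer, cmd, rc
Set shell = CreateObject("WScript.Shell")
Set installer = CreateObject("WindowsInstaller.Installer")

' Do nothing on machines that never received the package, so the script
' can stay linked to the GPO without launching msiexec on every boot.
If installer.ProductState(PRODUCT_CODE) <> INSTALLSTATE_DEFAULT Then
    WScript.Quit 0
End If

' Silent uninstall; window style 0 = hidden, True = wait for msiexec to exit.
cmd = "msiexec.exe /x " & PRODUCT_CODE & " /qn /norestart"
rc = shell.Run(cmd, 0, True)

' Record the outcome in the Application event log so failed removals
' can be found later instead of going unnoticed.
If rc = ERROR_SUCCESS Or rc = ERROR_SUCCESS_REBOOT_REQUIRED Then
    shell.LogEvent EVT_SUCCESS, "Removed " & PRODUCT_CODE & _
        " (msiexec exit code " & rc & ")"
    WScript.Quit 0
Else
    shell.LogEvent EVT_ERROR, "Uninstall of " & PRODUCT_CODE & _
        " failed, msiexec exit code " & rc
    WScript.Quit rc
End If
```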

Thanks bloke,

That is very good advice, I will give it a go.

Answered 05/16/2006 by: theGrudge
Yellow Belt

If you're using SMS you can have several programs associated with one package. You could have an uninstall program (which you can create automatically by creating the package from an msi by definition). Then have another collection, remove them from the install collection, add them to the uninstall collection, set up an advertisement for the uninstall and there you have it. [;)]
Answered 07/31/2006 by: leegend
Orange Belt
