Some initial background:

We have about 250 staff using Windows XP SP-2. We are using Windows 2003 servers.

We have 1 major Group Policy object in Active Directory for software deployment it is called BCSCNet Global Policy.

We are deploying (assigning) all software to computers only within the this 1 BCSCNet Global Policy. No publishing to users.

Some of our packages are deployed to all computers (e.g Microsoft Office 2003, Lotus Notes, etc).

When I add these packages to the group policy and I examine the "security tab" it says authenticated users - ie next reboot
of all computers these packages will be deployed - that is just fine.

Some of the software packages (e.g Adobe Acrobat Professional 7.0) is only going to a specific group of computers.

I therefore have setup a series of software application groups in Active Directory e.g SG APP Adobe Acrobat Professional 7.0.

In this group I have added the computer names that will need this software e.g


When I assign Adobe Acrobat Professional 7.0 in Active Directory I go to the security tab and remove the authenticated users and add
my special group SG APP Adobe Acrobat Professional 7.0. I give this group read access permissions.

Now when Computers1,2,3,4,5,6 are restarted Adobe Acrobat Professional 7.0 is deployed to their computer - just as I expected. So far
everything is working fine.

A few weeks latter, it is decided that Computer6 no longer needs Adobe Acrobat Professional 7.0. I go into my SG APP Adobe Acrobat Professional 7.0
group and remove Computer6 from the group.

I then do a gpupdate on Computer6 and restart. What I think should happen - ie automatic uninstall of Adobe Acrobat Professional 7.0 "does not" happen.

What am I doing wrong?

Of note, in the Deployment Tab for all of our software (including Adobe Acrobat Professional 7.0) we have chosen "not" to tick the box
"Uninstall This Application When It Falls out of the Scope of Management". My understanding is that this applies when a user or computer is removed
from the group policy object in which it resides. In our environment, we have "1" and only 1 group policy object for software deployment. We are not actually
removing the computer from this group policy object - just removing its membership within an application group.

Can you assist me with some understanding about "this" tick box. We want to be able to automatically "uninstall" software from our groups- just like the
scenario outlined above.

As I said we have 1 group policy object for software deployment - BCSCNet Global Policy. In BCSCNet Group Policy we are pushing out all of our software
packages - some to all computers, some to only a specific subset of computers.

I have seen where some people have suggested creating special group policy objects for each software package - eg. BCSCNet Adobe Acrobat Professional,
BCSCNet Adobe Photoshop, etc, etc. Is this a better way to provide more "granularity" in software deployment.

In any event I hope this long winded message makes sense.
0 Comments   [ - ] Hide Comments


Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
Answer this question or Comment on this question for clarity


Hi John,
in MS words: This is is not a bug, but a feature :-) This behaviour is like its intended.
To achieve your goal, you have to check the "Uninstall This Application When It Falls out of the Scope of Management" box. I consider this one of the more self explaining checkboxes on MS-Systems. :-)
But the worst thing you got here, is the one and only GPO for SW deployment. This is very, very unflexible in many ways.
And their is no benefit at all for that.
With this, you can remove the GPO from a computer and the app is gone.
What are you doing, when you have to reapply just one app?
In the past, we had some GPO's with more than one app on it too and we are moving away from that, as fast as possible.
Hope this helps a bit.
Regards, Nick
Answered 10/19/2006 by: nheim
Tenth Degree Black Belt

Please log in to comment
Move to GPO forum?
Answered 10/20/2006 by: turbokitty
Sixth Degree Black Belt

Please log in to comment