Deploy Office 2003 with Group Policy

paradigm · 12 Nov 2008 at 16:12

Hi Guys,

I posted this over at Experts Exchange, but typically no-one is actually an expert and as such no-one has answered my query.

Trying to push Office 2003 out to specific users through the use of Group Policy, and have been searching high and low for an answer to this to no avail.

I've got the MSI file modified by running "setup.exe /a" from the CD-ROM, and placed it into a globally accessible share. I've created a transform to weed out Access/InfoPoint/Publisher and set office up how I want it, and am at the stage of trying to assign it to the people I need to have it installed.

My problem lies with only giving office to people within the "Office 2003 Basic" Group within ADUC. I have an OU called "Software Deployment", containing another OU called "Office 2003". This "Office 2003" OU contains a User Group called "Office 2003 Users", which has 12 or so users whom are members (and need Office 2k3). Nothing ever gets installed at logon (I have the "install at logon" tickbox checked).

If I physically move users to be contained in the OU "Office 2003" then the software deploys absolutely fine (so I know the GPO is set up correctly).

Is there a way of pushing applications to Group Members?

Or am I barking up the wrong tree?

Cheers.

katana6434 · 12 Nov 2008 at 16:22

Not sure if I'm reading this right, but...

Which OU is the GPO on? If the GPO is on the OU Office 2003, then it will only install to users in this OU (and in any OU's conatined in this OU).

The best way to do this would be to put the GPO at the top level (i.e. domain level or at the highest level where you would cover all users), and then use security filtering to apply the GPO only to people in Office 2003 Basic Group.

I would also reccomend installing and using the Group Policy Management Console. It makes managing GPO's a lot easier than using ADUC.

Hope this helps.

paradigm · 12 Nov 2008 at 16:39

Imagine it like this:

domain.com > Software Distribution Groups (OU) > Microsoft (OU) > Office 2003 (OU) - This is where the Security Group is.

domain.com > Users (OU) > Department (OU) > Standard Users (OU) - This is where the users are.

Within this "Office 2003" OU, there is a Distribution Group called "Office 2003 Basic Users", the members of which I want to install Office 2003 with a transform applied to remove access etc (transform already set up and applied).

I am using GPMC to admin GPO's, which means I cannot choose where I create the GPO, it goes in "Group Policy objects" container, and only lets me link to GPOs at OU level.

katana6434 · 12 Nov 2008 at 16:53

OK.

With the GPO's I meant link... but, where have you linked the GPO to?

If you link the GPO at the Standard Users OU, then use security filtering to apply it only to the correct security group, then I see no reason why this shouldn't work.

paradigm · 12 Nov 2008 at 16:56

Well I tried having the GPO link at domain root level, and at the Office 2003 OU level. Not really wanting to put it at the Standard Users OU, as this would mean linking it 4 or 5 times for different departments, then multiple times for different levels of user (standard, supervisor, manager, etc).

I would have assumed linking at domain level, then setting "Office 2003 Basic Users" group to have "apply group policy" permissions would have done the trick, but alas no, it does nothing.

IAmATeaf · 12 Nov 2008 at 16:57

Don't think you can do the above. A GPO applies to either a Computer or User (or both) so linking the GPO to the Office 2003 OU and only having a Security Group under it will have no effect.

As pointed out bu katana6434 link the GPO to an OU where the users are (or higher) then use Security filtering to only apply the policy to the Office 2003 Basic Users group.

paradigm · 12 Nov 2008 at 17:00

So like I said, having at domain root level, and filtering it out as above has been tried.

It had no effect.

katana6434 · 12 Nov 2008 at 17:00

Not really wanting to put it at the Standard Users OU, as this would mean linking it 4 or 5 times for different departments, then multiple times for different levels of user (standard, supervisor, manager, etc).

You don't have to link it there, was just using it as an example. You can link it at the Users OU, then it will apply to everything below it (if they are in the security group that is).

Have you got any OU's blocking inheritance, so that people in the Standard Users Ou are not actually getting the GPO. If you click on the Standrad Users GPO in GPMC and click on the Group Policy Inheritance tab, is the GPO listed in there.

paradigm · 12 Nov 2008 at 17:04

I had nothing blocking policy inheritance, and yes, the GPO is listed for the OU.

I think I have found the problem, I had to set Computer Settings > Administrative Templates > System > Logon > Always Wait for the Network at Logon To be Enabled.

IAmATeaf · 12 Nov 2008 at 17:04

In GPMC if you click on the OU where the users are and then select the GP Inheritance tab does it list the GPO there?

katana6434 · 12 Nov 2008 at 17:05

So like I said, having at domain root level, and filtering it out as above has been tried.

It had no effect.

Check that none of the OU's between Domain Root and Standrad Users are blocking inheritance. The OU will have a little blue cirlce with an exclamation mark in it in the GPMC if it has. If this is the case you will have to enforce the office 2003 GPO.

katana6434 · 12 Nov 2008 at 17:07

Not quick enough with that reply there was I

I think I have found the problem, I had to set Computer Settings > Administrative Templates > System > Logon > Always Wait for the Network at Logon To be Enabled.

That could explain it. That would generally mean that the users are logging on before the network is fully up, hence they are not picking up the GPO's.

paradigm · 12 Nov 2008 at 18:39

Cheers Katana, you've been most helpful.

Just out of interest, did you see my RIS based question yesterday? Any thoughts?