/build/static/layout/Breadcrumb_cap_w.png

How do you keep the administrator from getting all packages?

Hello,
I was curious how you all deal with this issue. When you create a new MSI package and deploy it by group policy the administrator group is in my security tab as full control. That means whoever is in the admin group will get the package. The problem is if the admin is on all the groups they get all the package.

How do most of you handle this? Do you take the admin group out and put another user group in that can modify the package if need be?

Hope this makes sense..

0 Comments   [ + ] Show comments

Answers (4)

Posted by: Sweede 20 years ago
Second Degree Green Belt
0
Domain Admins, Enterpriceadmins, System

Should have Read, Write Create and Delete All Child objects, but not Apply Group Policy

You could make a deployment group say called appAdobeReader6.0

and to this group you give Apply Group Policy and Read.

IF you have to rip a package off one single member You can add this member and give this member Deny in the group policy security settings this will overrule any apply rights he might have elseware.


Members can be both computer name or Username.

When You add a new GPO normally Authenticated Users have rights to Read and Apply Group Policy You should remove Authenticated Users from having Read and Apply GPO.


Sweede [;)]
Posted by: cdupuis 20 years ago
Third Degree Green Belt
0
Or you could create a seperate Organizational unit for the computer and user account of the administrator and select the Block Inheritance option in Group Policy for the OU.
Posted by: MITSU 16 years ago
Yellow Belt
0
i cannot find this " Apply Group Policy " where can you add this?
Posted by: eclipca 16 years ago
Senior Yellow Belt
0
To add the deny "apply group policy" setting, you go to delegation of the GPO in GPMC, and choose advanced. Then you can change the settings of the different users / groups.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ