How do you keep the administrator from getting all packages?
Hello,
I was curious how you all deal with this issue. When you create a new MSI package and deploy it by group policy the administrator group is in my security tab as full control. That means whoever is in the admin group will get the package. The problem is if the admin is on all the groups they get all the package.
How do most of you handle this? Do you take the admin group out and put another user group in that can modify the package if need be?
Hope this makes sense..
I was curious how you all deal with this issue. When you create a new MSI package and deploy it by group policy the administrator group is in my security tab as full control. That means whoever is in the admin group will get the package. The problem is if the admin is on all the groups they get all the package.
How do most of you handle this? Do you take the admin group out and put another user group in that can modify the package if need be?
Hope this makes sense..
0 Comments
[ + ] Show comments
Answers (4)
Please log in to answer
Posted by:
Sweede
20 years ago
Domain Admins, Enterpriceadmins, System
Should have Read, Write Create and Delete All Child objects, but not Apply Group Policy
You could make a deployment group say called appAdobeReader6.0
and to this group you give Apply Group Policy and Read.
IF you have to rip a package off one single member You can add this member and give this member Deny in the group policy security settings this will overrule any apply rights he might have elseware.
Members can be both computer name or Username.
When You add a new GPO normally Authenticated Users have rights to Read and Apply Group Policy You should remove Authenticated Users from having Read and Apply GPO.
Sweede [;)]
Should have Read, Write Create and Delete All Child objects, but not Apply Group Policy
You could make a deployment group say called appAdobeReader6.0
and to this group you give Apply Group Policy and Read.
IF you have to rip a package off one single member You can add this member and give this member Deny in the group policy security settings this will overrule any apply rights he might have elseware.
Members can be both computer name or Username.
When You add a new GPO normally Authenticated Users have rights to Read and Apply Group Policy You should remove Authenticated Users from having Read and Apply GPO.
Sweede [;)]
Posted by:
cdupuis
20 years ago
Or you could create a seperate Organizational unit for the computer and user account of the administrator and select the Block Inheritance option in Group Policy for the OU.
Posted by:
eclipca
16 years ago
To add the deny "apply group policy" setting, you go to delegation of the GPO in GPMC, and choose advanced. Then you can change the settings of the different users / groups.
Rating comments in this legacy AppDeploy message board thread won't reorder them,so that the conversation will remain readable.
