Question about removing a computer from a security group
We are deploying software via Active Directory and Group Policy in a Windows XP and Windows 2003 Server environment.
We have created 2 software application groups:
1. SG APP DM with Active Integration
2. SG APP DM without Active Integration
In each group are computer machine names, e.g. DWTING3
We are deploying computer based software:
DM with Active Integration -----> is deployed to the computer machine names in the group SG APP DM with Active Integration.
DM without Active Integration -----> is deployed to the computer machine names in the group SG APP DM without Active Integration.
Our user DWTING3 was originally placed into group #2 - SG APP DM without Active Integration.
My question:
If I remove the computer machine name DWTING3 from the SG APP DM without Active Integration group and place that machine name, i.e. DWTING3, into the group SG APP DM with Active Integration, will the following happen? In other words, this is what I want to happen:
1. The DM without Active Integration software will be automatically removed from the DWTING3 machine next system reboot and the new DM with Active Integration software will be "pushed" by Active Directory to the newly placed DWTING3 in the group SG APP DM with Active Integration upon next reboot.
Is this the way this is supposed to work? If not, how can I get it to work this way if at all possible.
Answers (4)
Posted by:
brenthunter2005
18 years ago
That is correct, it can work that way. But unfortunately with Active Directory you are unable to ensure the correct order of installation/uninstallation.
The best method would be to make the "SG APP DM without Active Integration" MSI package upgrade the "SG APP DM with Active Integration". Otherwise the "SG APP DM with Active Integration" could possibly install over the "SG APP DM without Active Integration", causing problems.
Posted by:
revizor
18 years ago
"Our user DWTING3"
I take it, DWTING3 is a computer, not a user - right?
Regarding removal of software when a computer is taken out of the group, you can control this behavior by specifying the setting "Uninstall this application when it falls out of scope of management".
Or, better, follow brenthunter2005's advice about specifying upgrade (replace) relationship between the packages - this way you won't end up with both pieces of software on the same box.
Also, "next reboot" is a very stretchable concept when it comes to Windows XP workstations. There are settings you can apply to make it work the same way Windows 2K used to. To be safe, you can reword as "after several (1,2...x) reboots".
To brenthunter2005: the sequence of installation of software packages follows the same logic as the precedence of Group Policies. Inside the same Group Policy, from what I can conclude, the sequence of packages within the scope of management basically reflects the sequence of addition of packages to the policy.
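The group swap discussed above, scripted so that DWTING3 ends up in exactly one of the two deployment groups, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available on the administrator's machine and that the group names resolve as written; `Move-ComputerToAppGroup` is a hypothetical helper name.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Move-ComputerToAppGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [string] $FromGroup,
        [Parameter(Mandatory = $true)] [string] $ToGroup
    )

    # Resolve all three objects first so a typo fails before anything changes.
    $computer = Get-ADComputer -Identity $ComputerName -ErrorAction Stop
    $from     = Get-ADGroup    -Identity $FromGroup    -ErrorAction Stop
    $to       = Get-ADGroup    -Identity $ToGroup      -ErrorAction Stop

    if ($PSCmdlet.ShouldProcess($computer.Name, "move from '$FromGroup' to '$ToGroup'")) {
        # Remove before adding: if the second step fails, the machine is in
        # neither group rather than in both, so both packages are never in
        # scope at the same time.
        Remove-ADGroupMember -Identity $from -Members $computer -Confirm:$false -ErrorAction Stop
        Add-ADGroupMember    -Identity $to   -Members $computer -ErrorAction Stop
    }

    # Verify direct membership after the change (also runs under -WhatIf,
    # where it simply reports the current state).
    $dn     = $computer.DistinguishedName
    $inFrom = @(Get-ADGroupMember -Identity $from | Where-Object { $_.DistinguishedName -eq $dn }).Count -gt 0
    $inTo   = @(Get-ADGroupMember -Identity $to   | Where-Object { $_.DistinguishedName -eq $dn }).Count -gt 0

    if ($inFrom -and $inTo) {
        Write-Warning "$($computer.Name) is in both groups; both packages are in scope."
    }

    # The computer evaluates its group membership at startup, so Group Policy
    # only sees this change after the machine restarts.
    New-Object PSObject -Property @{
        Computer    = $computer.Name
        InFromGroup = $inFrom
        InToGroup   = $inTo
    }
}

# Names taken from the question; -WhatIf previews the change without applying it.
Move-ComputerToAppGroup -ComputerName 'DWTING3' `
    -FromGroup 'SG APP DM without Active Integration' `
    -ToGroup   'SG APP DM with Active Integration' -WhatIf
```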
Posted by:
AngelD
18 years ago
By using ASSM (Assigned Software Sequence Manager) from http://www.sywan.nl you can change the application order in a single GPO. In that way you can make sure the "uninstallation" (Uninstall this application when it falls out of scope of management) comes before the installation of the new/other application.
Posted by:
brenthunter2005
18 years ago