404 Tech Support

Using Group Policy to deploy software to select computers

Assigning software through Group Policy is traditionally thought of as a pretty simple and inexpensive way of automating the deployment of software to entire groups of computers. These groups are defined in Active Directory (AD) and are more accurately called Organizational Units (OUs). While it does not require the purchase of any additional software, there are a few downfalls to using Group Policy software deployment:

These downfalls are not that bad. You have to take extra steps and extra consideration if you do not receive the setup files in the form of a .MSI, but more and more tools are becoming available to deal with that.

The uninstall and re-install of software occurs at startup. If you are using any power management (Intel’s AMT or Wake-On-LAN) you can have the machines boot up hours before users arrive to have them updated and all the software installed.

As for installing software on an entire OU, the rest of this article should guide you past the default settings so you can specify which computers or security groups receive the software (remaining in line with your licenses).

Best practice is to create a new Group Policy Object (GPO) for each software installation you want to do. That provides the greatest granularity of control while remaining easiest to understand. Because we’ll be specifying computers manually, the GPO could sit at the top-level OU and it wouldn’t really matter, but there’s no need to go any higher than necessary; this all depends on your Active Directory structure. If the AD is configured to be a flat organization, you don’t really have a choice. If you have a tiered structure and only a sub-“folder” of ‘Employee Computers’ needs the software, you can just create the GPO at the ‘Employee Computers’ level.

Since a GPO takes immediate effect (plus the interval for your computers to refresh their policy), after creating it, you should unlink it so you can make changes and not worry about it affecting computers until it is finalized.

Assign the software to the OU

Create a new Group Policy at the OU level of the computers you want to install this software upon.

Edit the Policy with the Group Policy Object Editor. Right-click on Computer Configuration -> Software Settings -> Software installation and choose New package.
Browse to the .msi modified in the above steps and choose to open.
Choose an Advanced deployment method.
Under the Deployment tab, check Uninstall this application when it falls out of the scope of management. (Optional, but it provides the ability to uninstall software from computers by simply removing them from those allowed to have the software.)
Click OK and close the Group Policy Object Editor.

Specify the Computers within the OU

In the Group Policy Management Console, choose the new GPO that you created from the tree in the left-pane.


In the right-pane, under the Scope tab and the section of Security Filtering:

Remove Authenticated Users.

Add computers or groups of computers that you want to receive this software.

From the screenshot two above you can see that I have added LIBSTFSYS05 to receive this Group Policy. For this example, that computer will be the only computer able to apply this Group Policy.

As soon as you have all the computers or groups added, enable the link. As machines are restarted they will receive the newly assigned software if they are in the Security Filtering list.
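The same scoping steps can be scripted with the GroupPolicy PowerShell module and followed by a check of who actually holds the Apply right before the link is enabled. This is an added example, not part of the original article: the GPO name and OU path are assumed, only LIBSTFSYS05 comes from the text, and it handles individual computer accounts rather than groups.

```powershell
#Requires -Modules GroupPolicy
# Added example. Only LIBSTFSYS05 comes from the article; other names are assumed.
$GpoName  = 'Deploy - Example App'                     # hypothetical GPO name
$TargetOU = 'OU=Employee Computers,DC=example,DC=com'  # hypothetical OU path
$Allowed  = @('LIBSTFSYS05')                           # computers licensed for the software

# Create the GPO and link it disabled so nothing applies while it is being built.
New-GPO -Name $GpoName -Comment 'Software deployment, security filtered' | Out-Null
New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled No | Out-Null

# The .msi package is added in the Group Policy Object Editor at this point.

# Security Filtering: remove Authenticated Users, then grant Read + Apply per computer.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null
foreach ($computer in $Allowed) {
    Set-GPPermission -Name $GpoName -TargetName $computer -TargetType Computer `
        -PermissionLevel GpoApply | Out-Null
}

# Check: every trustee holding Apply must be on the allowed list.
# Computer accounts may be reported with a trailing '$', so strip it before comparing.
$unexpected = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    Where-Object { $Allowed -notcontains $_.Trustee.Name.TrimEnd('$') }

if ($unexpected) {
    # Leave the link disabled and report who else would receive the software.
    $unexpected | ForEach-Object { Write-Warning "Unexpected Apply right: $($_.Trustee.Name)" }
} else {
    Set-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
    Write-Output "Link enabled; '$GpoName' applies only to: $($Allowed -join ', ')"
}
```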

One other thing that might be of interest regarding filtering group policy to select computers is right below the Security filtering on the same page. If you maximize the window, you’ll be able to see WMI Filtering. WMI filtering allows you to choose computers based on their attributes, like version of Windows, timezone, and many other qualities. One word of caution is that Windows 2000 machines will completely ignore WMI filtering and apply the group policy regardless.

You can read more about WMI Filtering from Microsoft’s TechNet site.