Excellent - Thanks for the tip. Very prompt as usual! Regards, Robert From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Monday, 8 September 2008 10:06 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: GPO S/W Deployments Not configured-since it's a policy, it will be removed during the next background refresh cycle. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Robert Mariani Sent: Sunday, September 07, 2008 5:03 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: GPO S/W Deployments Hi Darren, Since it the option to Always elevate has been set in around 25 GP's, should I set it to Disabled or just the default Not Configured in each of them? Robert From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Monday, 8 September 2008 9:53 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: GPO S/W Deployments Robert- That policy (Always install elevated) only applies to MSI installations that are un-managed (i.e. not deployed via GP). As such, its probably not a good idea, from a security perspective, to enable that policy unless you really really need to. Any software deployed via GP is automatically elevated (either per-computer or per-user). However, there are circumstances when settings within individual MSI packages will try to thwart this (e.g. by requiring that only administrators can install). But normally, GP-deployed packages are already elevated. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Robert Mariani Sent: Sunday, September 07, 2008 3:57 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] GPO S/W Deployments Hi All, I would like to ask the experts about GPO software deployments. Currently I have software being deployed via MSI/MST computer based GP's which are linked to the computers OU. In the GPO I have set Windows installer for standard logging and enabled "Always install with elevated privileges". Does having this privilege - even though only applied to the computer allow a user (who is just a domain user) to install software. I have only found conflicting advice using Google. Is this a recommended setting for deploying software? We only use computer targeted software deployments rather than publishing to a user. Regards, Robert Mariani Applications Manager -- The Buchan Group, Melbourne Architecture+Master Planning+Interiors+Graphics A 133 Rosslyn St West Melbourne Vic 3003 Australia GPO Box 4584 Melbourne Vic 3001 Australia W www.buchan.com.au <http://www.buchan.com.au/> This message is transmitted subject to our email policies and may only be relied on by an authorised recipient. Click on this link to view the policies: http://www.buchan.com.au/policies.htm