Create a group to encapsulate the users (Local-Admins-Tablets) and add them to this group
Create a sub-OU of the current workstations OU and put the tablets in here (Workstations\Tablets)
Create a GPO (Local-Admins-Tablets-Policy) and link it to the Workstations\Tablets OU
In the GPO, set the following:
- Comp Config - Policies - Windows Settings - Security Settings - Restricted Groups
- Right click, Add Group
- "Administrators", OK
- Members of this Group: myDomain\Local-Admins-Tablets
Reboot the PCs, and done.
Bear in mind that setting Restricted Groups will overwrite the machine's existing list of local Administrators. If you have other users/groups in there already, you will need to add them to this policy too. Other examples would be myDomain\Domain Admins, etc.
EDIT: Oh, and change the filtering on the GPO and add Domain Computers. The easiest way to do this is to use the Group Policy Management MMC snap-in (you can get this from the Remote Server Administration Tools from Microsoft).
Diagnosing 'silent' MSI installation failures can be done like this:
Firstly, check your GPO is applying correctly. Use the Group Policy Management Console to run a report on a target machine, and view this report to check that the GPO that assigns the software installation is applying correctly. If this part isn't working right then there's no point in going any further. A fault either in the GPO in question or in any other GPO that should be applied before or alongside it can cause a workstation to stop processing GPOs.
With that done, check the event logs on the target machine:
Open Computer Management -> Event Viewer -> Windows Logs -> Application
You're looking for errors with a source of MsiInstaller (and any other events that get logged at the same time of course).
Finally, a lot of applications record their own log as part of the installation process. If you can find the local folder that the MSI installation was run from then there may be a detailed error log inside that (of course, if you can find errors in the Windows Event Viewer then this will hopefully also mention the application logfile and tell you where to find it).
Also check that the following setting is being applied to the target computers via GPO, and if not, set it and then run gpupdate /force from a command line on a target computer, and reboot.
Computer Settings
-> Administrative Templates
-> System
-> Logon
-> Always wait for the network at computer startup and logon – Enabled
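The three checks described in this answer (GPO report, MsiInstaller events, the "Always wait for the network" setting) can be run in one pass on the target machine. This is an added example, not part of the original answer; `$ReportPath` and `$LookbackDays` are illustrative values, and the script assumes an elevated PowerShell session.

```powershell
# Added example: run elevated on the target workstation.
# $ReportPath and $LookbackDays are illustrative values, not from the answer.
$ReportPath   = Join-Path $env:TEMP 'gpo-computer-report.html'
$LookbackDays = 7

# 1. Write a report of the computer-side GPOs that applied (or were denied).
gpresult /scope computer /h $ReportPath /f
Write-Host "Group Policy report written to $ReportPath"

# 2. Pull MsiInstaller errors and warnings from the Application log.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    Level        = 2, 3                          # 2 = Error, 3 = Warning
    StartTime    = (Get-Date).AddDays(-$LookbackDays)
}
$msiEvents = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if ($msiEvents) {
    $msiEvents | Sort-Object TimeCreated |
        Format-List TimeCreated, Id, LevelDisplayName, Message

    # Show everything else logged within a minute of the newest failure,
    # since related events from other sources often explain the cause.
    $latest = ($msiEvents | Sort-Object TimeCreated -Descending)[0].TimeCreated
    $window = @{
        LogName   = 'Application'
        StartTime = $latest.AddSeconds(-60)
        EndTime   = $latest.AddSeconds(60)
    }
    Get-WinEvent -FilterHashtable $window |
        Sort-Object TimeCreated |
        Format-Table TimeCreated, ProviderName, Id, LevelDisplayName -AutoSize
} else {
    Write-Host "No MsiInstaller errors or warnings in the last $LookbackDays days."
}

# 3. Check "Always wait for the network at computer startup and logon".
#    The policy is stored as SyncForegroundPolicy = 1 under this key.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$val = (Get-ItemProperty -Path $key -Name SyncForegroundPolicy `
            -ErrorAction SilentlyContinue).SyncForegroundPolicy

if ($val -eq 1) {
    Write-Host 'Always wait for the network: Enabled'
} else {
    Write-Host 'Always wait for the network: NOT enabled by policy.'
    Write-Host 'Set it in the GPO, run gpupdate /force, then reboot.'
}
```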
Best Answer
Check out this article, it should address your needs:
http://blogs.technet.com/b/grouppolicy/archive/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences.aspx
And like Joe said, yes, you can use groups for computers as well.