1. Steps to Deploy Software with Group Policy
The tasks for deploying software with Group Policy are as follows:
1. | Plan and prepare the software deployment.
| 2. | Set up an SDP.
| 3. | Create a GPO and a GPO console for software deployment.
| 4. | Specify the software deployment properties for the GPO.
| 5. | Add Windows Installer packages to the GPO, and select a package deployment method.
| 6. | Set Windows Installer package properties.
|
2. Planning and Preparing a Software Deployment
Before
you can begin deploying software with Group Policy, you must plan the
deployment. When planning for software deployment, you should
Review
your organization’s software requirements on the basis of your overall
organizational structure within Active Directory and your available GPOs Determine how you want to deploy your applications Create a pilot to test how you want to assign or publish software to users or computers Prepare
your software using a format that allows you to manage it based on what
your organization requires, and test all Windows Installer packages or
repackaged software Gather the Windows
Installer packages (.msi files) for the software. Perform any necessary
modifications to the packages and gather the transform (.mst) or patch
(.msp) files
Table 1
describes strategies and considerations for deploying software. Some of
these strategies might seem contradictory, but select the strategies
that meet your business goals.
Table 1. Strategies and Considerations for Deploying Software| Strategy | Considerations |
|---|
| Create OUs based on software management needs. | Allows
you to target applications to the appropriate set of users. Group
Policy security settings are not required to target the appropriate set
of users. | | Deploy software close to the root in the Active Directory tree. | Makes
it easy to provide all users in an organization with access to an
application. This reduces administration because you can deploy a
single GPO rather than having to re-create a GPO in multiple containers
deep in the Active Directory tree. | | Deploy multiple applications with a single GPO. | Reduces
administration overhead by allowing you to create and manage a single
GPO rather than multiple GPOs. The logon process is faster because a
single GPO deploying 10 applications processes faster than 10 GPOs,
each deploying one application. This strategy is appropriate in
organizations where users share the same core set of applications. | | Publish or assign an application only once in the same GPO or in a series of GPOs that might apply to a single user or computer. | Makes it easier to determine which instance of the application applies to the user or computer. |
Note Software
licenses are required for software written by independent software
vendors and distributed using SDPs. It is your responsibility to match
the number of users who can access software to the number of licenses
you have on hand. It is also your responsibility to verify that you are
working within the guidelines provided by each independent software
vendor with the software. |
3. Setting Up an SDP
After
you have planned and prepared for software management, the next step is
to copy the software to one or more SDPs, network locations from which
users are able to get the software that they need.
To set up an SDP, complete the following steps:
1. | Create
the folders for the software on the file server that will be the SDP,
and make the folders network shares—for example:
\\servername\sharename\.
| 2. | Copy the software, packages, modifications, all necessary files, and components to a folder on the SDP.
Note Some
software supports special commands to facilitate the creation of an
SDP. For example, Office XP should be prepared by running setup /a
from a command prompt. This allows you to enter the software key once
for all users, and to enter the network share (SDP) location to copy
the files to. Other software might have other ways to expand any
compressed files from the distribution media and transfer the files to
the appropriate location. |
| 3. | Set
the appropriate permissions on the folders. Administrators must be able
to change the files (Full Control), and users must only view (Read) the
files from the SDP folders and shares. Use Group Policy to manage the
software within the appropriate GPO.
|
|
The
Microsoft Distributed File System (DFS) provides users with convenient
access to shared folders that are distributed throughout a network.
With DFS, you can make files distributed across multiple servers appear
to users as if they reside in one place on the network. For a software
deployment with Group Policy, you can set up DFS to automatically
direct users to the nearest SDP. Configuring DFS to manage SDPs is
beyond the scope of this training kit. You can find detailed
information about configuring DFS in the Microsoft Windows Server 2003 Resource Kit from Microsoft Press.
|
4. Creating a GPO and a GPO Console for Software Deployment
In
this step, you create a GPO and a GPO console for the software
deployment.
5. Specifying Software Deployment Properties for the GPO
In
this step, you define the default settings for all Windows Installer
packages in the GPO in the Software Installation Properties dialog box.
The Software Installation Properties dialog box consists of the
following tabs—General, Advanced, File Extensions, and Categories.
In the General and Advanced tabs, you specify how you want all Windows Installer packages in the GPO to be deployed and managed.
In
the File Extensions tab, you specify which application users install
when they select a file with an unknown extension. You can also
configure a priority for installing applications when multiple
applications are associated with an unknown file extension.
For
example, if you use a GPO to deploy both Microsoft Office XP
Professional and Microsoft FrontPage 2002, both applications can edit
Spreadsheet Load Library files with the .sll extension. To configure
the file extension priority so that users who are managed by this GPO
always install FrontPage, set FrontPage as the application with the
highest priority for the .sll extension. When a user managed by this
GPO who has installed neither Microsoft Word 2002 nor FrontPage 2002
receives an .sll file (by e-mail or other means) and double-clicks the
.sll file, Software Installation installs FrontPage 2000 and opens the
.sll file for editing. Without Software Installation, the user would
see the Open With dialog box and be asked to select the best
alternative from the software already present on his or her computer.
File extension associations are managed on a per-GPO basis. Changing
the priority order in a GPO affects only users who have that GPO
applied to them.
In the Categories tab,
you can designate categories for organizing assigned and published
applications to make it easier for users to locate the appropriate
application from within Add Or Remove Programs in Control Panel.
Note Some
settings in the Software Installation Properties dialog box can be
fine-tuned at the package level by editing the Properties dialog box
for a specific Windows Installer package. |
To specify software deployment properties for the GPO, complete the following steps:
1. | Open the GPO console for the software deployment.
| 2. | In the User Configuration or Computer Configuration node, right-click the Software Installation node and then click Properties.
| 3. | In the General tab of the Software Installation Properties dialog box (shown in Figure 1),
type the Uniform Naming Convention (UNC) path (\\servername\sharename)
to the SDP for the Windows Installer packages (.msi files) in the GPO
in the Default Package Location box.
| 4. | In the New Packages section, select one of the following options:
Display
The Deploy Software Dialog Box, which specifies that when you add new
packages to the GPO, the Deploy Software dialog box will display,
allowing you to choose whether to assign, publish, or configure package
properties. This is the default setting. Publish,
which specifies that when you add new packages to the GPO, they will be
published by default with standard package properties. Packages can be
published only to users, not computers. If this is an installation
under the Computer Configuration node of the Group Policy Object Editor
console, the Publish choice is unavailable. Assign,
which specifies that when you add new packages to the GPO, they will be
assigned by default with standard package properties. Packages can be
assigned to users and computers. Advanced,
which specifies that when you add new packages to the GPO, the
Properties dialog box for the package will display, allowing you to
configure all properties for the package.
| 5. | In the Installation User Interface Options section, select one of the following options:
Basic, which provides only a basic display for users during the installation of all packages in the GPO. Maximum, which provides all installation messages and screens for users during the installation of all packages in the GPO.
| 6. | Click the Advanced tab. In the Advanced tab, shown in Figure 2, select any of the following options to be applied to all packages in the GPO:
Uninstall
The Applications When They Fall Out Of The Scope Of Management, which
removes the application if it no longer applies to users or computers. Off the Record In
rare instances, when applications installed with Software Installation
cannot be uninstalled by using Group Policy or Add/Remove Programs, you
can use the Msicuu.exe (Windows Installer Cleanup Utility) or the
Msizap.exe (Windows Installer Zapper) programs. Msicuu and Msizap
remove registry entries from a faulty installation. These utilities are
part of the Windows Support Tools on the Windows Server 2003 CD in the
Support\Tools folder. Msicuu is a graphical utility and Msizap is the
command line version. MSICUU uses MSIZAP to remove applications. For
detailed information about using these commands, refer to the Support
Tools Help. |
Include
OLE Information When Deploying Applications, which specifies whether to
deploy information about Component Object Model (COM) components with
the package. Make 32-Bit X86 Windows
Installer Applications Available To Win64 Machines, which specifies
whether 32-bit Windows Installer Applications (.msi files) can be
assigned or published to 64-bit computers. Make
32-Bit X86 Down-Level (ZAP) Applications Available To Win64 Machines,
which specifies whether 32-bit application files (.zap files) can be
assigned or published to 64-bit computers.
| 7. | Click the File Extensions tab. In the File Extensions tab, shown in Figure 3,
select the file extension for which you want to specify an automatic
software installation from the Select File Extension list.
| 8. | In
the Application Precedence list box, move the application with the
highest precedence to the top of the list by using the Up or Down
button. The application at the top of the list is automatically
installed if a document with the selected filename extension is invoked
before the application has been installed.
| 9. | Click the Categories tab. In the Categories tab, shown in Figure 4, click Add.
| 10. | In
the Enter New Category dialog box, type the name of the application
category to be used for the domain in the Category box and click OK.
Note The
application categories that you establish are per domain, not per GPO.
You need to define them only once for the whole domain. |
| 11. | Click OK. |
|
