8. Software Deployment Best Practices
The following are the best practices for deploying software with Group Policy:
Assign or publish just once per GPO
A Windows Installer package should be assigned or published no more than once in the same GPO. For example, if you assign Office to the computers affected by a GPO, do not assign or publish it to users affected by the GPO.

Assign or publish close to the root in the Active Directory hierarchy
Because Group Policy settings apply by default to child Active Directory containers, it is efficient to assign or publish by linking a GPO to a parent OU or domain. Use security descriptors—access control entries (ACEs)—on the GPO for finer control over who receives the software.

Make sure Windows Installer packages include modifications before they are published or assigned
Remember that modifications are applied to packages at the time of assignment or publication. Therefore, you should make sure the Modifications tab in the Properties dialog box for the package is set up as you intend before you click OK. If you neglect to do this and assign or publish a modified package before you have completely configured it, you must either remove the software and republish or reassign it or upgrade the software with a completely modified version.

Specify application categories for your organization
It’s easier for users to find an application in Add Or Remove Programs in Control Panel when you use categories.

Take advantage of authoring tools
Developers familiar with the files, registry entries, and other requirements for an application to work properly can author native Windows Installer packages by using tools available from various software vendors.

Repackage existing software
You can use commercially available tools to create Windows Installer packages for software that does not include natively authored .msi files. These work by comparing a computer’s state before and after installation. For best results, install on a computer free of other application software.

Set properties for the GPO to provide widely scoped control
Doing this saves administrative keystrokes when assigning or publishing a large number of packages with similar properties in a single GPO—for example, when all the software is published and it all comes from the same SDP.

Set properties for the Windows Installer package to provide fine control
Use the package properties for assigning or publishing a single package.

Know when to use Group Policy Software Installation and Systems Management Server (SMS)
Use Group Policy Software Installation for simple software installation and deployment scenarios. Use SMS when scheduling, performing inventory, reporting, checking status, and providing support for installation across a wide area network (WAN) is required.

9. Practice: Deploying Software with Group Policy
In this practice, you deploy (assign and publish) the Windows Server 2003 Administration Tools Pack with Group Policy. Installing the Administration Tools Pack on a computer that is not a domain controller allows you to administer Active Directory remotely. Windows Server 2003 ships with the Windows Installer package Adminpak.msi, which is used for installing the Windows Server 2003 Administration Tools Pack. Use the procedures provided earlier in this lesson to complete each exercise.
Exercise 1: Setting Up an SDP
In this exercise, you set up an SDP for the deployment of the Windows Server 2003 Administration Tools Pack.
To set up an SDP:
1. Log on to Server01 as Administrator.
2. Create a shared folder named SDP in C:\ (where C is the name of your system drive). Name the share SDP.
3. Set the appropriate permissions on the folder. Administrators must be able to change the files (Full Control), and Users must only view (Read) the files from the SDP folders and share. Then, on the Security tab of the SDP Properties dialog box, click Advanced and uncheck the box Allow Inheritable Permissions From The Parent To Propagate. In the Security dialog box that appears, click Copy. In the Permissions Entries list select the permission that grants Users Special permissions and click Remove. Click OK in the Advanced Security Settings For SDP dialog box, and click OK in the SDP Properties dialog box.
4. Search the Windows Server 2003 CD-ROM for Adminpak.msi. Copy the Adminpak.msi file to the shared SDP folder.
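Anyone who can write to the SDP can replace the package that Group Policy installs, so the permissions from step 3 are worth verifying. The following is an added example, not part of the original exercise: a PowerShell check of the NTFS ACL on the SDP folder. It assumes an administrative host with PowerShell (not installed by default on Windows Server 2003) and English account names; the function name `Test-SdpAcl` and the allowed-writer list are hypothetical.

```powershell
# Added example: flag NTFS ACEs on the SDP that let non-administrators change packages.
function Test-SdpAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        # Assumed policy: only these principals may hold write-class rights.
        [string[]]$AllowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
    )

    # Rights that allow adding, replacing, deleting or re-permissioning files.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]('WriteData, AppendData, ' +
        'WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ' +
        'ChangePermissions, TakeOwnership')
    # Inherit-only ACEs can carry raw GENERIC_ALL / GENERIC_WRITE bits instead.
    $writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

    $acl = Get-Acl -Path $Path
    $findings = @()

    # Step 3 of the exercise turns off inheritance from the parent folder.
    if (-not $acl.AreAccessRulesProtected) {
        $findings += 'Inheritance from the parent is still enabled'
    }

    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $who = $rule.IdentityReference.Value
        $risky = ([int]$rule.FileSystemRights) -band $writeMask
        if (($risky -ne 0) -and ($AllowedWriters -notcontains $who)) {
            $findings += "$who can modify content: $($rule.FileSystemRights)"
        }
    }
    $findings
}

# Path taken from the exercise; an empty result means no findings.
Test-SdpAcl -Path '\\Server01\SDP'
```

This reads the NTFS ACL only; the share permissions set in step 2 are a separate list and need their own review.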
Exercise 2: Configuring a GPO for Software Deployment (Assign)
In this exercise, you create a GPO and a GPO console for the deployment of the Windows Server 2003 Administration Tools Pack.
1. Log on to Server02 as Lorrin Smith-Bates.
2. Click Start, click All Programs, click Administrative Tools, and make a note of what tools are available. There should be a limited number of tools used to administer the server—you should not see Active Directory administrative tools, such as Active Directory Users And Computers.
   Note: If the Administrative Tools folder does not appear in the All Programs menu, you will need to enable its display. Right-click the taskbar, and select Properties to display the Taskbar And Start Menu Properties dialog box. Click the Start Menu tab, click the Start Menu option, and then click Customize. In the Customize Start Menu dialog box, click the Advanced tab. In the Start Menu Items list under the System Administrative Tools node, select either Display On The All Programs Menu or Display On The All Programs Menu And The Start Menu.
3. Log off of Server02.
To configure a GPO for software deployment:
1. On Server01, create a GPO linked to the West OU. Name the GPO West OU Applications.
2. Create a console for the West OU Applications GPO. Name the console West OU Applications GPO.
3. In the West OU Applications GPO console, right-click the West OU Applications GPO and choose Properties. Click the Security tab, and add the Marketing group to the list of groups.
4. Ensure that the West OU Applications GPO applies to the Marketing group by setting the group’s Apply Group Policy permission to Allow.
5. Deselect the Apply Group Policy permission (currently set to Allow) for the Authenticated Users group. Do not set this permission to Deny.
6. Close the Properties dialog box.
7. In the User Configuration node, Software Settings, right-click the Software Installation node, click New, and then click Package.
8. In the Open dialog box, in the File Name list, type the UNC path (\\Server01\SDP) to the SDP for the Windows Installer packages (.msi files), and press ENTER. Select the Adminpak.msi file, and then click Open.
9. When you’re asked to select a deployment method, indicate that you want to assign the Adminpak.msi package to users.
10. Close and save the West OU Applications GPO console.
Exercise 3: Testing Software Deployment
In this exercise, you test the deployment of the Windows Server 2003 Administration Tools Pack that you assigned to users.
To test software deployment:
1. Log on to Server02 as Lorrin Smith-Bates in the contoso domain.
2. Click Start, click All Programs, and then click Administrative Tools. In addition to several other new administration tools, you should now be able to see Active Directory Users And Computers, Active Directory Sites And Services, and Active Directory Domains And Trusts in the Administrative Tools menu.
3. Open Active Directory Users And Computers. A Setup Wizard appears. By default, when an application is assigned to the user, it is installed the first time the user launches the application.
4. Log off Server02.
Exercise 4: Configuring a GPO for Software Deployment (Publish)
In this exercise, you create a GPO and a GPO console for the deployment of the Windows Server 2003 Administration Tools Pack.
To configure a GPO for software deployment:
1. Log on to Server02 as Pat Coleman.
2. Click Start, click All Programs, click Administrative Tools, and make a note of what tools are available. There should be a limited number of tools used to administer the server—you should not see Active Directory administrative tools. They were assigned to the OU in which Lorrin’s account exists, but not to the OU in which Pat’s account exists.
   Note: If the Administrative Tools folder does not appear in the All Programs menu, you will need to enable its display. Right-click the taskbar, and select Properties to display the Taskbar And Start Menu Properties dialog box. Click the Start Menu tab, click the Start Menu option, and then click Customize. In the Customize Start Menu dialog box, click the Advanced tab. In the Start Menu Items list under the System Administrative Tools node, select either Display On The All Programs Menu or Display On The All Programs Menu And The Start Menu.
3. Log off of Server02.
4. On Server01, create a GPO linked to the East OU. Name the GPO East OU Applications.
5. Create a console for the East OU Applications GPO. Name the console East OU Applications GPO.
6. In the East OU Applications GPO console, right-click the East OU Applications GPO and choose Properties. Click the Security tab, and add the Marketing group to the list of groups.
7. Ensure that the East OU Applications GPO applies to the Marketing group by setting the group’s Apply Group Policy permission to Allow.
8. Deselect the Apply Group Policy permission (currently set to Allow) for the Authenticated Users group. Do not set this permission to Deny.
9. Close the properties dialog box.
10. In the User Configuration node, Software Settings, right-click the Software Installation node, click New, and then click Package.
11. In the Open dialog box, in the File Name list, type the UNC path (\\Server01\SDP) to the SDP for the Windows Installer packages (.msi files), and press ENTER. Select the Adminpak.msi file, and then click Open.
12. When you’re asked to select a deployment method, indicate that you want to publish the Adminpak.msi package to users.
13. Right-click the Software Installations extension node, and select Properties. Click the Categories tab, click Add and type Tools and Utilities in the Enter New Category dialog box. Click OK to close the Software Installation Properties dialog box.
14. In the details pane of the console, right-click the package you just created and click Properties. Click the Categories tab. Select Tools And Utilities, and click Select. Click OK.
15. Close and save the East OU Applications GPO console.
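Exercises 2 and 4 both scope a software GPO by granting Apply Group Policy to Marketing and clearing it, without a Deny, for Authenticated Users. The following added example, which is not part of the original exercises, reports whether each GPO's security filter matches that intent. It assumes an administrative host with the GroupPolicy PowerShell module (installed with the Group Policy Management tools); the function name `Test-GpoSecurityFilter` is hypothetical.

```powershell
# Added example: compare a GPO's security filter with the intended recipients.
Import-Module GroupPolicy

function Test-GpoSecurityFilter {
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        [Parameter(Mandatory = $true)][string[]]$ExpectedTrustees
    )
    $findings = @()
    $perms = Get-GPPermission -Name $GpoName -All

    # Trustees allowed Read plus Apply Group Policy, i.e. those who receive the software.
    $appliers = @($perms |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name })

    foreach ($name in $ExpectedTrustees) {
        if ($appliers -notcontains $name) {
            $findings += "Missing Apply Group Policy: $name"
        }
    }
    foreach ($name in $appliers) {
        if ($ExpectedTrustees -notcontains $name) {
            $findings += "Unexpected Apply Group Policy: $name"
        }
    }
    # The exercises clear the Allow box rather than setting Deny, so any Deny entry is reported.
    foreach ($p in @($perms | Where-Object { $_.Denied })) {
        $findings += "Deny entry present: $($p.Trustee.Name) ($($p.Permission))"
    }
    $findings
}

# GPO and group names come from the exercises; no output means the filter matches.
foreach ($gpo in 'West OU Applications', 'East OU Applications') {
    Test-GpoSecurityFilter -GpoName $gpo -ExpectedTrustees 'Marketing' |
        ForEach-Object { "${gpo}: $_" }
}
```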
Exercise 6: Testing Software Deployment
In this exercise, you test the deployment of the Windows Server 2003 Administration Tools Pack that you published to users.
To test software deployment:
1. Log on to Server02 as Pat Coleman.
2. Click Start, and then click Control Panel. In Control Panel, double-click the Add Or Remove Programs icon.
3. In the Add Or Remove Programs window, click the Add New Programs button on the left.
4. In the window provided by Add New Programs, shown in Figure 12, note that the Windows Server 2003 Administration Tools Pack is available for you to add to your network. Also note that from the Category list, you can select Tools And Utilities.
5. Log off Server02.