Using Windows Server 2008 or Windows Server 2003 Group Policy management tools, administrators can easily and inexpensively deploy the Outlook client to desktops throughout their organization by minimizing the tasks that require manual intervention.
Group policies can provide extremely powerful administration and management options when deploying the Outlook client. Use the information provided in this section to set up and deploy the Outlook.MSI package.
Deploying Outlook with Group Policy Overview
Using Group Policy to deploy the Outlook client is one of the most effective and flexible options administrators can leverage.
However, before creating deployment packages, administrators should understand the basic functionality of Group Policy in Windows Server 2003. Review the information and overview provided in the next sections before planning and setting up Windows Server 2003 Group Policy to support the Outlook client deployment.
Exchange Client Policy Options
When utilizing Group Policy functionality to deploy Outlook clients, Microsoft provides predefined administration templates (ADM) for managing Outlook on the domain.
This template enables administrators to centrally manage and configure many of the security functions and preferences normally required to be configured at each individual Outlook client. Using the security template, administrators can fully manage and configure the following areas defined by domain clients:
Outlook preferences— The preferences options available with the security template can be enabled in the same manner as using the Options tab available on the Tools menu of the Outlook desktop client. When defining preferences, administrators can control the standard look and feel of each component available with Outlook. Options include areas for enforcing items, such as spell check and email format, calendaring views, contacts options, and more.
Exchange settings— Configuration items, such as Outlook user profile configurations and auto archiving, can now be centrally configured.
Intranet and SharePoint Portal Server settings— In addition to the Outlook client settings, using the templates enables administrators to configure access to internal business information and SharePoint Portal Server resources through Outlook client folders.
Though the template enables you to configure many important options and preferences with the Outlook Exchange Server client, not all areas are available using the template.
Adding the Outlook Administrative Template
Because the additional administrative templates are not configured by default when Windows Server 2008 or Windows Server 2003 is installed, administrators must download or install the administrative Outlook template manually. For Outlook 2003, this file is called Outlk11.adm and is available in the ORK. For Office 2007, the Outlook template is named outlk12.adm and is available at the Microsoft download site. During installation, the .adm files are placed on the local drive of the systems on which they are installed.
To begin setting up the Outlook security template Outlk12.adm, start by installing the Group Policy Management Console (GPMC) on the domain controller on which the policy will be administered. GPMC is installed natively in Windows Server 2008 but needs to be downloaded in Windows Server 2003.
Next, download and install the Microsoft Administrative Template files on a system on which the template can be accessed from a domain controller for import into the Domain Group Policy.
Note
The Office 2007 Administrative Templates, the GPMC for Windows 2003, and the ORK can be downloaded from Microsoft at www.microsoft.com/downloads. In the Search field, simply type Office 2007 Administrative Templates, Office Resource Kit, or GPMC to find the latest revisions. The Administrative Templates are typically updated for each Office Service Pack release.
A file named AdminTemplates.exe will be downloaded and will expand into directories for the Administrative Template files (ADM, ADMX, and ADML) and for the updated Office Customization Tool (OCT). The Administrative Template files will be in the \ADM directory.
To import the Outlook security template Outlk12.adm into a new Group Policy Object using the GPMC, use the following steps:
Note
When importing the Outlk12.adm administration template, it is a best practice to import the template to a new Group Policy Object. This enables administrators to easily control the new group policy. Review the event logs on additional domain controllers or use the Replmon tool available with Windows 2003 support tools to ensure the replication of the domain policy to all domain controllers occurs correctly.
1. From a Windows Server 2008 domain controller in the domain where the policy will be applied, open the Server Manager console.
2. Expand the Features node to access the Group Policy Management Console. Expand the Forest node and then the Domains node.
3. Select the location in which the new Group Policy Object will be created in the OU tree, in this case the WS organizational unit in the domain companyabc.com.
4. Right-click the selected OU and select Create a GPO in This Domain, and Link It Here. Name the new GPO Outlook Group Policy Object and click OK to create it.
5. Select the new Outlook Group Policy Object into which Outlk12.adm will be imported, as shown in Figure 1.
6. Right-click the Outlook Group Policy Object and select Edit; this opens the Group Policy Object Editor window.
7. In the Group Policy Object Editor, right-click Administrative Templates under the User Configuration, Policies option and choose Add/Remove Templates, as shown in Figure 2.
8. From the Add/Remove Templates dialog box, click the Add button.
9. Navigate to the location in which Outlk12.adm was placed, as noted in step 2. Select the template to import, Outlk12.ADM, and click the Open button.
10. Ensure that the outlk12 template has been added to the Add/Remove Templates dialog box, and click Close to continue.
You should now see the Microsoft Office Outlook 2007 template under the Administrative Templates, Classic Administrative Templates (ADM) folder in the Group Policy Object Editor.
Administrative Options
Delegating the proper rights for administrators to manage and manipulate Group Policy when deploying Outlook clients is important. With the Delegation Wizard available in the Windows Group Policy snap-in, administrative rights can be assigned to Exchange Server administrators to manage and control the deployment of Outlook to the desktop without interfering with the day-to-day operations of the Windows systems. By using the Delegation Wizard to assign rights, administrators can grant permissions to individual accounts, groups, and Exchange server administrators.
Deployment Options
With Group Policy, the Outlook client can be deployed to the desktop using any of the following deployment methods:
Assigned to Computers— This method of installation creates an Outlook installation package that is applied to workstations when a user logs on to the desktop. Using this option, all users have access to the Exchange Server client software after it’s installed.
Assigned to Users— When the installation package is assigned to users, application shortcuts are placed on the desktop of the user’s profiles and in the Start menu of the individual user’s profile. When these shortcuts are selected, the application installation is launched and completed.
Publishing the Installation— When Outlook client software packages are published, the installation package is displayed in the Add/Remove Programs Group in the local desktop system Control Panel. Users can then initiate the installation by selecting the Install option.
With each method, Outlook administrators use the MSI installation file format to push the Outlook client’s software packages from a central location or from administrative installation points to the workstations or users on the network.
Pushing Outlook Client
The steps in this scenario enable administrators to push the Outlook client package to workstations on the domain.
To create Outlook client software Group Policy Objects (GPOs), complete the following steps:
1. From a Windows Server 2008 domain controller in the domain in which the policy will be applied, open the Server Manager console.
2. Expand the Features node to access the Group Policy Management Console. Expand the Forest node and then the Domains node.
3. Select the location in which the new Group Policy Object will be created in the OU tree, in this case the WS organizational unit in companyabc.com.
4. Right-click the selected OU, select Create a GPO in This Domain, and Link It Here. Name the new GPO Outlook Client Install Group Policy Object and click OK to create it.
5. Right-click the Outlook Client Install Group Policy Object and select Edit; this opens the Group Policy Object Editor window.
6. Select Computer Configuration, Policies, Software Settings, and then Software Installation.
7. Right-click Software Installation and select New, Package.
8. Navigate the Open dialog box to the network share where the Outlook.MSI was placed, and select the MSI package being applied. Select Open to continue.
Note
If prompted that the Group Policy Object Editor cannot verify the network location, ensure that the share containing the installation files has the permissions configured to allow user access. Select Yes to continue when confirmed.
9. At the Deploy Software dialog box, select Advanced and click OK to continue. Windows Server 2008 will verify the installation package; wait for the verification to complete before continuing to the next step. The Package Properties window opens.
10. On the Package Properties page, select the Deployment tab. Review the configuration, click Assign, and ensure that the Install this Package at Logon option is selected. Click OK when you are finished.
When the new package is ready to deploy, test the package install by moving a workstation into the WS organizational unit, logging on to the workstation, and verifying that the package has installed correctly using the steps listed in the next section. If problems exist, redeploy the package by selecting the software update; click Action, All Tasks, Redeploy Application to force the deployment.
The Group Policy Objects previously created can be expanded to the rest of the environment by linking the GPOs to other OUs. Alternatively, the GPO ACLs can be set to limit the application of the group policy, and the GPO can be linked at the domain level.
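The note in step 8 asks only that clients can read the installation share. Packages assigned through Computer Configuration are installed by Windows Installer under the Local System account, so the same share should not be writable by ordinary accounts. The following check is an added example, not part of the original text; the UNC path is a hypothetical placeholder and PowerShell 3.0 or later is assumed.

```powershell
# Added example: list NTFS ACEs that let a non-administrative principal alter
# packages in the distribution folder. $SharePath is a hypothetical path.
# Share-level permissions are separate from NTFS and are not inspected here.
param([string]$SharePath = '\\fileserver\OutlookDeploy')

# Bits that allow altering or replacing a package. Read/Execute bits are
# deliberately left out so that ordinary read access is not flagged.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# ACEs can also carry raw generic rights: GENERIC_WRITE and GENERIC_ALL
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

# Principals expected to hold write access: SYSTEM, BUILTIN\Administrators,
# Domain Admins (RID 512) and Enterprise Admins (RID 519).
function Test-TrustedSid([string]$Sid) {
    $Sid -eq 'S-1-5-18' -or $Sid -eq 'S-1-5-32-544' -or $Sid -match '^S-1-5-21-.+-(512|519)$'
}

function Get-RiskyAce([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if (Test-TrustedSid $sid) { continue }
        # Resolve the SID to a name for the report; keep the SID if lookup fails
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Path      = $Path
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the folder itself and every installer file beneath it
$packages = Get-ChildItem -Path $SharePath -Recurse -File |
    Where-Object { '.msi', '.mst', '.msp' -contains $_.Extension }
$targets = @($SharePath) + @($packages | ForEach-Object { $_.FullName })

$findings = @($targets | ForEach-Object { Get-RiskyAce $_ })
if ($findings.Count -eq 0) {
    Write-Output "No write-capable ACEs for non-administrative principals under $SharePath"
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any row in the output is an account or group that could replace the package before clients install it; reduce those entries to read and execute access.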
Verifying the Outlook Client Deployment
When using Group Policy, administrators cannot determine whether a software package was pushed successfully the way management software such as Microsoft System Center Configuration Manager (SCCM) can. Evidence of the success of a client installation using Group Policy can only be determined by reviewing the client desktop. Using the following two areas on the client desktop, administrators can determine whether a software installation was successful:
View the client application logs for MSI Installer events.
On the local machine, view Add/Remove Programs to see whether the Outlook update package is listed.
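Both checks can be scripted on the client. The following is an added example, not part of the original text: it reads MsiInstaller events from the Application log and the Uninstall registry keys that Add/Remove Programs displays. The name pattern and the look-back window are assumptions to adjust for your package.

```powershell
# Added example: run on the workstation being verified.
# $NamePattern is an assumption; set it to the product name the package registers.
param([string]$NamePattern = '*Outlook*', [int]$Days = 7)

# MsiInstaller event IDs used here:
#   11707 = installation completed successfully
#   11708 = installation failed
#   1033  = installation finished, message carries a status code (0 = success)
function Get-MsiInstallEvent {
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707, 11708, 1033
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like $NamePattern } |
        ForEach-Object {
            # Event 1033 ends with "... success or error status: <code>."
            $status = if ($_.Message -match 'status:\s*(\d+)') { [int]$Matches[1] } else { $null }
            $outcome = switch ($_.Id) {
                11707 { 'Success' }
                11708 { 'Failed' }
                1033  { if ($status -eq 0) { 'Success' } else { "Failed (status $status)" } }
            }
            [pscustomobject]@{ Time = $_.TimeCreated; EventId = $_.Id; Outcome = $outcome }
        }
}

# The Uninstall keys back the Add/Remove Programs list; the WOW6432Node path
# covers 32-bit products on 64-bit Windows.
function Get-InstalledProduct {
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

$events   = @(Get-MsiInstallEvent)
$products = @(Get-InstalledProduct)

$events   | Sort-Object Time | Format-Table -AutoSize
$products | Format-Table -AutoSize

if ($products.Count -eq 0) {
    Write-Warning "No installed product matches '$NamePattern' on $env:COMPUTERNAME"
}
```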
Updates and Patch Management with Group Policies
One other advantage to using Group Policy is the centralized deployment options available to distribute the Outlook client updates and patches to domain workstations. Using any one of the following options, including a combination of each, Exchange Server administrators can use Group Policy to deploy updates using Microsoft MSI installation packages or Windows Updates security templates to push updates to the Microsoft Outlook client. Using GPOs, installation of software updates can be deployed from the centralized administrative installation point to a predefined set of workstations or, in the case of a WAN, from any remote installation point or Windows Update site configured in the GPO settings.
Deployment Options When Updating Outlook Clients
Using Group Policy, the Outlook client can be upgraded and patched using one of the following deployment methods:
Assigned to Computers— This method of installation uses the Outlook Installation package on the workstation and is available when the workstation is restarted. Using this option, all users have access to the Exchange Server client software after it is installed.
Assigned to Users— When the installation package is assigned to users, application shortcuts are placed on the desktop of the user’s profile and on the Start menu. When these shortcuts are selected, the application installation will be completed.
Publishing the Installation— This option requires additional configuration at the desktop level to allow users the ability to install published packages on client systems. When a software package is published, the installation package is displayed in the Add/Remove Programs group in the local desktop system Control Panel. Users can then initiate the installation by selecting the update.
Using Windows Update Services— This might be the most common method of deploying software updates to client desktop systems on any enterprise. Using Windows Server Update Services technology and Group Policy, security updates, patches, and critical updates can be deployed for Microsoft Office platforms to the client workstation.
Each method enables Exchange Server administrators to deliver update packages to the Outlook client using a push or pull method. These updates can be configured for deployment from a central location or from an administrative installation point located on the network to allow for ease of download to the workstation anywhere in the enterprise.
Caution
When deploying updates with GPOs, do not assign the option to install updates to users and computers at the same time. Assigning both options can create conflicts as to how updates are installed and possibly corrupt the installation of the Outlook client.
Group Policy Best Practices
As with all aspects of Group Policy, the choices and configuration options available when deploying clients or updates are numerous. Regardless of which type of package is being pushed, some basic best practices apply and can help make the process easier and less troublesome:
When configuring clients to use update methods such as Windows Server Update Services, configure clients to use installation points that will allow clients to update systems from the local LAN rather than over WAN links.
Software packages pushed with GPOs must be in the format of an MSI package. Any format other than MSI cannot be pushed using Group Policy. Additional tools such as Macrovision’s AdminStudio can help administrators convert other update formats, such as .exe files, to customized MSI installation packages and preconfigure predefined installation choices.
Don’t modify the default Group Policy Objects: the Default Domain Policy and the Default Domain Controllers Policy. Instead, always create new Group Policy Objects. This helps organize the settings and makes it clear which GPOs contain which settings.
When configuring software pushes using GPOs, configure the GPO at the highest levels possible in the domain tree. If the push is going out to more than one group or OU, the software update should be configured to be pushed at the domain level. If the software update is being pushed to only a few groups or one OU, or if multiple update packages are being pushed, configure the push at the group or OU level.
Configure software pushes to the Computer Configuration settings rather than the User Configuration settings. This way, if users log on to multiple computer systems, updates are not applied more than once to the same system.
When pushing updates to multiple locations, use technologies such as administrative distribution points and distributed file system (DFS). This allows software updates to be installed from packages and sources close to the client being updated.
Pushing Client Updates
With the options available and a good understanding of the best practices for deploying software using GPOs, the next step is to configure a GPO to push an update directly to the Outlook client. The steps in this scenario enable administrators to push a small update package to the Outlook 2007 client workstations on the domain.
Begin by downloading an update to use for this exercise, ensuring that it is in MSI format. Some updates, such as Office 2007 Service Pack 2, download as EXE files and need to be extracted with the /extract:path option to expose the MSI packages. Also, create a share on the network folder where the update will be placed and deployed. To create an Outlook client software update GPO, follow these steps:
1. From a Windows Server 2008 domain controller in the domain in which the policy will be applied, open the Server Manager console.
2. Expand the Features node to access the Group Policy Management Console. Expand the Forest node and then the Domains node.
3. Select the location in which the new Group Policy Object will be created in the OU tree, in this case the WS organizational unit in companyabc.com.
4. Right-click the selected OU and select Create a GPO in This Domain, and Link It Here. Name the new GPO Outlook Client Update Group Policy Object and click OK to create it.
5. Right-click the Outlook Client Update Group Policy Object and select Edit; this opens the Group Policy Object Editor window.
6. Select Computer Configuration, Policies, Software Settings, and then Software Installation.
7. Right-click Software Settings and select New, Package.
8. Navigate the Open dialog box to the network share where the Office 2007 update was placed, and select the MSI package being applied. Select Open to continue.
Note
If prompted that the Group Policy Object Editor cannot verify the network location, ensure that the share containing the installation files has the permissions configured to enable user access. Select Yes to continue when confirmed.
9. At the Deploy Software dialog box, select Advanced and click OK to continue. Windows Server 2008 verifies the installation package; wait for the verification to complete before continuing to the next step. The Package Properties window will open.
10. On the Package Properties page, select the Deployment tab. Review the configuration, click Assign, and ensure that the Install this Package at Logon option is selected. Click OK when you finish.
When the new package is ready to deploy, test the package install by moving a workstation into the WS organizational unit, logging on to the workstation, and verifying that the package has installed correctly. If problems exist, redeploy the package by selecting the software update; click Action, All Tasks, Redeploy Application to force the deployment.
You can expand the Group Policy Objects previously created to the rest of the environment by linking the GPOs to other OUs. Alternatively, the GPO ACLs can be set to limit the application of the group policy, and the GPO can be linked at the domain level.