This is a common requirement where IT administrators need to deploy important software via Group Policy. Why?
The benefits of doing such are numerous, but the main reasons to want to install software via group policy are:
Clients cannot interact with the software installation, so support of such is standardised;
Quick and easy method to deploy instead of manually going around installing software;
Software can be kept up-to-date and new patches pushed out centrally. The last thing IT Administrators want is software like Adobe PDF viewer installed on one machine and then another version on another a bit later and they are using different patched versions - as one will always be older than the other!
Auditing - easy to see how many PCs are affected by the policy to which you've chosen to install the software.
Large enterprises would used specific software to assist with large-scale rollouts of corporate software (such as Microsoft SMS). But, if you are in such an enterprise, you are unlikely to be reading this!
So, follow this guide to learn of the basics of Group Policy software deployment. It's really very easy as long as you follow a few simple rules. Of course, it's all documented in Guru Guy's guide!
Pre-requisites:
Create a Domain Security Group of the desired Computers which will be instructed to install your desired software e.g. "Office 2003 Computers". This is purely optional as a way of filtering PCs out from every machine in an organisational unit. If you intend to deploy software based on a user, create a Domain Security Group of the desired Users! e.g. "Office 2003 Users". If you don't assign a group to which computers will be selected, all computers in the OU you apply this group policy to will be told to install the software. Depending on the software and the licensing will depend on whether you want this!
Create an Organisational Unit in Active Directory for all of the machines (computers/laptops) to which desired users can install the software on. E.g. “Test OU” (You can use an existing OU but see the note below! Guru Guy recommends creating a test OU for small deployement, specifically where modification of user rights is concerned!)
Place a test PC or 2 into this OU so that only a couple of computers are affected (once complete and tested, move the rest into this or apply the policy to your existing OU - again, see note below)
Install the Group Policy Management Tool (GPMT) to allow advanced modification and creation of domain Group Policies.
A Network share in which to place the software installation folder in e.g. "\\SERVER\SOFTWARE" (set the share permissions tab to "Everyone" read access - we will secure further via NTFS Security permissions). This can be on any server in your domain, but it must have appropriate permissions for your domain computers to access. Since this lowers security, Guru Guy recommends making a dedicated share just for Group Policy Software Deployment.
At a minimum the following security permissions you need are:
"Authenticated Users" - this allows both machine installation and user-based installation; give them read access at minimum.
OR:
"Domain Computers" - this allows all computers which are members of your domain access, "Domain Users" will allow all domain users read access.
Never modify the default domain policy. Always create organisational units and never include domain admins and server computers in these units. For these instructions we have created an Organisation Unit (OU) called “test”.
Software Installation Pre-Requistes
Depending on the software you have chosen to install will depend on what you need to do to deploy it. Since there are many types of software, Guru Guy will explain what's needed to be done so you can always tailor the instructions to your specific software.
The first thing you need to do is ensure you extract the EXE file or ZIP files of the software. Group Policy DOES NOT work with anything but MSI files. So don't try to deploy it!
Once you've got the MSI file, you've got to make sure you have an "Administrative Install Point" out of it. This is basically re-packaging the software and decompressing it further. For Instance, Microsoft Office 2003 Professional has an installation folder with setup.exe and PRO11.msi. You still can't use PRO11.msi yet... it needs to be administratively installed
To create an administrative installation, the most common method is to invoke the MSIEXEC installer in Administrative mode. Do this running:
msiexec /a [SOFTWARE.MSI]
When you do this you usually encounter a wizard that looks identical to the normal software setup, except somewhere it should acknowledge you are creating an administrative install point. In the case of Microsoft Office 2003, enter information such as your company, name and product key. This means that users don't need to nor are able to enter registration information and can have this installed for them over Group Policy.
Choose a destination folder for your extraction of the administration point. Guru Guy recommends placing this striaght to the network location in which Group Policy will be told to obtain the software from e.g. \\SERVERNAME\Software\Office2003
Optionally patch the administrative install point. Both Office 2003 and Adobe PDF Maker, for example, allow you to run patches on their software install points which is much better since it means clients have the latest software installed without the need to patch and upgrade the moment it is installed. (Integrated/Slipstreamed Patches often also mean faster software). Patch methods vary but most are:
msiexec.exe /a [location of administrative installation]\setup.msi /p [location of patch]\.msp
Step-by-Step instructions
Assuming you’ve followed both sets of pre-requisites above, continue below for deployment:
Open up the Group Policy Management Tool
Navigate to your TEST OU that should be located our underneath the domain policy.
Create and Link a new Group Policy Object (GPO) to the Organisation Unit and call it “Software Install” or something which means something to you. This GPO will apply to all users/machines of the PCs/Laptops in that Organisation Unit. If you wish to be selective on which machines get the software installed via the GPO, use the Domain Security Group to filter the installation, discussed later.
Now decide if you are installing software based on User or Machine. Most software installs via machine policy and often only installs that way. However, if you have users occupying multiple machines, then a User-Based policy is best. In either case, don't deploy them through both methods! They are likely to break the install or cause problems!
In the New GPO, navigate to either:
Computer Configuration\Software\Software Installation or
User Configuration\Software\Software Installation
Right Click over Software Installation and Click: NEW-> PACKAGE
In the Browse Window, navigate to the location of the administrative Software MSI package. Be sure to specify valid UNC network paths! E.g. \\SERVER\Software\Office2003\Pro11.msi
Select this as “Assigned” deployment and Save & OK out of dialogue.
If you select "Published" as a deployment method, users will be able to optionally install the product on workstations using the Add/Remove Programs utility from the Control Panel.
You can select "Advanced" if you need to make advanced customisations (such as asking the installer to ignore the language of the PC, offering a Modifications (MST) file (such as office 2003) in the Modifications tab. Either way, once done, you should now see below:
Nearly there! Lastly in this GPO we need to allow the software install to be "escalated", which means it can install even if the user does not have administrative rights, which in most cases they don't nor should not! So, navigate to:
Computer Configuration (or User Configuration)\Administrative Templates\Windows Components\Windows Installer
Make the value "Always install with elevated priveledges" to "Enabled".
Close the GPO and view the “scope” tab of the policy in the Group Policy Management Pane. Under Security Filtering add either “Office 2003 Computers” (if you used computer configuration method) or “Office 2003 Users” if you are deploying via user configuration.
For ease, you could just leave it as "Authenticated Users", but the problem is every machine/user in that Organisation Unit will have the software installed!!!
Once computers/users have been assigned to the security groups, and a machine is moved from Active Directory “Computers” into your new Organisation Unit, log into a machine to test the policy.
Type in the Start->Run “gpupdate /force” on a test workstation. This will refresh the group policy.
Reboot the computer, login, and to see if at Windows Startup it says "Installing managed software.... Office 2003"
Congratulations, you've just deployed your software automatically, without the need to login as an administrator or any manual intervention! Wow Microsoft's Group Policy rocks!
*Please note, the steps above are slightly different for deployment of Office 2007. Office 2007 can only be deployed via Computer Policy and does not use the "Always install with elevated priveledges command". It also does not get patched in the same way and only installs on the first login to the computer, not at startup.
**If your software requires installation of a Printer Driver, read Guru Guy's guide to "Install Local Printer Drivers without admin rights via Group Policy" as you may need to implement this to enable functioning of your installed software if the user does not have administrator rights.
The benefits of doing such are numerous, but the main reasons to want to install software via group policy are:
Clients cannot interact with the software installation, so support of such is standardised;
Quick and easy method to deploy instead of manually going around installing software;
Software can be kept up-to-date and new patches pushed out centrally. The last thing IT Administrators want is software like Adobe PDF viewer installed on one machine and then another version on another a bit later and they are using different patched versions - as one will always be older than the other!
Auditing - easy to see how many PCs are affected by the policy to which you've chosen to install the software.
Large enterprises would used specific software to assist with large-scale rollouts of corporate software (such as Microsoft SMS). But, if you are in such an enterprise, you are unlikely to be reading this!
So, follow this guide to learn of the basics of Group Policy software deployment. It's really very easy as long as you follow a few simple rules. Of course, it's all documented in Guru Guy's guide!
Pre-requisites:
Create a Domain Security Group of the desired Computers which will be instructed to install your desired software e.g. "Office 2003 Computers". This is purely optional as a way of filtering PCs out from every machine in an organisational unit. If you intend to deploy software based on a user, create a Domain Security Group of the desired Users! e.g. "Office 2003 Users". If you don't assign a group to which computers will be selected, all computers in the OU you apply this group policy to will be told to install the software. Depending on the software and the licensing will depend on whether you want this!
Create an Organisational Unit in Active Directory for all of the machines (computers/laptops) to which desired users can install the software on. E.g. “Test OU” (You can use an existing OU but see the note below! Guru Guy recommends creating a test OU for small deployement, specifically where modification of user rights is concerned!)
Place a test PC or 2 into this OU so that only a couple of computers are affected (once complete and tested, move the rest into this or apply the policy to your existing OU - again, see note below)
Install the Group Policy Management Tool (GPMT) to allow advanced modification and creation of domain Group Policies.
A Network share in which to place the software installation folder in e.g. "\\SERVER\SOFTWARE" (set the share permissions tab to "Everyone" read access - we will secure further via NTFS Security permissions). This can be on any server in your domain, but it must have appropriate permissions for your domain computers to access. Since this lowers security, Guru Guy recommends making a dedicated share just for Group Policy Software Deployment.
At a minimum the following security permissions you need are:
"Authenticated Users" - this allows both machine installation and user-based installation; give them read access at minimum.
OR:
"Domain Computers" - this allows all computers which are members of your domain access, "Domain Users" will allow all domain users read access.
Never modify the default domain policy. Always create organisational units and never include domain admins and server computers in these units. For these instructions we have created an Organisation Unit (OU) called “test”.
Software Installation Pre-Requistes
Depending on the software you have chosen to install will depend on what you need to do to deploy it. Since there are many types of software, Guru Guy will explain what's needed to be done so you can always tailor the instructions to your specific software.
The first thing you need to do is ensure you extract the EXE file or ZIP files of the software. Group Policy DOES NOT work with anything but MSI files. So don't try to deploy it!
Once you've got the MSI file, you've got to make sure you have an "Administrative Install Point" out of it. This is basically re-packaging the software and decompressing it further. For Instance, Microsoft Office 2003 Professional has an installation folder with setup.exe and PRO11.msi. You still can't use PRO11.msi yet... it needs to be administratively installed
To create an administrative installation, the most common method is to invoke the MSIEXEC installer in Administrative mode. Do this running:
msiexec /a [SOFTWARE.MSI]
When you do this you usually encounter a wizard that looks identical to the normal software setup, except somewhere it should acknowledge you are creating an administrative install point. In the case of Microsoft Office 2003, enter information such as your company, name and product key. This means that users don't need to nor are able to enter registration information and can have this installed for them over Group Policy.
Choose a destination folder for your extraction of the administration point. Guru Guy recommends placing this striaght to the network location in which Group Policy will be told to obtain the software from e.g. \\SERVERNAME\Software\Office2003
Optionally patch the administrative install point. Both Office 2003 and Adobe PDF Maker, for example, allow you to run patches on their software install points which is much better since it means clients have the latest software installed without the need to patch and upgrade the moment it is installed. (Integrated/Slipstreamed Patches often also mean faster software). Patch methods vary but most are:
msiexec.exe /a [location of administrative installation]\setup.msi /p [location of patch]\
Step-by-Step instructions
Assuming you’ve followed both sets of pre-requisites above, continue below for deployment:
Open up the Group Policy Management Tool
Navigate to your TEST OU that should be located our underneath the domain policy.
Create and Link a new Group Policy Object (GPO) to the Organisation Unit and call it “Software Install” or something which means something to you. This GPO will apply to all users/machines of the PCs/Laptops in that Organisation Unit. If you wish to be selective on which machines get the software installed via the GPO, use the Domain Security Group to filter the installation, discussed later.
Now decide if you are installing software based on User or Machine. Most software installs via machine policy and often only installs that way. However, if you have users occupying multiple machines, then a User-Based policy is best. In either case, don't deploy them through both methods! They are likely to break the install or cause problems!
In the New GPO, navigate to either:
Computer Configuration\Software\Software Installation or
User Configuration\Software\Software Installation
Right Click over Software Installation and Click: NEW-> PACKAGE
In the Browse Window, navigate to the location of the administrative Software MSI package. Be sure to specify valid UNC network paths! E.g. \\SERVER\Software\Office2003\Pro11.msi
Select this as “Assigned” deployment and Save & OK out of dialogue.
If you select "Published" as a deployment method, users will be able to optionally install the product on workstations using the Add/Remove Programs utility from the Control Panel.
You can select "Advanced" if you need to make advanced customisations (such as asking the installer to ignore the language of the PC, offering a Modifications (MST) file (such as office 2003) in the Modifications tab. Either way, once done, you should now see below:
Nearly there! Lastly in this GPO we need to allow the software install to be "escalated", which means it can install even if the user does not have administrative rights, which in most cases they don't nor should not! So, navigate to:
Computer Configuration (or User Configuration)\Administrative Templates\Windows Components\Windows Installer
Make the value "Always install with elevated priveledges" to "Enabled".
Close the GPO and view the “scope” tab of the policy in the Group Policy Management Pane. Under Security Filtering add either “Office 2003 Computers” (if you used computer configuration method) or “Office 2003 Users” if you are deploying via user configuration.
For ease, you could just leave it as "Authenticated Users", but the problem is every machine/user in that Organisation Unit will have the software installed!!!
Once computers/users have been assigned to the security groups, and a machine is moved from Active Directory “Computers” into your new Organisation Unit, log into a machine to test the policy.
Type in the Start->Run “gpupdate /force” on a test workstation. This will refresh the group policy.
Reboot the computer, login, and to see if at Windows Startup it says "Installing managed software.... Office 2003"
Congratulations, you've just deployed your software automatically, without the need to login as an administrator or any manual intervention! Wow Microsoft's Group Policy rocks!
*Please note, the steps above are slightly different for deployment of Office 2007. Office 2007 can only be deployed via Computer Policy and does not use the "Always install with elevated priveledges command". It also does not get patched in the same way and only installs on the first login to the computer, not at startup.
**If your software requires installation of a Printer Driver, read Guru Guy's guide to "Install Local Printer Drivers without admin rights via Group Policy" as you may need to implement this to enable functioning of your installed software if the user does not have administrator rights.
Post a Comment