MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY

Chapter 5

Upload: lambert-hawkins

Post on 30-Dec-2015




OVERVIEW

Understand how to distribute software by using Group Policy

Describe how to maintain software distributed with Group Policy

Troubleshoot software deployed by using Group Policy

Explain how to restrict the use of particular applications by using Group Policy


MANAGING SOFTWARE DEPLOYMENT BY USING GROUP POLICY

Distribution, installation, and management of software are onerous tasks in large environments.

Microsoft IntelliMirror provides a mechanism to distribute software quickly and easily to large groups of computers.

Applications can also be updated, maintained, or removed without the intervention of support personnel.


UNDERSTANDING SOFTWARE DEPLOYMENT WITH GROUP POLICY

The Software Installation And Maintenance feature of IntelliMirror works in conjunction with Group Policy.

Using Group Policy, software can be added and removed from computer systems as required.

Client computers must be running Microsoft Windows 2000 Professional or later.


SOFTWARE INSTALLATION EXTENSION

Assigned applications:

Are installed automatically on the computer that the user is using

Cannot be removed by the user after they are installed

Published applications:

Are available to the user for installation

Can be removed by the user if necessary


SOFTWARE DEPLOYMENT APPROACHES

Condition: After deployment, the software is available for installation:
  Publish (User Only): The next time a user logs on.
  Assign (User): The next time a user logs on.
  Assign (Computer): The next time the computer starts.

Condition: Typically, the user installs the software from:
  Publish (User Only): Add Or Remove Programs in Control Panel.
  Assign (User): Start menu or desktop shortcut.
  Assign (Computer): The software is already installed.

Condition: If the software is not installed and the user opens an associated file, does the software install?
  Publish (User Only): Yes (if Auto-Install is enabled).
  Assign (User): Yes.
  Assign (Computer): Does not apply.

Condition: Can the user remove the software by using Add Or Remove Programs?
  Publish (User Only): Yes.
  Assign (User): Yes.
  Assign (Computer): No.

Condition: Supported installation files:
  Publish (User Only): .msi, .zap
  Assign (User): .msi
  Assign (Computer): .msi


SOFTWARE DEPLOYMENT PROCESSES

Software deployment process for published applications

Software deployment process for applications assigned to users

Software deployment process for automatically installed applications


SOFTWARE DEPLOYMENT THROUGH SYSTEMS MANAGEMENT SERVER

Provides desktop management and software distribution features that significantly automate the task of upgrading software on client computers

Allows you to control and synchronize software deployments over multiple sites

Supports pre–Windows 2000 operating systems for software distribution

Enables software licensing and metering


DISTRIBUTING SOFTWARE BY USING GROUP POLICY

1. Plan and prepare the software deployment.

2. Set up a software distribution point (SDP).

3. Create a Group Policy Object (GPO) and a GPO console for software deployment.

4. Specify the software deployment properties for the GPO.

5. Add Microsoft Windows Installer packages to the GPO, and select a package deployment method.

6. Set Windows Installer package properties.


PLANNING AND PREPARING A SOFTWARE DEPLOYMENT

Review your organization’s software requirements.

Determine how you want to deploy your applications.

Create a pilot to test how you want to assign or publish software.

Prepare your software using a format that allows you to manage it based on what your organization requires, and test all packages.

Gather the Windows Installer packages (.msi files) for the software. Perform any necessary modifications to the packages.


SETTING UP AN SDP

1. Create the folders for the software on the file server that will be the SDP, and make the folders network shares.

2. Copy the software, packages, modifications, necessary files, and components to a folder on the SDP.

3. Set the appropriate permissions on the folders hosting the SDP.

4. Use Group Policy to manage the software within the appropriate GPO.


SPECIFYING SOFTWARE DEPLOYMENT PROPERTIES FOR THE GPO


ADDING WINDOWS INSTALLER PACKAGES TO THE GPO AND SELECTING THE PACKAGE DEPLOYMENT METHOD

Specify the software applications you want to deploy by adding Windows Installer packages to the appropriate node of the GPO.

Modifications must be associated with the Windows Installer package at deployment time.

Transforms and patch files are applied to the Windows Installer package in the order you specify.


SETTING WINDOWS INSTALLER PACKAGE PROPERTIES


SOFTWARE DEPLOYMENT BEST PRACTICES

Assign or publish just once per GPO.

Assign or publish close to the root in the Active Directory hierarchy.

Make sure Windows Installer packages include modifications.

Specify application categories for your organization.

Take advantage of authoring tools.

Repackage existing software.

Know when to use Group Policy Software Installation and SMS.


MAINTAINING SOFTWARE DEPLOYED WITH GROUP POLICY

Software deployed with Group Policy can subsequently be

Redeployed

Upgraded

Removed


REDEPLOYING APPLICATIONS DEPLOYED WITH GROUP POLICY

Redeployment can be necessary if the following conditions exist:

Service packs or patches must be applied.

Features must be enabled or disabled.

Configurations must be updated.


UPGRADING APPLICATIONS DEPLOYED WITH GROUP POLICY

Two basic steps are required to upgrade a previously deployed application:

Create a Windows Installer package that contains the upgrade.

Configure the upgrade in the Upgrades tab in the Properties dialog box for the package.


REMOVING APPLICATIONS DEPLOYED WITH GROUP POLICY

1. Choose the software removal method you want to implement.

2. Allow the software removal to be processed.

3. Delete the GPO.


TROUBLESHOOTING SOFTWARE DEPLOYED BY GROUP POLICY

Troubleshooting can be complex.

It requires an understanding of the tools available and how to use them.

It can often require that you use more than one tool.


TOOLS TO TROUBLESHOOT GROUP POLICY

Resultant Set Of Policy Wizard

Gpresult

Gpupdate

Event Viewer

Log files


ADVANCED DIAGNOSTIC INFORMATION

This information is available only if verbose logging is enabled.

Information is provided in the Advanced Deployment Options dialog box.

Data provided includes Product Code, Deployment Count, and Script Name.


SOFTWARE DEPLOYMENT TROUBLESHOOTING SCENARIOS

Instructor-led discussion


SOFTWARE RESTRICTION POLICIES

Software restriction policies are security settings in a GPO provided to identify software and control its ability to run on a local computer, site, domain, or organizational unit (OU).

Software restriction policies protect your computer environment from unknown code by enabling you to identify and specify the applications allowed to run.


UNDERSTANDING SOFTWARE RESTRICTION POLICIES

Software restriction policies allow you to do the following:

Control the ability of programs to run on a system

Permit users to run only specific files on multiuser computers

Decide who can add trusted publishers to your computer

Control who is affected by software restriction policies

Prevent files from running on your local computer, OU, site, or domain


DEFAULT SECURITY LEVELS

Software restriction policies run on one of two default security levels:

Unrestricted—Allows software to run with the full rights of the user who is logged on to the computer

Disallowed—Does not allow the software to run, regardless of the access rights of the user who is logged on to the computer


HOW SOFTWARE RESTRICTION POLICIES WORK

In software restriction policies, software can be identified by

Hash

Certificate

Path

Internet zone


RULES

Software restriction policies identify and control the running of software by using rules.

There are four types of rules:

Hash rule

Certificate rule

Path rule

Internet zone rule


RULE PRECEDENCE

Rules are applied in the following order of precedence, from highest to lowest:

1. Hash rule

2. Certificate rule

3. Path rule

4. Internet zone rule
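
Added example (not part of the original slides): a simplified Python model of how the precedence order above and the default security level combine to decide whether a program runs. The names Rule, Program and evaluate are hypothetical; the use of SHA-256 for hash rules, the longest-path preference among path rules and the Disallowed tie-break are assumptions of this model that go beyond what the slides state.

```python
import hashlib
from dataclasses import dataclass

# Precedence order from the slide above: 1 is highest.
PRECEDENCE = {"hash": 1, "certificate": 2, "path": 3, "zone": 4}

@dataclass(frozen=True)
class Rule:
    kind: str    # "hash", "certificate", "path" or "zone"
    value: str   # digest, signer name, path, or zone name
    level: str   # "Unrestricted" or "Disallowed"

@dataclass(frozen=True)
class Program:
    path: str
    content: bytes
    signer: str = ""   # publisher on the signing certificate, if any
    zone: str = ""     # Internet zone the file came from, if any

def _matches(rule, prog):
    if rule.kind == "hash":  # SHA-256 is this model's choice of digest
        return hashlib.sha256(prog.content).hexdigest() == rule.value
    if rule.kind == "certificate":
        return bool(prog.signer) and prog.signer == rule.value
    if rule.kind == "path":  # the file itself or anything under the folder
        p, v = prog.path.lower(), rule.value.lower().rstrip("\\")
        return p == v or p.startswith(v + "\\")
    return rule.kind == "zone" and bool(prog.zone) and prog.zone == rule.value

def evaluate(prog, rules, default_level):
    """Return (level, deciding_rule); deciding_rule is None if the default applies."""
    hits = [r for r in rules if _matches(r, prog)]
    if not hits:
        return default_level, None
    # Highest-precedence rule type first; among path rules the longest
    # (most specific) path; on a remaining tie "Disallowed" sorts first.
    # The last two tie-breaks are assumptions of this model.
    hits.sort(key=lambda r: (PRECEDENCE[r.kind], -len(r.value), r.level))
    return hits[0].level, hits[0]

# Constructed sample policy: default Disallowed plus three rules.
TOOL = b"constructed sample bytes for an unwanted tool"
RULES = [
    Rule("path", r"C:\Program Files", "Unrestricted"),
    Rule("path", r"C:\Program Files\Games", "Disallowed"),
    Rule("hash", hashlib.sha256(TOOL).hexdigest(), "Disallowed"),
]
```

Calling evaluate(Program(path, content), RULES, "Disallowed") shows that a hash rule still blocks a file copied into a folder that a path rule allows, which is why hash rules sit at the top of the order.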


IMPLEMENTING SOFTWARE RESTRICTION POLICIES

Set the default security level.

Create rules.

Designate file types.


BEST PRACTICES FOR SOFTWARE RESTRICTION POLICIES

Create a separate GPO for software restriction policies so that you can disable them in an emergency without affecting the rest of your security settings.

Test a software restriction policy before applying it to other computers.

If you must edit a software restriction policy, first disable it.

If you experience problems with applied policies, reboot in Safe mode.

Use software restriction policies in conjunction with access control settings.

Use caution when defining a default setting of Disallowed.


SOFTWARE RESTRICTION POLICY TROUBLESHOOTING

The complexity of software restriction policies can necessitate frequent troubleshooting.

In some cases, correct operation can appear to be a problem when it is not.

Environments that use a disallowed default policy are inherently more difficult to troubleshoot.


SUMMARY

The Software Installation extension in the Group Policy Object Editor console enables administrators to manage the deployment of software from a central location.

When you assign an application to a user, the application is advertised to the user on the Start menu the next time the user logs on to a workstation.

When you publish an application to users, the application does not appear installed on the users’ computers; however, users can install it.

Modifications enable you to customize Windows Installer packages. Modifications can be transform (.mst) or patch (.msp) files.


SUMMARY (CONTINUED)

You can redeploy an application previously deployed with Group Policy if there are small changes that must be made to the original configuration.

To upgrade software deployed with Group Policy, create a Windows Installer package that contains the upgrade and then configure the upgrade in the Upgrades tab in the Properties dialog box for the package.

Windows Server 2003 provides a range of tools to assist you in verifying and diagnosing problems related to deploying software with Group Policy.

Software restriction policies are security settings in a GPO provided to identify software and control its ability to run on a local computer, site, domain, or OU.