| |
Automatic software deployment using GPOs |
|
| |
By Erik
Rozman
|
|
| |
Windows 2000 and Active Directory (actually the
feature called Group Policy Object) provide us with an easy way to install
software automatically. The whole process can be divided into three stages:
1. Preparation.
2. Deployment.
3. Removal/Upgrade.
Preparation
Perquisites
Before you can start throwing software at
your users and computers until they beg you to stop you have to prepare the
environment and the software for such a bombardment.
First of all you
have to check the perquisites for automatic software deployment:
- Active Directory
- Windows 2000 clients
- Disk space on the client
|
|
| |
Distribution Point
The next step
is the positioning of your software, your users will be copying the
software files to their computers so you have to create a share (Read
permission for the users that will be installing the software) on the
server from which you will be providing the software - this is the distribution
point.
It is recommend creating a folder that will include all the
software packages divided into folders for each package. The share should be a
hidden one.
MSI MST ZAP
Windows 2000 employs a
service called Windows Installer on its clients this is the service that
actually does the work here but this service needs instructions.
The
instructions are provided to the service by an MSI file, most new
applications come with an MSI file that allows the smooth automatic
installation and manual installation of software yet the question arises how
can we build or actually create an MSI file based on an existing
application-one that we already own.
|
|
| |
Creating MSI and ZAP files
The answer comes in the form of Veritas Wininstall LE provided on
the Windows 2000 server CD(\vlaueadd\3rdparty\mgmt\winstle). This application
has two components one for creating MSI packages based on Template computers
and the second that you may use to edit and view MSI files.
Another way
to deploy a non MSI application is to create a ZAP file that is actually very
similar to an INI file-a script that tells you what to do. The downside of ZAP
files is that it can only be published and not assigned.
MST(Transform
files) provide the windows installer service with specific information on how
to deploy the software-if I need a specific piece of the software deployed I
will use and MST file to instruct the service to do that.
Deployement
Group Policy Object
The deployment stage begins when you create a Group Policy
Object for the purpose of the software deployment or you edit an already
created Group Policy Object.
Editing the Group Policy Object
Each Group Policy Object is divided into two distinct
parts-Computer and User configuration-each part can be used to deploy software
differently. When you open the Group Policy Object editor you choose which part
to edit and use. |
|
| |
 |
|
| |
Setting Defaults
Before you begin creating the specific deployment configurations it is
important to note that you can create defaults for each package added to this
Group Policy Object by right clicking on either Software Installation boxes and
choosing Proprieties. I clicked on the box under User Configuration :
The General Tab
|
|
| |
 |
|
| |
Publishing Software
When you choose the publish software option you tell the computer to
publish a piece of software to the network users and allow them to install it
by using the Add/Remove documents applet. After you link the Group Policy
Object to a container of your choice your user will be able to choose the
application and install it. The only difference between the computer
configuration and user configuration concerns Publishing-you can not publish
software for a computer-it can not choose to install a specific software
package.
Assigning Software
When you assign a software
package to a user the software itself is "installed"(the software isn't
installed fully-shortcuts and registry entries are installed-when the user
double clicks the applications the files are copied to the computer) on the
computer as soon as the user logs on(the user has no saying). Assigning a
software package to the user allows the user to move from computer to computer
and have his software follow him around.
You can assign software to a
Computer-when the computer account logs on the Software Deployment portion of
the Group Policy Object kicks in and installs the icons and registry entries
for the application. When you activate the application it is fully installed on
the computer.
Note that assigning applications to a Domain Controller
will not work.
Advanced publishing or assigning
If you
need to add MST files to the package then you should use this option if you
won't you will not be able to add Transform files(simple as that).
The File Extensions Tab |
|
| |
 |
|
| |
When you publish software on to the
Active Directory the software registers the extensions it is responsible for.
When an active directory user opens a file with a locally unknown extension the
Active Directory searches its own database and if it finds a match it installs
the application that matched on the users computer.
On this tab you can
actually configure the application precedence, meaning that if you have more
then one application registered for the same extension the precedence will
decide which application to use in this
The
Categories tab |
|
| |
 |
|
| |
When publishing software you can categorize it
and the user will be able to view the applications available on the Active
Directory by category and then choose the application that he needs.
The categories you create here will be available both on computer
configuration and user configuration software deployment for all Group Policy
Objects created even if the original Group Policy Object on which you created
the categories is erased.
Deploying
If you have
set up everything correctly you can configure a specific package for
deployment: Right click the box for the user and choose New-Package. Choose the
MSI file you want to use.
Depending on you defaults you are able either
to assign, publish(only for users) or use the advanced option. At this stage
you can choose the specific package and edit it's own proprieties, the package
proprieties extends your control options over the whole process: |
|
| |
 |
|
| |
Upgrades
Tab
 |
|
| |
Categories
Tab
Modifications Tab
The modification tab
allows you to add MST files to the package.
Security Tab
Last but not least the security tab allows you a finer degree of
control over who has permissions for each and every application package
deployed by the same Group Policy Object.
This control allows you to
create one Group Policy Object for you software deployment needs and by using
the security tab you can control access to the packages.
Results
This is the result on the client computer:
The result for
assigning would be different-the software would be installed on the
computer(shortcuts and file associations) and the user doesn't have to concern
himself at all with choosing his applications.
Software Removal
When you are finished with the
package and you need to remove it you are given two choices:
 |
|
| |
Redeployment
Re-deploying installs the software again even if the software was
already installed through the same Group Policy Object earlier. You may need to
re-deploy a software package if the first deployment went wrong in any of its
stage. |
|
| |
|
|
| |
By Erik
RozmanMCT, MCSE, MCSA, MCP+I, CCNA, CNA
©2001-2002 MCSE Magazine - All Rights Reserved Terms of Use |
|
Consulting Articles 
