Chapter 5: MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY

OVERVIEW

- Understand how to distribute software by using Group Policy
- Describe how to maintain software distributed with Group Policy
- Troubleshoot software deployed by using Group Policy
- Explain how to restrict the use of particular applications by using Group Policy

MANAGING SOFTWARE DEPLOYMENT BY USING GROUP POLICY

- Distribution, installation, and management of software are onerous tasks in large environments.
- Microsoft IntelliMirror provides a mechanism to distribute software quickly and easily to large groups of computers.
- Applications can also be updated, maintained, or removed without the intervention of support personnel.

UNDERSTANDING SOFTWARE DEPLOYMENT WITH GROUP POLICY

- The Software Installation And Maintenance feature of IntelliMirror works in conjunction with Group Policy.
- Using Group Policy, software can be added and removed from computer systems as required.
- Client computers must be running Microsoft Windows 2000 Professional or later.

SOFTWARE INSTALLATION EXTENSION

Assigned applications:
- Are installed automatically on the computer that the user is using
- Cannot be removed by the user after they are installed

Published applications:
- Are available to the user for installation
- Can be removed by the user if necessary

SOFTWARE DEPLOYMENT APPROACHES

| Condition | Publish (User Only) | Assign (User) | Assign (Computer) |
|---|---|---|---|
| After deployment, the software is available for installation: | The next time a user logs on. | The next time a user logs on. | The next time the computer starts. |
| Typically, the user installs the software from: | Add Or Remove Programs in Control Panel. | Start menu or desktop shortcut. | The software is already installed. |
| If the software is not installed and the user opens an associated file, does the software install? | Yes (if Auto-Install is enabled). | Yes. | Does not apply. |
| Can the user remove the software by using Add Or Remove Programs? | Yes. | Yes. | No. |
| Supported installation files: | .msi, .zap | .msi | .msi |

SOFTWARE DEPLOYMENT PROCESSES

- Software deployment process for published applications
- Software deployment process for applications assigned to users
- Software deployment process for automatically installed applications

SOFTWARE DEPLOYMENT THROUGH SYSTEMS MANAGEMENT SERVER

- Provides desktop management and software distribution features that significantly automate the task of upgrading software on client computers
- Allows you to control and synchronize software deployments over multiple sites
- Supports pre–Windows 2000 operating systems for software distribution
- Enables software licensing and metering

DISTRIBUTING SOFTWARE BY USING GROUP POLICY

1. Plan and prepare the software deployment.
2. Set up a software distribution point (SDP).
3. Create a Group Policy Object (GPO) and a GPO console for software deployment.
4. Specify the software deployment properties for the GPO.
5. Add Microsoft Windows Installer packages to the GPO, and select a package deployment method.
6. Set Windows Installer package properties.

PLANNING AND PREPARING A SOFTWARE DEPLOYMENT

- Review your organization’s software requirements.
- Determine how you want to deploy your applications.
- Create a pilot to test how you want to assign or publish software.
- Prepare your software using a format that allows you to manage it based on what your organization requires, and test all packages.
- Gather the Windows Installer packages (.msi files) for the software.
- Perform any necessary modifications to the packages.

SETTING UP AN SDP

1. Create the folders for the software on the file server that will be the SDP, and make the folders network shares.
2. Copy the software, packages, modifications, necessary files, and components to a folder on the SDP.
3. Set the appropriate permissions on the folders hosting the SDP.
4. Use Group Policy to manage the software within the appropriate GPO.

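The SDP steps above as an added PowerShell example (not part of the original slides). It assumes an elevated session on a file server with the SmbShare module (Windows Server 2012 or later), English account names for the share permissions, and the hypothetical folder D:\SDP\Packages and share name SDP$. Clients get read-only access at both the share and NTFS level, and the audit function lists any allow ACE that would let a principal other than Administrators or SYSTEM change package files.

```powershell
# Added example. $SdpPath and $ShareName are hypothetical; run elevated on the file server.
$SdpPath   = 'D:\SDP\Packages'
$ShareName = 'SDP$'

# Well-known SIDs, so the NTFS ACL does not depend on localized account names.
$Admins    = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$System    = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # Local System
$AuthUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'      # Authenticated Users (users and computers)

# Step 1: create the folder.
New-Item -Path $SdpPath -ItemType Directory -Force | Out-Null

# Step 3 (NTFS): stop inheriting ACEs from the parent, then grant explicit rights.
$acl = Get-Acl -Path $SdpPath
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($grant in @(@($Admins, 'FullControl'), @($System, 'FullControl'), @($AuthUsers, 'ReadAndExecute'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $grant[0], $grant[1], $inherit, $none, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SdpPath -AclObject $acl

# Step 1 (share): share-level permissions are read-only for clients as well.
New-SmbShare -Name $ShareName -Path $SdpPath `
    -ReadAccess 'Authenticated Users' -FullAccess 'Administrators' | Out-Null

# Step 2 (copying the packages into $SdpPath) is done by an administrator afterwards.

# Audit: allow ACEs that give write-type rights to anyone other than Administrators or SYSTEM.
function Get-SdpWritableAce {
    param([Parameter(Mandatory)][string]$Path)
    $trusted = 'S-1-5-32-544', 'S-1-5-18'
    $write = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $trusted -and
            ([int]($_.FileSystemRights -band $write)) -ne 0
        }
}

Get-SdpWritableAce -Path $SdpPath
```

Packages assigned to computers are installed by the system, so any principal able to modify files on the SDP can influence what gets installed; rerun the audit function after every permission change on the folder.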
SPECIFYING SOFTWARE DEPLOYMENT PROPERTIES FOR THE GPO

ADDING WINDOWS INSTALLER PACKAGES TO THE GPO AND SELECTING THE PACKAGE DEPLOYMENT METHOD

- Specify the software applications you want to deploy by adding Windows Installer packages to the appropriate node of the GPO.
- Modifications must be associated with the Windows Installer package at deployment time.
- Transforms and patch files are applied to the Windows Installer package in the order you specify.

SETTING WINDOWS INSTALLER PACKAGE PROPERTIES

SOFTWARE DEPLOYMENT BEST PRACTICES

- Assign or publish just once per GPO.
- Assign or publish close to the root in the Active Directory hierarchy.
- Make sure Windows Installer packages include modifications.
- Specify application categories for your organization.
- Take advantage of authoring tools.
- Repackage existing software.
- Know when to use Group Policy Software Installation and SMS.

MAINTAINING SOFTWARE DEPLOYED WITH GROUP POLICY

Software deployed with Group Policy can subsequently be:
- Redeployed
- Upgraded
- Removed

REDEPLOYING APPLICATIONS DEPLOYED WITH GROUP POLICY

Redeployment can be necessary if the following conditions exist:
- Service packs or patches must be applied.
- Features must be enabled or disabled.
- Configurations must be updated.

UPGRADING APPLICATIONS DEPLOYED WITH GROUP POLICY

Two basic steps are required to upgrade a previously deployed application:
- Create a Windows Installer package that contains the upgrade.
- Configure the upgrade in the Upgrades tab in the Properties dialog box for the package.

REMOVING APPLICATIONS DEPLOYED WITH GROUP POLICY

1. Choose the software removal method you want to implement.
2. Allow the software removal to be processed.
3. Delete the GPO.

TROUBLESHOOTING SOFTWARE DEPLOYED BY GROUP POLICY

- Troubleshooting can be complex.
- It requires an understanding of the tools available and how to use them.
- It can often require that you use more than one tool.

TOOLS TO TROUBLESHOOT GROUP POLICY

- Resultant Set Of Policy Wizard
- Gpresult
- Gpupdate
- Event Viewer
- Log files

ADVANCED DIAGNOSTIC INFORMATION

- This information is available only if verbose logging is enabled.
- Information is provided in the Advanced Deployment Options dialog box.
- Data provided includes Product Code, Deployment Count, and Script Name.

SOFTWARE DEPLOYMENT TROUBLESHOOTING SCENARIOS

Instructor-led discussion

SOFTWARE RESTRICTION POLICIES

- Software restriction policies are security settings in a GPO provided to identify software and control its ability to run on a local computer, site, domain, or organizational unit (OU).
- Software restriction policies protect your computer environment from unknown code by enabling you to identify and specify the applications allowed to run.

UNDERSTANDING SOFTWARE RESTRICTION POLICIES

Software restriction policies allow you to do the following:
- Control the ability of programs to run on a system
- Permit users to run only specific files on multiuser computers
- Decide who can add trusted publishers to your computer
- Control who is affected by software restriction policies
- Prevent files from running on your local computer, OU, site, or domain

DEFAULT SECURITY LEVELS

Software restriction policies run on one of two default security levels:
- Unrestricted—Allows software to run with the full rights of the user who is logged on to the computer
- Disallowed—Does not allow the software to run, regardless of the access rights of the user who is logged on to the computer

HOW SOFTWARE RESTRICTION POLICIES WORK

In software restriction policies, software can be identified by:
- Hash
- Certificate
- Path
- Internet zone

RULES

Software restriction policies identify and control the running of software by using rules. There are four types of rules:
- Hash rule
- Certificate rule
- Path rule
- Internet zone rule

RULE PRECEDENCE

Rules are applied in the following order of precedence, from highest to lowest:
1. Hash rule
2. Certificate rule
3. Path rule
4. Internet zone rule

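How the default security level and the rule precedence above combine into one decision, as an added PowerShell example (a simplified model written for this page, not the Windows enforcement code and not from the original slides). The function name, the rule and file objects, and the sample values are hypothetical; the tie-break between two rules of the same type is an assumption the slide does not cover.

```powershell
# Added example: simplified model of software restriction policy evaluation.
# Precedence from the slide: lower number = higher precedence.
$SrpPrecedence = @{ Hash = 1; Certificate = 2; Path = 3; InternetZone = 4 }

function Resolve-SrpLevel {
    param(
        [Parameter(Mandatory)]$File,       # object with Hash, Signer, Path, Zone
        [object[]]$Rules = @(),            # objects with Type, Match, Level
        [ValidateSet('Unrestricted', 'Disallowed')][string]$DefaultLevel = 'Unrestricted'
    )
    # Collect every rule that identifies this file.
    $hits = @(foreach ($rule in $Rules) {
        $isMatch = switch ($rule.Type) {
            'Hash'         { $File.Hash   -eq $rule.Match }
            'Certificate'  { $File.Signer -eq $rule.Match }
            'Path'         { ([string]$File.Path).StartsWith($rule.Match, [System.StringComparison]::OrdinalIgnoreCase) }
            'InternetZone' { $File.Zone   -eq $rule.Match }
        }
        if ($isMatch) { $rule }
    })
    # No rule matched: the default security level decides.
    if ($hits.Count -eq 0) {
        return [pscustomobject]@{ Level = $DefaultLevel; DecidedBy = 'Default security level' }
    }
    # The highest-precedence rule type wins. Assumption (not on the slide):
    # if two matching rules of that type disagree, Disallowed wins.
    $winner = $hits |
        Sort-Object -Property @{ Expression = { $SrpPrecedence[$_.Type] } },
                              @{ Expression = { $_.Level -ne 'Disallowed' } } |
        Select-Object -First 1
    [pscustomobject]@{ Level = $winner.Level; DecidedBy = "$($winner.Type) rule: $($winner.Match)" }
}

# Constructed sample: a folder is blocked by path, one approved tool in it is allowed by hash.
$rules = @(
    [pscustomobject]@{ Type = 'Path'; Match = 'C:\Users\Public\';      Level = 'Disallowed' }
    [pscustomobject]@{ Type = 'Hash'; Match = 'HASH-OF-APPROVED-TOOL'; Level = 'Unrestricted' }
)
$files = @(
    [pscustomobject]@{ Path = 'C:\Users\Public\tool.exe';  Hash = 'HASH-OF-APPROVED-TOOL'; Signer = $null; Zone = 'Local computer' }
    [pscustomobject]@{ Path = 'C:\Users\Public\other.exe'; Hash = 'SOME-OTHER-HASH';       Signer = $null; Zone = 'Local computer' }
    [pscustomobject]@{ Path = 'C:\Windows\notepad.exe';    Hash = 'YET-ANOTHER-HASH';      Signer = $null; Zone = 'Local computer' }
)
foreach ($file in $files) {
    $decision = Resolve-SrpLevel -File $file -Rules $rules -DefaultLevel 'Unrestricted'
    [pscustomobject]@{ Path = $file.Path; Level = $decision.Level; DecidedBy = $decision.DecidedBy }
}
```

The DecidedBy column is the part that helps in troubleshooting: it shows whether a file ran or was blocked because of a specific rule or only because no rule matched and the default level applied.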
IMPLEMENTING SOFTWARE RESTRICTION POLICIES

- Set the default security level.
- Create rules.
- Designate file types.

BEST PRACTICES FOR SOFTWARE RESTRICTION POLICIES

- Create a separate GPO for software restriction policies so that you can disable them in an emergency without affecting the rest of your security settings.
- Test a software restriction policy before applying it to other computers.
- If you must edit a software restriction policy, first disable it.
- If you experience problems with applied policies, reboot in Safe mode.
- Use software restriction policies in conjunction with access control settings.
- Use caution when defining a default setting of Disallowed.

SOFTWARE RESTRICTION POLICY TROUBLESHOOTING

- The complexity of software restriction policies can necessitate frequent troubleshooting.
- In some cases, correct operation can appear to be a problem when it is not.
- Environments that use a disallowed default policy are inherently more difficult to troubleshoot.

SUMMARY

- The Software Installation extension in the Group Policy Object Editor console enables administrators to manage the deployment of software from a central location.
- When you assign an application to a user, the application is advertised to the user on the Start menu the next time the user logs on to a workstation.
- When you publish an application to users, the application does not appear installed on the users’ computers; however, users can install it.
- Modifications enable you to customize Windows Installer packages. Modifications can be transform (.mst) or patch (.msp) files.

SUMMARY (CONTINUED)

- You can redeploy an application previously deployed with Group Policy if there are small changes that must be made to the original configuration.
- To upgrade software deployed with Group Policy, create a Windows Installer package that contains the upgrade and then configure the upgrade in the Upgrades tab in the Properties dialog box for the package.
- Windows Server 2003 provides a range of tools to assist you in verifying and diagnosing problems related to deploying software with Group Policy.
- Software restriction policies are security settings in a GPO provided to identify software and control its ability to run on a local computer, site, domain, or OU.