Configure IT Quick: Create and manage group policies for software distribution

Learn how you can use group policies to publish applications for user installation, remove software, and perform other tasks related to automated software installation via group policies and the Windows Installer.

In the Daily Drill Down entitled “Preparing to deploy applications using group policies,” I showed you how to prepare to centralize software distribution using group policies. In this Daily Drill Down, I’ll explore how you can use group policies to publish applications for user installation, remove software, and perform other tasks related to automated software installation via group policies and the Windows Installer. Some of the steps require quite a bit of planning and involve a learning curve, so think of this Daily Drill Down as a primer to help you understand the big picture and get you moving in the right direction, rather than a step-by-step guide.

Getting ready
At this point, assume that you’ve accomplished all the planning and preparation needed to begin your software deployment. You’ve structured the Active Directory (AD) and adjusted group and Organizational Unit (OU) membership as needed, created or obtained the Installer files and other support files, created the distribution points, tested the application installations under different scenarios (an important step not to be missed), and identified how you will address deployment needs for non-Windows 2000 clients. Now, it’s time to start creating the group policies that will make the whole thing work.

You use the Software Installation node of the Group Policy Editor (GPE) to configure policies for application deployment. You can open the GPE by adding it to a custom MMC console, which enables you to focus the editor on the local group policy object (GPO) as well as on GPOs in AD. Or, you can right-click an object in AD (site, domain, or OU), choose Properties, click the Group Policy tab, and select or create a new GPO to open the GPE.

Setting global properties
Before you begin adding packages, you need to set some global properties. For example, if you are publishing several applications, you should create categories under which the applications will be published. Users in the Accounting department will need a certain set of applications, so you’ll create a category for them. You might create categories for other departments, such as Finance, Support, Administration, Engineering, and so on.

To configure global properties, open the Computer Configuration\Software Settings\Software Installation branch in the Group Policy Editor to configure settings for applications deployed based on computer policy, or open the User Configuration\Software Settings\Software Installation branch to configure options for applications deployed based on user policy. Right-click the Software Installation node and choose Properties. The General page lets you configure a handful of global properties:
  • Default Package Location: Specify the default location from which packages are deployed. This should be in the form of a UNC path unless all users can access the share from the same mapped drive letter.
  • New Packages: Specify the default method for adding new packages. You can choose either Publish or Assign as the default mode, or you can configure the console to display a dialog box so you can choose the Deployment mode when adding a new package. Select the option Advanced Publish Or Assign if you generally use nondefault settings when adding a new package. With this option selected, the console automatically opens the property sheet for the package when you add it, enabling you to specify different settings. If you choose not to use this option, you can still make changes to any package after adding it.
  • Installation User Interface Options: Specify the desired level of installation information you want the user to see during application installation.
  • Uninstall Applications When They Fall Out Of The Scope Of Management: Select this option if you want the application by default to be removed when the GPO no longer applies to the user (more on this later).

The File Extensions page lets you specify how the Installer handles applications installed on demand when the user attempts to open a document for which the application is not yet installed. You might have more than one application that handles a specific document type, so you would use the File Extensions page to prioritize the available packages. The application at the top of the list for a given file type is the one that will be installed by default if available.

Use the Categories page to add categories for applications that you publish. These categories sort the available applications when the user attempts to add applications through the Add/Remove Programs object in Control Panel. Categories are most useful when you have many applications to deploy for several departments or groups. Categories that you add apply to the domain, so you need only define them once. You can, however, apply different categories to the Computer Configuration and User Configuration branches.

Adding packages
When you’re ready to add a package, right-click in the right pane and choose New | Package. The GPE then prompts you for the location of the Installer package. The path you specify becomes a part of the policy, and while you can specify a local path, you should use a UNC path instead to ensure that users can access the location to obtain the package and associated files. In addition to specifying a UNC path, make sure the network share will be available to users who need to install applications from the share. Configure the sharing and NTFS permissions as needed.
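As an added example (not part of the original article), the following PowerShell checks the NTFS permissions on a distribution point for entries that let broad groups change package files, since users installing from the share only need read access. The function name, the CONTOSO domain, the list of broad principals, and the sample rules are assumptions made for illustration.

```powershell
# Added example (not from the original article): flag access rules on a
# software distribution point that let broad groups change package files.

# Principals treated as "broad" (an assumption). CONTOSO is a placeholder domain.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users',
                     'BUILTIN\Users', 'CONTOSO\Domain Users')

# Rights that allow a package to be modified or replaced, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that can
# appear on inherit-only entries.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

function Find-BroadWriteAccess {
    param([Parameter(Mandatory)] [object[]] $AccessRules)
    foreach ($rule in $AccessRules) {
        # Bits of this rule that overlap the write-type rights.
        $excess = [int]$rule.FileSystemRights -band $WriteMask
        if ("$($rule.AccessControlType)" -eq 'Allow' -and
            $BroadPrincipals -contains "$($rule.IdentityReference)" -and
            $excess -ne 0) {
            [pscustomobject]@{
                Identity   = "$($rule.IdentityReference)"
                Rights     = "$($rule.FileSystemRights)"
                ExcessBits = '0x{0:X8}' -f $excess
            }
        }
    }
}

# Constructed sample rules, shaped like the .Access entries returned by Get-Acl.
$FSR = [System.Security.AccessControl.FileSystemRights]
$sample = @(
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'
                       FileSystemRights = $FSR::FullControl; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Users'
                       FileSystemRights = $FSR::ReadAndExecute; AccessControlType = 'Allow' }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'
                       FileSystemRights = $FSR::Modify; AccessControlType = 'Allow' }
)
Find-BroadWriteAccess -AccessRules $sample | Format-Table -AutoSize

# Against a real distribution point (the UNC path is a placeholder):
# Find-BroadWriteAccess -AccessRules (Get-Acl -Path '\\server\packages').Access
```

This inspects NTFS permissions only; share-level permissions are configured separately and need their own review.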

After you specify the installation package file, the GPE displays a property sheet for the package. The General page contains read-only information about the package such as version, publisher, and support information. You also specify the package name on the General page.

The Deployment page lets you configure how the application is deployed and removed. Before you configure options, however, you need to understand the difference between publishing and assigning applications. When you publish applications, they don’t appear on the user’s Desktop or in the Start menu. Instead, the applications are available through the Add/Remove Programs object in the user’s Control Panel, and the user can install the application just like a local application. The Add/Remove Programs item displays a list of the available applications, enabling the user to choose which application to install.

You can optionally organize the applications by category (Sales, Support, and so on) if you need to publish several applications and want to make it easier for certain types of users to locate the software they need. You configure the categories when you publish applications (more on that shortly). So publishing applications makes them available to the user for installation but doesn’t make them appear as if they are already installed. (They don’t show up in the Start | Programs menu.)

When you assign applications, however, they do show up in the user’s Start menu as if they were already installed. When the user logs on, the WinLogon process calls the Application Management extension to group policy, which advertises the application(s) in the user’s registry and in the Start menu or on the Desktop. The user installs the application simply by opening the application’s icon—performing an on-demand installation.

You can use either publishing or assignment to make applications available. The choice you make typically depends on the application. All applications that a user must have to get the job done should be assigned; applications that the user can benefit from or might choose to use optionally should be published.

The following list summarizes the options on the Deployment page:
  • Published: Select this option to deploy the application as published.
  • Assigned: Select this option to deploy the application as assigned.
  • Auto-Install This Application By File Extension Activation: Select this option to have the application installed automatically when the user attempts to open a document type that requires the application.
  • Uninstall This Application When It Falls Outside Of The Scope Of Management: Remove the application from the user’s system when the GPO no longer applies to the user. For example, a user who moves from the Accounting department to the Finance department might no longer need the applications associated with the Accounting OU through the OU’s GPO. So, when the user moves from the Accounting OU to the Finance OU, and therefore is no longer under the scope of the GPOs in the Accounting OU (assuming the GPOs are not linked to the Finance OU as well), the applications are removed.
  • Do Not Display This Package In The Add/Remove Programs Control Panel: Select this option to prevent the application from appearing in the Add/Remove Programs list.
  • Basic: Select this option to display only basic installation information during application installation.
  • Maximum: Select this option to display all setup information during application installation.
  • Advanced: Select this option to configure the application to ignore language when deploying and to remove previous versions of the application if it was not installed by a group policy-based installation.

Use the Upgrades page of the property sheet to configure update behavior for the package. You can select existing packages that the current package will update and specify that the current package is a required upgrade for existing packages. For example, if your organization currently uses Microsoft Office 2000, you might create an upgrade package to force upgrades when the next version of Office is released. You can select packages to upgrade from the current GPO or browse to a specific GPO.

Use the Categories page of the package’s properties to specify the categories under which it appears. As explained previously, these categories sort the available applications to the user when they open the Add/Remove Programs object to install an application. Although you can assign multiple categories to an application, in most cases you should assign only one to avoid confusion.

If you’ve created transforms to modify the package, add them through the Modifications property page. You can add and remove transforms as well as change their priority.

The last of the property pages—Security—enables you to apply permissions to the package to further control deployment. The Authenticated Users group by default has Read permission on the object, which gives all authenticated users the ability to install the application if they fall under the scope of management. You can, however, use the Security page to explicitly control which users or groups can and cannot install the application. To do so, add the user or group that you want to be able to install the application and grant them Read permission. Then, remove the Read permission from the Authenticated Users group. If users can’t read the object, they won’t be able to install the package, giving you the means to restrict access on a per-group or per-user basis.

After you create a package, you can modify the package as needed. For example, you might decide to change the package from Publish to Assign if all users need it. You can right-click a package and change the installation mode from the package’s Context menu. Choose either Publish or Assign from the Context menu depending on how you want the application deployed. Select the Auto-Install option if you want to change the application’s behavior for automatic installation (when a user attempts to open a document that requires the application). If you need to change other properties, either right-click the package and choose Properties or simply double-click the package. The console displays the same property sheet as when you added the package.

Finally, you can redeploy applications through the console. Right-click the application package and choose All Tasks | Redeploy Application. Clicking Yes in the resulting dialog box causes the application to be reinstalled on all systems where it is currently installed. This ability to automatically redeploy applications can be extremely useful as a means of forcing an update or replacing one version of an application with another that doesn’t support an incremental upgrade mechanism.

Managing applications on a network can be time consuming, especially if you must manage many workstations. Fortunately, you can use group policies to help distribute applications across your network. In this Daily Drill Down, I’ve shown you where you need to go in the Group Policy Editor to configure policies for application deployment and what you must do to distribute applications.