
Manage client software from your server with group policies

Managing software for your users doesn't have to tie up your time like it used to. Group policies enable you to automate some of the more tedious tasks, like applying service packs and making needed applications available. Brien Posey shows you how.

Software management has always been one of the biggest chores for network administrators. Say, for example, that Microsoft releases a new service pack for Office 2000. Odds are, you'll wind up sacrificing nights or weekends to make sure it's installed on everyone’s computer in a timely manner. Fortunately, Microsoft has addressed this issue in Windows 2000 by allowing you to create a group policy that manages software for you. In this Daily Drill Down, I’ll show you how you can use group policies to deploy and publish applications on your network.

What type of installation do you need?
When you configure the software installation defaults in a group policy, you have a choice or two to make. First, you must choose whether you want to publish the application or assign it. If you decide to assign the application, you must then choose whether to base the assignment on the user or on the computer. Let’s begin by discussing the various permutations of these installation options.

Publishing software means that the software is made available to the user but is not forced on the user. If the user decides to install the software, he or she may do so manually through Add/Remove Programs in the Control Panel. Because this is a manual process that must be performed by the user, the publishing option is available on user-based policies but not on computer-based policies.

An assigned application is a little bit more complicated. When you assign an application, you can apply it on either a user basis or a computer basis. If you assign an application on a user basis, the assignment will follow the user from computer to computer. In such a case, the application is available to the user after the next login and is installed either through a desktop icon or shortcut on the Start menu or when the user opens a document that’s associated with the application.

If, on the other hand, you assign an application to a computer, the application is usually considered to be mandatory for that computer. In such a case, the software is installed automatically the next time that the system is rebooted. Unlike with applications that have been published or that have been installed on a user basis, users can't uninstall applications that are assigned to a computer. They can, however, run a repair on such applications by reinstalling them.

With all of the criteria and stipulations involved in these various types of software installations, you may be wondering when it’s appropriate to use which type. Typically, publishing applications is appropriate when users don't necessarily require a piece of software to get their job done but may find the software helpful. For example, if a user doesn't require Microsoft Excel, but you have a few extra licenses available, you might consider publishing it. By doing so, you will conserve licenses because the Excel installation program will be out of sight most of the time. Many users will forget that the program is available or won’t know how to install it, but it will be there for those who need to use it occasionally.

Assigning applications to users is generally a good idea when users need a program to get their job done. With assigned applications, the Setup program is clearly visible on the desktop or on the Start menu, so it's easy for users to install the application.

Assigning an application to a computer is typically reserved for situations where you don’t want users to have any choice about the application. For example, I recommend this approach for service packs, hot fixes, and of course, your company’s antivirus software. Assigning an application to a computer is also useful for keeping everyone on the same version of an application. Any time you make a new version of an application available, you’ll have some users who can’t wait to try it out and other users who refuse to upgrade. Usually, this won’t cause any immediate problems, but as time goes on, some users will wind up a couple of versions behind. If this causes problems for the company, you can bring everyone up to date by assigning the application to the computer.

Publishing and assigning applications
Now that you know the difference between publishing and assigning applications and when to use which technique, let’s look at the procedure for each type of installation.

Regardless of whether you want to publish or assign an application, the first step is to open the group policy object you plan to use. If you haven’t created a group policy object, you can open the default domain group policy object by entering the MMC command at the Run prompt. Doing so will launch an empty Microsoft Management Console session. Now, select the Add/Remove Snap-In command from the Console menu to open the Add/Remove Snap-In Properties sheet. Click the Add button on the General tab to display a list of the available snap-ins, select Group Policy from the list, and then click the Add button.

At this point, you’ll see a screen explaining that the group policy object can exist either on the local machine or in the Active Directory. The default is to store the policy on the local machine, but you need to store it in the Active Directory instead. To change this setting, click the Browse button. You’ll now be able to browse for a group policy object. Unless you already have one set up, select the Default Domain Policy, click OK, and then click Finish, Close, and OK.

Now you can select either User Configuration or Computer Configuration, depending on whether you want to publish or assign the application on a user basis or assign it on a computer basis. For the purposes of this article, let's assume that you’re assigning the application on a user basis. Beneath User Configuration, navigate to Software Settings | Software Installation. Right-click on Software Installation and select the New | Package command from the resulting context menu. You’ll see a dialog box that prompts you for the location of the software distribution point.

Remember that the software distribution point should be shared and should contain the Windows installer package. If you haven’t configured sharing for the folder that you want to use as a software distribution point, you should do so immediately after setting up the group policy.

Now, select the Windows Installer file and click the Open button. If you see a message stating that Windows can’t verify the network path, it probably means that you referenced the installer file through a local drive rather than through My Network Places. To see whether this is the case, look in the title bar of the message box to see if it contains a drive letter (C:\Installer\Test.msi) instead of a network path (\\Animal\C$\Installer\Test.msi).
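
The path check described above, together with the sharing requirement from the preceding paragraph, as an added example that is not part of the original article. It assumes a current Windows system with PowerShell rather than the Windows 2000 console, and Test-DistributionPointPath is a hypothetical helper name; it flags a drive-letter path, a hidden or administrative share such as C$, and write access for broad groups on the package file. The two sample paths are the ones quoted above.

```powershell
# Added example (not from the article). Test-DistributionPointPath is a
# hypothetical helper; it returns a list of findings, empty when none apply.
function Test-DistributionPointPath {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()

    if ($Path -match '^[A-Za-z]:\\') {
        # A drive-letter path only resolves on the machine where it was typed.
        $findings += 'Local drive path: clients cannot resolve it; use \\server\share\...'
    }
    elseif ($Path -match '^\\\\([^\\]+)\\([^\\]+)\\') {
        $share = $Matches[2]
        # Default administrative shares (C$, ADMIN$) are limited to administrators,
        # so ordinary users cannot read a package stored behind them.
        if ($share.EndsWith('$')) {
            $findings += "Share '$share' is hidden or administrative: users may be unable to read it"
        }
    }
    else {
        $findings += 'Not a UNC path of the form \\server\share\file.msi'
    }

    # When the file is reachable, flag ACL entries that let broad groups alter it.
    # Assigned packages install with elevated rights, so the file should be
    # read-only for everyone except the administrators who maintain it.
    if (Test-Path -LiteralPath $Path) {
        $write = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
        $broad = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users'
        foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
            $name = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $name -and
                ($ace.FileSystemRights -band $write)) {
                $findings += "Writable by $($ace.IdentityReference): $($ace.FileSystemRights)"
            }
        }
    }
    $findings
}

# The two paths quoted in the article.
Test-DistributionPointPath -Path 'C:\Installer\Test.msi'
Test-DistributionPointPath -Path '\\Animal\C$\Installer\Test.msi'
```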

You should now see the Deploy Software dialog box, which asks whether you want to publish the application or assign it. (Note that if you had chosen to use the Computer Configuration portion of the group policy object, the Publish option wouldn't be available.) Select the option to assign the application and click OK.

Modifying a software installation package before publishing or assigning
You may have noticed that the Deploy Software dialog box actually contains three options instead of the two you might expect. The extra option, Advanced Publish Or Assign, lets you modify the software installation package as part of the process of configuring publish or assign options. To modify a software installation package, Windows doesn’t actually alter the package itself. As you may recall, a software installation package uses the .msi file extension. When you modify the package, Windows creates another file that uses the .mst extension. You can actually create multiple modification files and apply them in layers. Doing so allows you to create custom .mst files that apply to different users in different situations. For example, you could create customizations that would cause certain users not to receive PowerPoint.

To modify the installation package for a piece of software, select the Advanced Publish Or Assign option and click OK. When Windows displays the application’s properties sheet, select the Modifications tab. There, you can add, remove, and change the order of modification files by using the Add, Remove, Move Up, and Move Down buttons. A word of warning, though: Don’t click OK until you’re absolutely sure that you’ve installed the correct modification packages and that they're listed in the correct order. When you click OK, the installation package (and associated modification packages) will be assigned or published immediately. Therefore, if the modification packages are incorrect, you’ll have to completely uninstall the package and replace it with the correct version.

File extension-based installations
Earlier, I mentioned that you can make Windows automatically install an application when a user tries to open a document that’s associated with the application. This idea leaves a big question to be answered. How does Windows know which application is associated with a file extension if the application isn’t installed on the machine?

Automatic installation based on file extensions is configured through the group policy object. For example, suppose that a user who doesn’t have Microsoft Word installed tries to open a document with the .doc extension. It’s possible to have a group policy in place that tells Windows to automatically install Microsoft Word and display the requested document if a user tries to open the .doc file.

To enable file extension-based installations, go back to the Software Installation object in the group policy object you’ve been working with and right-click on Software Installation. Select the Properties command from the context menu to open the Software Installation Properties sheet and then select the File Extensions tab.

The File Extensions tab deserves a little explaining. First, the Select File Extension drop-down list at the top of the tab contains only the file extensions that the server knows about. Therefore, if you’ve set up a software installation package for Microsoft Office, the .doc extension will be on the list. If you haven't, .doc won’t appear on the list of available extensions unless some other program has registered the extension. The Application Precedence list contains all of the applications that can accept files of the chosen extension type. You set which application takes precedence for the chosen extension by moving the applications up and down in the list with the Up and Down buttons.

Application categories
As you look at the Software Installation Properties sheet, you'll notice it includes a Categories tab. This tab is useful when you have a lot of published applications. You can group applications by categories that you create. By categorizing applications, you can perform mass installations according to function. For example, if you have a lot of spreadsheet programs, you could create a category called Spreadsheets. When the time comes to provide users with this functionality, you can simply create a group policy to deploy all the spreadsheet applications at one time. To create a category, just click the Add button. When you do, you’ll be prompted to enter the name for a new category. Unlike many of the other settings we’ve looked at, the categories you create are available on a domain-wide basis, not just to users of a particular group policy object.

You can greatly ease the administrative burden of software management by creating a group policy that’s designed to manage software for you. You can assign users software that applies the latest service packs without having to worry about visiting each machine. You can also publish software that allows users to access software on an as-needed basis.
