• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Active Directory Articles
• Understanding Active Directory
• Active Directory Management Tools
• Active Directory Objects
• Active Directory replication
• Active Directory Security
• Active Directory Security Principal Accounts
• Active Directory Terminology and Concepts
• Backing Up and Restoring Active Directory
• Configuring and Troubleshooting Active Directory Replication
• Managing Active Directory Performance
• Publishing Resources in Active Directory
• Troubleshooting Active Directory availability
• What is New in Windows Server 2003 Active Directory
• Deploying Software through Group Policy
• Group Policy Terminology and Concepts
• Implementing and Managing Group Policy Objects
• Implementing Folder Redirection using Group Policy
• Planning a Group Policy
• Troubleshooting Group Policy
• Creating and Managing Domain Controllers
• Creating and Managing Forests and Domains
• Forest and Domain Functional Levels
• The Global Catalog Server
• Managing Recipient Objects Address List and Distribution and Administrative Groups
• Operations Master Roles
• Understanding Forests and Domains
• Understanding Group Types and Scopes
• Understanding Organizational Units
• Understanding Trust Relationship
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

Deploying Software Through Group Policy

An Overview on Software Deployment with Group Policy

When Active Directory was launched in Windows 2000, one of its key design features was to ease the process of deploying software within an organization. To this end, Microsoft included the ability to deploy and distribute software using Group Policy. IntelliMirror technologies include Group Policy software installation to simplify the management necessary for large quantities of users and computers. The Software Installation and Maintenance component of the IntelliMirror technologies can be used to publish applications over the network. Publishing is the terminology used to make applications available for installation from over the network. The Software Installation and Maintenance component can also be used to automatically install applications based on certain predefined criteria on computers. For instance, applications can be automatically installed on computers, based on specific users or groups; or it can be automatically installed on specified computers. The Software Installation and Maintenance component can also be used to uninstall applications. To make these capabilities available, the Software Installation and Maintenance component of the IntelliMirror technologies interrelates with Group Policy and the Active Directory directory service.

In order to deploy software with Group Policy, the following conditions apply:

• The organization must be running a Windows 2000 or Windows Server 2003 Active Directory domain.
• Client computers must be running Windows 2000 Professional or later.

When using Group Policy to deploy software in your Active Directory domain, you basically need to edit an existing Group Policy Object (GPO), or create a new GPO. The GPO needs to be linked to a site, domain, or organizational unit (OU). A GPO that is linked to one these components has a Software Installation node located under the Computer Configuration node, and a software installation node located under the User Configuration node. You can access a GPO linked to a site, domain, or OU, through the Group Policy Editor console. The Software Installation node in the Group Policy Object Editor console can be considered the main tool used to deploy software. The Software Installation node also enables the centralized management of the initial deployment of software and the removal of software. You can also centrally manage software upgrades, hotfixes, and patches from this location.

Deploying software through Group Policy encompasses two types of software deployment:

• Assigning applications: You should assign applications if certain users should have the applications available, irrespective of the actual computer the user is logged on to. Applications that are assigned are advertised to the user on the Start menu and are installed on initial use. You can specify that the application be installed when the user next logs on to the workstation. Advertising is the process by which the application is prepared for installation. When Group Policy is used to deploy software, and the software is included in the GPO linked to a site, domain, or OU; the software is referred to as being advertised to the user and computer. If you are assigning the application to a user, you have to use the Software Installation node under User Configuration node, Software Settings. If you are assigning the application to a computer, you have to use the Software Installation node under Computer Configuration, Software Settings.
The process that occurs when assigning applications is listed below:
1. When the user logs on to the client computer, the WinLogon process advertises the application(s) on the Start menu, or on the desktop of the user.
2. The user selects the application from either one of these locations.
3. The Windows Installer service obtains the Windows Installer package for the selected application.
4. The request for the software is next passed on to the software distribution point (SDP).
5. The Windows Installer service initiates, and then installs the Windows Installer package for the requested software.
6. The Windows Installer service opens the application for the user.
• Publishing applications: When an application is published in Active Directory, the application is advertised to users in Control Panel, in the Add/Remove Programs applet. What this means is that the application is not automatically installed for the user, and the user actually controls whether and when the application is installed. The user also controls the uninstallation of the application.

  The process that occurs when publishing applications is listed below:

  1. The user logs on the client computer, and opens the Add Or Remove applet in Control Panel.
  2. The Add Or Remove applet gets its information on which software is available for installation from Active Directory.
  3. The user proceeds to select which application to install.
  4. The Add Or Remove applet obtains the location of the software from Active Directory.
  5. The request for the software is next passed on to the software distribution point (SDP).
  6. The Windows Installer service initiates, and then installs the Windows Installer package for the requested software.
  7. The user is now able to access the installed application.

In Group Policy, Software Installation utilizes the Windows Installer service to maintain and manage the state of software installation. The service runs in the background and enables the operating system (OS) to manage software installation based on information stored in the Windows Installer package.

Group Policy Software Installation Components

The components involved in deploying software through Group Policy are discussed next.

• Windows Installer package: This is a file with an .msi file extension that holds the instructions for installing, configuring, and removing software. The types of Windows installer packages are:
• Native Windows Installer package files: This type of Windows installer package is developed as a component of the software. The Windows Installer service can be fully utilized. The Native Windows Installer package files include one product that has numerous features which can be installed individually.
• Repackaged application files: The difference between the two packages is that repackaged application files include one product that is installed as one feature.
• Transforms: Another term used for transforms is modifications. A transform is basically a record of changes which were made to the original package file. Transforms enable you to customize Windows Installer packages and the installation features when you publish or assign the application. Through transforms, you can include features for the installation, and exclude features for the installation. The types of customization files which you can configure are listed below. Transform files have a .mst file extension:
• Transform files: Transform files enable you to customize the installation of the application.
• Patch Files: These files have a .msp file extension, are used to update existing Windows Installer packages with additional information, and are used for the following purposes:
• Software patches
• Service Packs
• Software Updates
• Application files: These are text files with a .zap file extension which include instructions on how to publish an application. Because .zap files do not support Windows Installer features, they are used to deploy and install applications using its original Setup.exe or Install.exe program.

Planning for Deploying Software using Group Policy

When planning for deploying software through Group Policy, include the following:

• When planning to deploy software through group policy, you should encompass the software requirements of the organization into your strategy. Assess the organizational structure in Active Directory and identify the available GPOs.
• Define the manner in which the applications are going to be deployed to users or computers. Are the applications going to be published in Active Directory, or assigned to users and computers?
• Test the manner in which the applications are going to be assigned to published.

A few best practices and strategies to consider are listed below:

• Software can be deployed at the site level, domain level, or organizational unit level in Active Directory. It is recommended that you deploy software as high in the Active Directory hierarchy or tree as you can. Software should be deployed close to the root in the Active Directory tree because it allows you to use one GPO to deploy software to multiple users.
• You should deploy multiple applications with a single GPO because it is easier to administer multiple applications from the same GPO than to manage multiple GPOs. User logon time is also accelerated because less GPOs need to be processed.
• If you have different users and computers that need different applications deployed, you should create OUs according to these software management requirements, place the necessary users or computers in the OU, and then apply the GPO containing the software that should be deployed.

The Process for Deploying Software through Group Policy

The general process necessary to deploy software through Group Policy is summarized below:

• Create software distribution points (SDPs): One of the steps in deploying software is to ensure that users are able to access the necessary files. SDPs are the shared folders on the network that contains the files needed to install the deployed applications. Each user that will need to deploy software should be able to access the SDP. The NTFS permissions should be Read and Execute for the SDP and the necessary subfolders, so that users have permissions to access the folder that contains the software installation package.
• Create a GPO for software deployment, and a GPO console for software deployment: When deploying software through Group Policy, the Group Policy Object Editor is used for the following tasks:
• Configure software deployment installation options.
• Assign applications
• Publish applications
• Upgrade applications
• Remove managed applications.
• Configure the software deployment installation properties for the GPO: The Software Installation Properties dialog box contains four tabs which is used to set configuration options for the software that should be deployed:
  • General tab: This is where you set the default location of all packages, set the default value for publishing or assigning, and set installation user interface options.
  • Advanced tab: This tab includes options such as automatically uninstalling applications when the GPO no longer applies to the user or computer, storing Object Linking and Embedding (OLE) information in Active Directory, and enabling 64-bit Windows clients to install 32-bit Windows Installer applications.
  • File Extensions tab: You configure which file extensions should be accessed by applications on the File Extensions tab.
  • Categories tab: Applications categories serve a useful purpose when your organization has a large quantity of published applications. The Categories tab allows you to create and organize applications by categories, so users are able to easily locate the applications in the Add/Remove Programs applet of Control Panel.
• Add the installation packages to the GPO: In this step, you add the installation packages to the GPO, and you specify whether the application is to be assigned or published to users and computers
• Configuring Windows Installer package properties: Once a Windows Installer package is added to a GPO, you can change the properties of the package to modify the category of the application, whether the application is assigned or published, configure security settings, and add or remove transforms (modifications). The Properties dialog box for the Windows Installer package is where you configure Windows Installer package properties, using the tabs listed below.
• General tab: This is where you change the default name of the package. You can also select a support URL to direct users to a support Web page. Users can choose the support URL from the Add Or Remove Programs applet.
• Deployment tab: On the Deployment tab, you can select settings for the following:
• Deployment type
• Deployment options
• Installation user interface options
• Upgrades tab: The Upgrades tab is not available for packages which were created from application files, or .zap files. The tab is used to install upgrades. The first step though is to create a Windows Installer package that contains the upgrade. The second step it configure settings for the upgrade in the Upgrades tab.
• Categories tab: This is where you set application categories so that users can easily locate the application in the Add Or Remove Programs applet in Control Panel.
• Modifications tab: This is where you customize an installation package by adding or removing transforms.
• Security tab. You configure the users or groups which should be able to access the application on the Security tab.

How to create a software distribution point (SDP)

1. Log on to the file server that you want to use as a SDP.
2. Create the network share for the software, and the necessary folders for the software
3. The permissions that should be configured are listed below:
• Administrators: Full Control
• Everyone or Authenticated Users: Read
• Domain Computers: Read
4. Copy the software, including all necessary files and components to the SDP.

How to create or open a GPO and a GPO console for software deployment

To create a new GPO,

1. To create and link a GPO to a site, open the Active Directory Sites And Services. To create and link a GPO to a domain or OU, open the Active Directory Users and Computers console.
2. Right-click the site, domain, or OU, and then click Properties on the shortcut menu.
3. When the Properties dialog box of the site, domain, or OU opens; click the Group Policy tab.
4. Click New, and enter a name for the GPO.
5. Click Close. The GPO is by default linked to the site, domain, or OU in which you created it.

To open an existing domain level GPO or OU level GPO,

1. Open the Active Directory Users and Computers console.
2. Right-click the domain or OU in the left console pane, and click Properties on the shortcut menu.
3. Click the Group Policy tab.
4. In the Group Policy Object Links list, select the GPO and click Edit.
5. The GPO is opened in the Group Policy Object Editor console.

To open an existing site level GPO,

1. Open the Active Directory Sites and Services console.
2. Expand the Sites node
3. Right-click the site in the details pane, and click Properties on the shortcut menu.
4. Click the Group Policy tab.
5. In the Group Policy Object Links list, select the GPO and click Edit.
6. The GPO is opened in the Group Policy Object Editor console.

To create an MMC for a GPO,

1. Click Start, Run, enter mmc in the Run dialog box, and click OK.
2. On the File menu, click Add/Remove Snap-In.
3. Click Add in the Add/Remove Snap-In dialog box to access the Add/Remove Snap-In dialog box. Click Add.
4. Select Group Policy Object Editor, and click Add.
5. Click Browse to find the GPO.
6. Click the All tab in the Browse For A Group Policy Object dialog box.
7. Select the GPO. Click OK
8. Close all open dialog boxes, and then in the MMC, on the File menu, click Save As.
9. Provide a name in the File Name box. Click Save.
10. The Group Policy Object Editor for the GPO can now be accessed under the Administrative Tools menu.

How to open the Software Installation snap-in

The Software Installation snap-in is a component of the Group Policy Object Editor.

1. Open either the Active Directory Users and Computers console, or the Active Directory Sites and Services console.
2. Right-click the site, domain, or OU and then click Properties from the shortcut menu.
3. Click the Group Policy tab.
4. Either create a new GPO, or edit an existing GPO.
5. Click the Properties button, and then click the Security tab. Set the appropriate permissions for the GPO. Click OK
6. Choose the GPO, and click Edit.
7. In the console tree, choose Computer Configuration to assign applications to computers, or choose User Configuration to assign or publish applications to users.

How to configure software deployment installation properties for the GPO

Using Group Policy to deploy software, allows you to configure numerous settings and options to control the manner in which software packages are deployed and administered within your organization. If you want to perform one of the administrative tasks listed below, use the configuration steps detailed after the listed administrative task:

• Modify the default location for your installation packages.
• Configure the default action that should be performed when new packages are added to the GPO.
• Define how much installation information is displayed to users during the installation process
• Modify the quantity of control which users have over installing applications
• Configure the automatic uninstallation of applications when the GPO no longer applies to users and computers.

1. Open the appropriate GPO for the software deployment
2. In the console tree, proceed to expand either the User Configuration node, or the Computer Configuration node
3. Right-click the Software Installation node and click Properties on the shortcut menu.
4. When the Software Installation Properties dialog box opens, in the Default Package Location box of the General tab, enter the Uniform Naming Convention (UNC) path to the SDP for the Windows Installer packages.
5. You can configure the default action that should be performed on new packages in the New Packages section of the General tab. You choose one of the options listed below:
• Display The Deploy Software Dialog Box: This the default configuration setting. The Deploy Software dialog box will be displayed when new packages are added to the GPO. On this dialog box, you can choose whether to assign or publish the application, or configure the properties of the package.
• Publish: Remember that applications can only be published to users, and not computers. Therefore, this setting is only available for User Configuration. When the option is selected, the application is automatically published with the default package properties or settings.
• Assign: When the Assign option is selected, any new software installation packages added to the GPO are automatically assigned with the default package properties or settings
• Advanced: When a new software installation package is added to the GPO, the properties dialog box of the package is displayed. You can then configure the properties for the installation package.
6. In the Installation User Interface Options section of the General tab, you can choose one of the following options:
• Basic: When selected, users are shown limited information on the installation process.
• Maximum: When selected, users are shown all the installation messages and screens on the installation process.
7. Click the Advanced tab.
8. Select the Uninstall The Applications When They Fall Out Of The Scope Of Management checkbox to automatically remove the application if the GPO no longer applies to users or computers.
9. Select the Include OLE Information When Deploying Applications checkbox if information on Component Object Model (COM) components should be included with the package.
10. Select the Make 32-Bit X86 Windows Installer Applications Available To Win64 Machines checkbox to enable 64-bit Windows client computers to install 32-bit Windows Installer applications.
11. Select the Make 32-Bit X86 Down-Level (ZAP) Applications Available To Win64 Machines checkbox to enable 64-bit client computers to install applications published using a .zap file (application files).

How to configure the default application for the specified file extension

You would normally need to associate a file extension with an application when you have multiple applications which can use a specified file format.

1. Open the appropriate GPO console.
2. In the console tree, proceed to expand either the User Configuration node, or the Computer Configuration node
3. Right-click the Software Installation node and click Properties on the shortcut menu.
4. When the Software Installation Properties dialog box opens, click the File Extensions tab.
5. Use the Select File Extension list to check which applications are associated with the file extension.
6. You can use the Up or Down buttons of the Application Precedence list box, to move an application that should be the default application for the particular extension to the top of the list.
7. Click OK.

How to create application categories for applications that are published

1. Open the appropriate GPO console.
2. In the console tree, proceed to expand either the User Configuration node, or the Computer Configuration node
3. Right-click the Software Installation node and click Properties on the shortcut menu.
4. When the Software Installation Properties dialog box opens, click the Categories tab.
5. Click Add to add a new application category.
6. In the Enter New Category dialog box, specify a name for the new category in the Category box. Click OK.
7. If you want to remove an existing application category, select the category in the Categories tab, and then click Remove.
8. If you want to change the name of an existing application category, select the category in the Categories tab, and then click Modify.
9. Click OK.

How to change the default software installation behavior over slow network links

When using Group Policy, Group Policy considers all network connections which are slower than 500 Kbps as slow links (default). At this point, the policies listed below are disabled:

• Disk Quotas
• Folder Redirection
• Scripts
• Software Installation And Maintenance

You can however change the speed which Group Policy considers slow, to change the default software installation behavior over slow network links. In addition to this, you can enable or disable the processing of policies listed below over a slow link:

• Disk Quota, EFS Recovery, Folder Redirection, Internet Explorer Maintenance, IP Security, Scripts, Software Installation, and Security.

To change the default speed which Group Policy considers slow,

1. Open the GPO console.
2. In the console tree, proceed to expand either the User Configuration node, or the Computer Configuration node, then expand Administrative Templates, System and Group Policy.
3. Double-click Group Policy Slow Link Detection in the details pane.
4. When the Group Policy Slow Link Detection Properties dialog box opens, select Enabled, and enter the speed which should be used to define whether a connection is slow. Entering a value of 0, disables slow link detection.
5. Click OK.

How to add the Windows Installer packages to the GPO

1. Open the GPO console.
2. In the console tree, proceed to expand either the User Configuration node, or the Computer Configuration node, and then expand the Software Installation node.
3. Right-click the Software Installation node, and click New and then Package on the shortcut menu.
4. In the Files Of Type list, choose Windows Installer Package or choose ZAW Down-Level Application Packages (.ZAP).
5. Choose the package that should be deployed. Click Open.
6. In the Deploy Software dialog box you have to specify how the package should be deployed. You can choose one of the following options:
• Published: The Windows Installer package is published to users in Active Directory with the default settings.
• Assigned: The Windows Installer package is assigned to users or computers with the default settings.
• Advanced: The option allows you to configure properties for the Windows Installer package.
7. Click OK.

How to configuring Windows Installer package properties

You can change the Windows Installer package properties after the package is added to the GPO. To change the category of the application, the deployment type, and security settings;

1. Open the GPO console.
2. In the console tree, proceed to expand either the User Configuration node, or the Computer Configuration node, and then expand the Software Installation node.
3. In the details pane, right-click the software package you want to modify, and select Properties on the shortcut menu.
4. On the General tab you can enter a new name for the package in the Name box, and enter a support URL for users in the URL box.
5. Click the Deployment tab if you want to change the existing manner in which the package is deployed.
6. In the Deployment Type section of the Deployment tab, you can select the Published option, or the Assigned option.
7. In the Deployment Options section of the Deployment tab, you can select the following checkboxes:
• Auto-Install This Application By File Extension Activation: The application is automatically installed when a user opens a file which is associated with the application.
• Uninstall This Application When It Falls Out Of The Scope Of Management: The application is uninstalled when the associated GPO is no longer applicable for the user or computer.
• Do Not Display This Package In The Add/Remove Programs Control Panel: The application is not displayed in the Add/Remove Programs applet in Control Panel.
• Install This Application At Logon: The application is installed when the user next logs on to the computer.
8. In the Installation User Interface Options section of the Deployment tab, you can choose either the Basic option, or the Maximum option.
9. Click the Advanced button on the Deployment tab to open the Advanced Deployment Options dialog box.
10. You can set the options listed below under Advanced Deployment Options:
• Ignore Language When Deploying This Package: Deploys the package, even when the language in the package is in a different language. The option basically ignores the language settings when the package is deployed
• Make This 32-Bit X86 Application Available To Win64 Machines: Enables 64-bit Windows client computers to install 32-bit Windows Installer applications.
• Include OLE Class And Product Information: Information on Component Object Model (COM) components is included with the package.
11. Click OK
12. Click the Categories tab to assign the application to an application category.
13. Click the Security tab configure the users or groups which should be able to access the application.
14. Click OK.

How to deploy package upgrades

1. Open the GPO console.
2. In the console tree, proceed to expand either the User Configuration node, or the Computer Configuration node, and then expand the Software Installation node.
3. In the details pane, right-click the upgrade package and then select Properties on the shortcut menu.
4. Click the Upgrades tab.
5. Click Add.
6. In the Add Upgrade Package dialog box select whether you are going to choose a package from the current GPO, or from a specific GPO.
7. Choose the package that should be upgraded from the Package To Upgrade list.
8. If the existing application should be removed before the new application is installed, click the Uninstall The Existing Package, Then Install The Upgrade Package option.
9. If the new package should upgrade the existing package, click the Package Can Upgrade Over The Existing Package option. This option does not overwrite the existing settings of the user.
10. Click OK on the Add Upgrade Package dialog box.
11. Use the Add button and Remove button on the Upgrade tab to specify the packages that the new package should upgrade.
12. Enable the Required Upgrade For Existing Packages checkbox if you want to force users to upgrade to the new package.
13. Click OK.

How to apply package modifications

1. Open the GPO console.
2. In the console tree, proceed to expand either the User Configuration node, or the Computer Configuration node, and then expand the Software Installation node.
3. Right-click the Software Installation node, and select New and then Package from the shortcut menu.
4. Choose the base package for the application which should be deployed. Click Open.
5. Use the My Network Places icon to locate to this package.
6. Choose either Published or Assigned in the Deploy Software dialog box. Click OK.
7. Click the Modifications tab.
8. Click Add, and choose the Windows Installer transform package that should be added in the Open dialog box. Click Open. You can add multiple modifications.
9. You can use the Move Up and Move Down buttons on the Modifications tab to place the packages in the appropriate order. Use the Add and Remove buttons to add or remove transforms.
10. Click OK.

How to remove applications deployed with Group Policy

1. Open the GPO console.
2. In the console tree, proceed to expand either the User Configuration node, or the Computer Configuration node, and then expand the Software Installation node.
3. Right-click the package that you want remove in the details pane, and select All Tasks, and then Remove from the shortcut menu.
4. When the Remove Software dialog box opens, select one of the options listed below:
• Immediately Uninstall The Software From Users And Computers, to immediately remove the software when the computer is restarted, or at the next time when the user logs on to the computer.
• Allow Users To Continue To Use The Software, But Prevent New Installations: This option prevents new instances of the application from being installed, while still permitting users who have already installed the application, to continue using the application.
5. Click OK.

Best Practices for Deploying Software Through Group Policy

A few best practices specific to deploying software through Group Policy is listed below:

• Test all software installation packages before you deploy them.
• Use and enforce standard configurations for applications, if possible
• It is recommended that you deploy software as high in the Active Directory hierarchy or tree as you can. Software should be deployed close to the root in the Active Directory tree because it allows you to use one GPO to deploy software to multiple users.
• A Windows Installer package should be assigned/published only once in the identical GPO.
• Create application categories when you have a large quantity of published applications within your organization. This makes is easier for users to find applications in Add Or Remove Programs in Control Panel.

Bookmark Deploying Software Through Group Policy

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum