Logo
programming4us
programming4us
programming4us
programming4us
Home
programming4us
XP
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Windows Phone
 
programming4us
Windows 7

Group Policy Settings (part 2) - Deploying an Application via Group Policy & AppLocker

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
6/9/2011 9:32:49 AM

3. Deploying an Application via Group Policy

You can also use Group Policy to deploy applications. For small-to-medium-size enterprises, this can be very useful to deploy, update, and maintain applications on multiple computers in a network.

Any application that is installed with a Microsoft installer (.msi) package can be deployed via Group Policy. The application is first copied to a share on a server that is available to clients in the network, and then the GPO is configured to deploy the application.

Applications are either assigned or published.

3.1. Assigning Applications

An application can be assigned to a computer or a user. When assigned to a computer, it is installed on the next startup cycle. When assigned to a user, it is advertised on the Start menu and installed when the user starts the program.

In addition, the application will be installed if the user attempts to open a file that requires it. For example, if Microsoft Excel is assigned to a user, it will be installed if the user double-clicks a document with an .xls or .xlsx extension.

In many environments, users have a single computer that they use all the time. If you want these users to have a specific application, assigning it to the computer is often the best method. You can force a reboot during nonworking hours so that you have a little control of when the application is deployed over the network.

If you need more control over when an application is deployed, you can use advanced server products such as System Center Configuration Manager (SCCM). SCCM is a Microsoft server product that can be purchased, and it allows you to schedule deployments of applications and also deploy images of systems, deploy updates, and more.


If you expect few users to need the application at the same time, you can assign it to the users so that it's available on the Start menu. Because users will need it at different times, the actual deployment will be staggered.

3.2. Publishing Applications

Applications can be published to users but not to computers. When published to a user, an application is available to be installed via Control Panel by clicking the Get Programs link under Programs. The application will also be installed if the user attempts to open a file that requires it. Figure 4 shows how a program appears in Control Panel when it is published.

Publishing an application to a user can be useful if you want the application to be widely available but expect only a limited number of users to install it. Since it isn't advertised on the Start menu, a limited number of users will see it.

Figure 4. A published application available to a user from Control Panel

3.3. Configuring Software Installation

The Group Policy settings to deploy applications are located in the Computer Configuration => Policies => Software Settings => Software Installation node for computers and the User Configuration => Policies => Software Settings => Software Installation node for users.

If you want to deploy an application to users or computers in your network, you should take the following steps:

  1. Stage the application. Create a share on a server and copy the .msi file to the share. The share should be available using a UNC path.

  2. Decide if you want to deploy it to computers or users. This can vary depending on how many licenses you've purchased for the application and how the users use applications in your network.

  3. If it will be deployed to users, decide whether you want to assign it or publish it. If it will be deployed to computers, it can only be assigned.

  4. Create a GPO and link it to a site, domain, or OU based on the desired scope of the GPO.

  5. Browse to the Software Installation node. Right-click the node, select New => Package, and point to the package using the UNC path.

  6. Select Assigned or Published.

4. AppLocker

AppLocker can be used to specify which users or groups can run particular applications. AppLocker uses rules that specifically allow or deny applications from running. It is intended to be an improvement over Software Restriction policies available before Windows 7 and Server 2008 R2.

You can access the AppLocker Group Policy settings in the Computer Configuration => Policies => Windows Settings => Security Settings => Application Control Polices node.

Figure 5 shows the AppLocker node in Group Policy. When you first configure a rule, you'll be prompted to create rules. These default rules are intended to ensure that normal operation of the system isn't negatively impacted by the rule. In the figure, the default rules are on the top and labeled Allow, and the one rule on the bottom labeled Deny is the rule created specifically to deny a script for users in the scope of the GPO.

Figure 5. AppLocker script rules

Three types of rules can be implemented:

  • Executable Rules include files with the .exe and .com extensions.

  • Windows Installer Rules include files with the .msi and .msp extensions.

Script Rules include files with the .ps1, .bat, .cmd, .vbs, and .js extensions.

It's also possible to configure DLL rules to restrict execution of .dll and .ocx files. However, using DLL rules will impact the performance of the system because each DLL that is accessed must be checked to see if it is allowed.


Two of the significant improvements of AppLocker over Software Restriction policies are as follows:


Per User and Per Group rules

These are Software Restriction policies applied to all users within the scope of the GPO. AppLocker allows you to specify which users or groups should be granted or denied access.


Audit-only mode

This is new and allows you to test the rules before they're deployed. The rules aren't enforced, but activity is logged.

Other -----------------
- Group Policy Settings (part 1) - Managing User Profiles with Group Policy & Logon and Startup Scripts
- Group Policy and the GPMC (part 3) - Advanced Group Policy Settings
- Group Policy and the GPMC (part 2) - RSAT and the Group Policy Management Console
- Group Policy and the GPMC (part 1) - Enabling a GPO Setting & Applying Multiple GPOs
- Managing Windows 7 in a Domain : Anti-Malware Software
- Managing Windows 7 in a Domain : Understanding User Profiles (part 2)
- Managing Windows 7 in a Domain : Understanding User Profiles (part 1) - Standard Profiles & Roaming Profiles
- Managing Windows 7 in a Domain : Identifying and Resolving Logon Issues
- Managing Windows 7 in a Domain : Authentication vs Authorization
- Managing Windows 7 in a Domain : Joining a Domain
 
 
Top 10
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
- Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
- Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
- Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
- Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
- First look: Apple Watch

- 3 Tips for Maintaining Your Cell Phone Battery (part 1)

- 3 Tips for Maintaining Your Cell Phone Battery (part 2)
programming4us programming4us
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
 
programming4us
Natural Miscarriage
programming4us
Windows Vista
programming4us
Windows 7
programming4us
Windows Azure
programming4us
Windows Server
programming4us
Game Trailer