Before deploying software using Group Policy, create a
shared folder or DFS folder to store the setup files, and create a GPO
for application deployment, as discussed in this section.
Creating a Software Distribution Point
To deploy applications
using Group Policy, first create a software distribution point on the
network that contains the setup files for the applications. (Make sure
you have volume licenses for the applications.) The best way to do this
is to create a folder structure in DFS. This allows you to alter the
location of the software distribution point without breaking application
deployment, add multiple folder targets for load balancing, and set up
WAN-friendly replication.
To create a software distribution point, use the following steps:
1. Design and create a DFS or shared folder structure for software.
Create a DFS folder that contains other DFS folders that
categorize software. The second (or third) level of DFS folders usually
contains DFS folders with folder targets that store the actual
installation files. For example, the DFS folder that contains the
Microsoft Office 2003 setup files might be \\example.local\Software\Productivity\Microsoft Office 2003, with the \\Srv2\Software\Productivity\Microsoft Office 2003 folder target.
2. Set the following NTFS permissions on the software distribution folder.
(Set the share permissions to Everyone = Full Control to prevent
conflicting file and share permissions.)
Important
Permissions that are incorrectly set are among the most common causes of
problems when deploying software via Group Policy, so verify that file and
share permissions are set properly on the software distribution folder.
3. Copy the application setup files to the software distribution point, or use
an administrative setup command to install the setup files to the
software distribution point. Consult the software manufacturer for
specific instructions and recommendations.
For example, to install Microsoft Office 2003 to a software distribution point, type D:\Setup.exe /A Pro11.msi, substituting D:\ with the drive letter of the Office CD and Pro11.msi with the .MSI package appropriate for your version of Office. Do not simply copy the setup files.
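One way to carry out the permission check that step 2 calls for, as an added PowerShell example that is not part of the original text. The share name, local path and EXAMPLE\ domain prefix are assumptions, as is running it on the file server with the SmbShare module (Windows Server 2012 or later); the list of broad principals is constructed and does not reproduce the procedure's permission table.

```powershell
# Added example: verify share and NTFS permissions on a software distribution folder.
# Assumed (not from the page): share name, local path, EXAMPLE\ domain prefix.
$ShareName = 'Software'      # assumed name of the share behind \\Srv2\Software
$Path      = 'D:\Software'   # assumed local path of the folder target on the file server

# Constructed list of broad principals that should only read setup files.
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users',
                     'EXAMPLE\Domain Users', 'EXAMPLE\Domain Computers')

# Rights that let a principal add, change or delete files, or rewrite the ACL.
$WriteRights = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask   = [int][System.Security.AccessControl.FileSystemRights]$WriteRights
# Generic rights are stored as raw bits: GENERIC_ALL 0x10000000, GENERIC_WRITE 0x40000000.
$GenericWriteBits = 0x50000000

# 1. Share permissions. The page sets Everyone = Full Control, which leaves the
#    NTFS ACL as the only control on who can change the setup files.
$everyoneFull = Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' -and $_.AccessRight -eq 'Full'
}
if (-not $everyoneFull) {
    Write-Warning "Share '$ShareName' does not grant Everyone Full Control as the procedure expects."
}

# 2. NTFS permissions. Report every Allow ACE that gives a broad principal write access,
#    on the root folder and on everything below it (child items can carry their own ACEs).
$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$findings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
        $rights   = [int]$ace.FileSystemRights
        $canWrite = ($rights -band $WriteMask) -or ($rights -band $GenericWriteBits)
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $BroadPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No write-capable ACEs for broad principals under $Path."
}
```

Run it from an elevated session so that Get-Acl can read the ACL of every item under the folder.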
Note
To publish
the software distribution folder in Active Directory so that users can
find the folder when searching Active Directory for shared folders,
right-click the appropriate container in the Active Directory Users and
Computers console, choose New, select Shared Folder, and then type the
path of the DFS folder or shared folder in the Network Path box.
Creating a GPO for Application Deployment
Before adding or administering deployed applications, create a new GPO for the applications. To do so, follow these steps:
More Info
For more information about Group Policy, the Group Policy Object Editor, and the Group Policy Management Console.
1. Install the Group Policy Management Console, if necessary, and then open the
Group Policy Management Console from the Administrative Tools folder on
the Start menu.
2. Create a new GPO, and then link it to the appropriate site, domain, or organizational unit (OU).
3. Use the Security Filtering section to apply the GPO to the appropriate groups of users or computers, as shown in Figure 1.
Note
Do
not unlink or delete a GPO immediately after using it to uninstall
applications; Windows applies the policy when users log on or restart
their computers, so if you unlink or delete the GPO before these events
occur, Windows does not uninstall the applications.
Use the following list to help plan software deployment via Group Policy:
- To deploy applications to certain groups, create multiple GPOs and use the
Security tab to apply each GPO only to the appropriate group. Or change
the security settings for individual programs within a GPO so that only
the appropriate groups have access to the applications.
- Assign GPOs as high up in the Active Directory tree as possible. If all users
in a domain need Microsoft Word and Microsoft Excel, put those
applications in a GPO that applies to that domain, not in a separate
policy for each OU.
- Test software deployment in a lab, and use OUs to pilot software deployment
in a production network. For example, create a GPO and test it in a
single OU. If the GPO functions properly, unlink it from the OU and link
it to the appropriate domain. (Do not assign or publish the same
applications to the same users or computers in multiple GPOs.)
- Modify quotas to allow users enough disk space to install applications, and
leave room for the temporary files created during software
installations.
- Enable Group Policy Results, formerly known as Resultant Set Of Policies
(RSoP), on Windows XP Service Pack 2 clients by enabling the Windows
Firewall: Allow Remote Administration Exception Group Policy setting.
This enables you to remotely check which GPOs Windows has processed on
clients.