Activity Frequency: Ad hoc
Group Policy can be used for a wide variety of management activities, one of which is the remote delivery of software to either users or machines. It is preferable to target machines when delivering software, because users can move from system to system and thus receive an installation several times.
Software can be assigned or published through GPOs. Assigned software is automatically installed on targeted machines. Published software will appear in the Add/Remove Programs item of the Control Panel. Users can then choose to install it or not. Published software should only include products that are deemed optional in your network. All other software should be assigned. In addition, all software must be packaged in Windows Installer format. This can be done with a variety of tools, the best of which are Wise for Windows Installer (www.wise.com) or Package Studio (also from Wise Solutions Inc.), or InstallShield AdminStudio (www.installshield.com). This is one area where you don’t want to try to work with free tools because they are quite cumbersome.
To assign a software package:
1. Begin by placing the Windows Installer setup file (msi extension) in a shared folder.
2. Launch the Group Policy Management Console portion of the Global MMC.
3. Navigate to the Group Policy Objects container (Computer Management | Group Policy Management | Forest:forestname | Domains | domainname | Group Policy Objects).
4. Locate the GPO to edit or create a new GPO to edit (right-click in the right pane and select New, name it, and click OK). Since software is assigned to computers, right-click on the GPO and select User Settings Disabled from the GPO Status menu item.
5. Right-click on the GPO to edit and select Edit. This launches the GPO Editor.
6. Navigate to Software Installation (Computer Configuration | Software Settings) and right-click in the right pane to select New | Package from the context menu.
7. Navigate to the shared folder containing your package and select it. Click Open.
8. Select Assigned and click OK from the Deployment dialog box.
You can right-click on the newly created package to view its Properties and modify additional settings. For example, you may want to add a transformation file to the package (mst extension) to customize its behavior. You can also make sure it uninstalls automatically when it is no longer valid.
TIP
You can also filter software installations with security groups. This lets you assign software installations through a single GPO while targeting different systems. To target a specific group with a software installation:
1. Locate the package you want to target (GPO Editor | Computer Configuration | Software Settings | Software Installations).
2. Right-click on the package and select Properties.
3. Move to the Security tab.
4. Remove Authenticated Users and add the appropriate group (this can be a global group containing only computer accounts) with Read rights.
5. Click OK to close the Properties dialog box.
Your installation will only be installed on the targeted group, because other systems will not be able to read it in the directory.
SCRIPT CENTER
The Microsoft TechNet Script Center includes three sample scripts that help you manage software installations. The first two install or remove software and the third lets you upgrade a software installation. These scripts can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/compmgmt/default.asp?frame=true.
DC-16: GPO Management
Activity Frequency: Ad hoc
Group Policy is one of the most powerful tools in Windows Server 2003. There are more than 900 GPO settings that can be applied in a Windows Server forest. These settings control everything from the appearance of a desktop to Terminal Service settings for all users. This is why you will be working with GPOs on a regular basis.
TIP
Be careful of how many GPOs you create. Avoid using single-purpose GPOs and use GPO filters to refine their application.
1. Begin by launching the Group Policy Management Console portion of the Global MMC.
2. Navigate to the Group Policy Objects container (Computer Management | Group Policy Management | Forest:forestname | Domains | domainname | Group Policy Objects).
3. Locate the GPO to edit and right-click on it to select Edit from the context menu.
4.Perform the appropriate modification in the GPO Editor.
GPOs can be rapidly linked to any given container with the GPMC. To do so, drag and drop the GPO to the appropriate container.
GPOs can also be filtered. Two types of filters are available: security and Windows Management Instrumentation (WMI) filters. Security filters are simply access rights granted or denied to specific groups. WMI filters target specific results from a WMI query. For example, if all your portables are from Toshiba, you can use a WMI filter to target all Toshiba machines in your domain.
To apply filters to GPOs:
1. Begin by launching the Group Policy Management Console portion of the Global MMC.
2. Navigate to the Group Policy Objects container (Computer Management | Group Policy Management | Forest:forestname | Domains | domainname | Group Policy Objects).
3. Click the GPO to filter. In the right pane, add or remove security groups to filter the GPO with security.
4. To filter the GPO with a WMI query, click the drop-down list and select the appropriate filter. Answer Yes when queried by the WMI Filter dialog box. WMI filters must be created before you can apply them.
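To review how existing GPOs are filtered, the following added example (not from the book) lists each GPO's status, its WMI filter and the trustees that hold the Apply Group Policy right, and flags GPOs that still apply to Authenticated Users with no WMI filter. It assumes the GroupPolicy PowerShell module from the Remote Server Administration Tools, which is newer than the GPMC release described here, and an account that can read every GPO in the domain.

```powershell
# Added example: report the security and WMI filtering of every GPO in the domain.
# Assumes the GroupPolicy module (RSAT) is installed on the admin workstation.
Import-Module GroupPolicy

$report = foreach ($gpo in Get-GPO -All) {
    # Trustees allowed "Apply group policy" make up the GPO's security filter.
    $apply = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }

    # S-1-5-11 is the well-known SID of Authenticated Users (language independent).
    $everyone = [bool]($apply | Where-Object { $_.Trustee.Sid.Value -eq 'S-1-5-11' })

    [pscustomobject]@{
        GPO        = $gpo.DisplayName
        Status     = $gpo.GpoStatus        # for example UserSettingsDisabled
        WmiFilter  = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '(none)' }
        AppliesTo  = ($apply | ForEach-Object { $_.Trustee.Name } | Sort-Object) -join '; '
        Unfiltered = $everyone -and -not $gpo.WmiFilter
    }
}

# Full inventory, then only the GPOs that reach every authenticated account.
$report | Sort-Object GPO | Format-Table -AutoSize -Wrap
$report | Where-Object Unfiltered | Select-Object -ExpandProperty GPO
```

An unfiltered GPO is not a fault in itself; the list is a starting point for confirming that each wide-reaching GPO is meant to be one.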
WMI filters are created by right-clicking on WMI Filters and selecting New from the context menu. WMI filters are comparable to SQL queries, though they use a different language: Windows Query Language (WQL). An example of a filter for locating Toshiba laptops is:
Root\CimV2; Select * from Win32_ComputerSystem where manufacturer = "Toshiba" and (Model = "Satellite Pro 4200" OR Model = "Satellite Pro 4100")
WMI filters can be created in plaintext files and imported directly into the GPMC.
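Before attaching a WMI filter to a GPO, it helps to run its query against a few representative machines and see which ones it selects. The script below is an added example, not from the book; the computer names are hypothetical, and the model test is parenthesized so that the manufacturer condition applies to both models.

```powershell
# Added example: check which machines a WMI filter query would select.
# A WMI filter is true for a machine when its query returns at least one instance.
$Namespace = 'root\CIMv2'
$Query = 'SELECT * FROM Win32_ComputerSystem WHERE Manufacturer = "Toshiba" ' +
         'AND (Model = "Satellite Pro 4200" OR Model = "Satellite Pro 4100")'

# Hypothetical computer names; replace with machines from the target container.
$Computers = 'LAPTOP01', 'LAPTOP02', 'DESKTOP01'

$results = foreach ($computer in $Computers) {
    try {
        # What the machine reports about itself, shown next to the filter verdict.
        $cs = Get-CimInstance -ComputerName $computer -Namespace $Namespace `
                  -ClassName Win32_ComputerSystem -ErrorAction Stop
        $hits = @(Get-CimInstance -ComputerName $computer -Namespace $Namespace `
                  -Query $Query -ErrorAction Stop)
        [pscustomobject]@{
            Computer     = $computer
            Manufacturer = $cs.Manufacturer
            Model        = $cs.Model
            FilterResult = if ($hits.Count -gt 0) { 'GPO applies' } else { 'GPO filtered out' }
        }
    }
    catch {
        # Unreachable host or rejected query: record the reason instead of guessing.
        [pscustomobject]@{
            Computer     = $computer
            Manufacturer = $null
            Model        = $null
            FilterResult = "Not evaluated: $($_.Exception.Message)"
        }
    }
}

$results | Format-Table -AutoSize -Wrap
```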
Finally, three GPO commands are really useful when working with Group Policy.
To update Group Policy on an object:
gpupdate
By default, this will update both the user and computer policies on the target system, but only changed settings. Use the /force switch to reapply all policy settings. Use /? for more information.
To identify the resulting set of policies on an object:
gpresult /S computername /USER targetusername /Z
where computername is the name of the computer to verify results on and targetusername is the name of the user whose policies you want to verify. The /Z switch enables super verbose mode, giving you highly detailed information. You might want to redirect the output of this command to a file to capture all the results.
To reset either the Default Domain or the Default Domain Controller GPO to its original setting:
dcgpofix /ignoreschema
By default, this command refreshes both default policies. The /ignoreschema switch is most certainly required if you have added any schema modifications or any schema-modifying software to your network. If the schema is no longer in its default state and the switch is not used, the command will not work.