Jason Zandri's latest article in the Learn Active Directory Design and Administration in 15 Minutes a Week series covers some of the Windows 2000 Server Software Management Tools for handling the deployment and management of software through Group Policy.
by Jason Zandri
Welcome to the tenth installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed
at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This
installment is going to cover some of the Windows 2000 Server Software Management Tools for handling the deployment
and management of software through Group Policy. This week
is going to focus on Software Installation Mechanics and
assigning and publishing software to users and computers.
Administrators can use Software Installation and Active
Directory Group Policy to centrally manage their network's
initial deployment of software, all of its upgrades,
patches, and quick fixes for the deployed software. You can
update a version of the software, replace it and even
totally remove it from systems using Software Installation
and Active Directory Group Policy.
Software Installation settings allow you to ASSIGN software to
users or to computers. When applications are assigned to
users they are advertised to the user the next time he or
she logs on to a workstation, regardless of which
workstation that user logs in to because the software is
assigned to their account. The assigned application is
installed on the system the first time the user activates
the application on the computer (e.g. selecting the ICON
from the Start Menu, desktop or Quick Launch Menu) or by
attempting to access a file associated with the application
to be installed by assignment (e.g. double clicking on a
spreadsheet would cause Excel to be installed due to
assignment if it wasn't present on the system).
When you ASSIGN an application to a computer, the application is
advertised to the local system, and the installation begins
when the computer is first powered up by default.
Software Installation settings allow you to PUBLISH
applications to users only. Computers cannot have
applications published to them. When applications are
published to users, the application shortcuts are not
available on the Start Menu, desktop or Quick Launch Menu by
default. The published application is available for users to
install using Add/Remove Programs in Control Panel
or by attempting to access a file associated
with the application (e.g. double clicking on a spreadsheet
would cause Excel to be installed if it wasn't present on
Software Installation Mechanics
Software Installation uses the Windows Installer, an operating system
service that installs, modifies, and removes system software
using information in the Windows Installer package. Windows
Installer packages are information databases that describe
the installed state of a given application.
It is the
Windows Installer that uses the information in those
packages to detect and self-repair applications when certain
program files are deleted or damaged.
and Software writers produce the Windows Installer packages
(.MSI files) to work in conjunction with their software.
Some applications, mostly older, but a few more recent ones
as well, are not shipped with Windows Installer packages, which can be an issue because you can only deploy software
using the Software Installation extension if:
- Native Windows Installer packages (.MSI files) are
developed as a part of the application.
- Repackaged applications (.MSI files) can be used in
the situation where you do not have a native Windows
- An existing setup (SETUP.EXE) program packaged as part
of .ZAP files installs the application by using the
original SETUP.EXE program.
of software installations (transforms) allow you to add or
subtract options and configurations for a software
installation. When modifications are made to customize the
installation of a Windows Installer package, they are saved
with the .MST file extension. Other files you may encounter
during Software Installation are:
- Patch (.MSP) files are used for bug fixes, service
packs, service releases, etc.
- Application assignment scripts (.AAS files) hold the
advertisement information about the application
a software installation, some of the key things you are
going to want to remember and consider are that you are
going to want to look over your network's software
requirements and create OUs based on software management
needs to assist you in figuring out how you want to deploy
your applications using Group Policy.
Run a series
of tests on all of the Windows Installer packages, transform
files and patch files to root out as many bugs in the
process and as many issues as possible before putting
together a pilot test.
Once testing is done, you can create a pilot deployment to test
how you want to assign or publish software to users or
computers and then assemble key people from across your rollout
area (the entire Enterprise if you are going globally
with it) so that they can provide feedback to you on your
design, deployment, etc.
When possible, deploy multiple applications with a single GPO.
This gives Administrators the ability to create and
manage a single GPO rather than multiple GPOs. The logon
process is faster because a single GPO deploying multiple
applications processes faster than multiple GPOs each
deploying a single application. This is executed best in
situations where users share the same core set of
applications; for example, Microsoft Office and an
Best practices dictate that you should publish or assign any
single application only once in the same GPO or a series of
GPOs that might apply to a single user or computer because
it will make it easier to determine which GPO is the
mitigating instance of the software as it applies to the
user or computer.
Licensing is handled separately from this deployment process,
and it is still up to the network Administration team to
assess the number of users who have the software installed
via Group Policy against the number of licenses you have
Software Distribution Points
Software Distribution Points are network locations where the software
is located so that when users or systems have software
published or assigned through group policy, they can access
it from these locations.
Software Distribution Points are created when you set up distribution
folders on a network file server and share them out
(\\<SERVERNAME>\<SHARENAME>). Once this is done, you can copy
all of the applicable software and software packages, any
modifications, and any other necessary files, to the SDP.
The permission needed so that users and computers can access and
install the software is READ, and this is the maximum that
should be set for regular users.
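The READ-only rule above can be checked rather than assumed. The following PowerShell function is an added example, not part of the original article: it lists ACL entries on a distribution folder that allow anything beyond read and execute to principals outside a trusted list. The function name, the trusted list and the sample path are assumptions; PowerShell postdates Windows 2000, so run it from a current management host.

```powershell
# Added example (not from the original article). Test-SdpAcl is a hypothetical
# helper name; the trusted principals are an assumption to adjust per domain.
function Test-SdpAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $TrustedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )

    $rights = [System.Security.AccessControl.FileSystemRights]
    # Specific rights a package consumer needs: read, execute, synchronize.
    $allowed = [int]$rights::ReadAndExecute -bor [int]$rights::Synchronize
    # Inherit-only ACEs may carry generic bits instead:
    # GENERIC_READ (0x80000000) and GENERIC_EXECUTE (0x20000000).
    $allowed = $allowed -bor [int]::MinValue -bor 0x20000000

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($TrustedPrincipals -contains $who) { continue }

        # Any bit outside the allowed mask is more than READ.
        $excess = [int]$ace.FileSystemRights -band (-bnot $allowed)
        if ($excess -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the share root and every package folder beneath it.
# \\SERVER01\Software is a placeholder for \\<SERVERNAME>\<SHARENAME>.
$sdp = '\\SERVER01\Software'
@($sdp) + (Get-ChildItem -LiteralPath $sdp -Directory -Recurse).FullName |
    Where-Object { $_ } |
    ForEach-Object { Test-SdpAcl -Path $_ }
```

This inspects NTFS ACLs only. Share-level permissions are evaluated separately, and the effective access is the more restrictive of the two, so review both.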
settings for software installation pertain only to the
application installation process itself.
This is done
by opening the GPO and going to either the Computer or User
Configuration section, depending on where it is located.
From here you would go to the Software Installation node
under Software Settings and right-click the application in
the details pane (right hand side) where you want to specify
software installation permissions, and then click Properties
to get to the property page.
On the Security tab of the application's Properties dialog box,
click on whichever security group you need to in order to
The permission needed so that users and computers can access and
install the software is READ/ALLOW, and this is the maximum
that should be set for authenticated users.
Software Installation and Maintenance
GPOs can be
configured from the General tab of the Software Installation
Properties dialog box, with specific settings that affect
the installation, maintenance and any subsequent removal of
Group Policy deployed applications.
To do this
the Administrator would open
the Group Policy snap-in and open the Software Settings in
Computer or User Configuration section. (This would depend
on whether it was a Computer or User deployment.)
You would right-click the Software Installation node and select
Properties, which would bring you to the Software
Installation Properties dialog box, shown below.
On the General tab of the Software Installation Properties dialog
box, you would enter the path to the Software Distribution
Point for any necessary MSI files in the Default Package
Location box. If you don't know the full path, you can use
the Browse button.
Below the Default Package Location field is the New Packages
section of the Software Installation Properties. Here you
will need to select one of the following options:
- Display The Deploy Software Dialog Box to
specify that when you add a new package, the Deploy
Software dialog box will display, allowing you to assign,
publish, or configure package properties.
- Publish is used to specify that when a new
package is added it is to be published with standard
package properties. Packages can only be published to
users, not computers, and this is why under the Computer
Configuration node of the Group Policy snap-in the Publish
option is grayed out.
- Assign is used to specify that when you add a
new package it is to be assigned with standard package
properties. Packages can be assigned to both users and
- Advanced Published Or Assigned is used to
specify that when you add a new package, the Configure
Package Properties form should appear.
In the Installation User Interface Options section you will need to
select one of the following:
- Basic to provide only a basic display of the
- Maximum to provide all installation messages
and screens during the package installation.
Select the "Uninstall The Applications When They Fall Out Of The Scope
Of Management" check box to specify that the software should
be removed when the GPO no longer applies to users or
Click OK to
close out the properties sheet.
Well, that wraps up this section
of Learn Active Directory Design and Administration in 15
Minutes a Week covering Windows 2000 Server Software
Management Tools for handling the deployment and management
of software through Group Policy. I hope
you found it informative and will return for the next
installment. Next week is going to
focus on Deploying Software and Software Maintenance.
If you have any questions, comments or
even constructive criticism, please feel free to drop me a
I want to write good, solid technical
articles that appeal to a large range of readers and skill
levels and I can only be sure of that through your feedback.
Until then, best of luck in your
studies and remember,
have yet to figure out what happened to Preparations A
This article was originally published on Thursday Jul 18th 2002