Software Deployment

What clients and servers are in your environment?

Desktop/Server OS is 2000

If you have 2000 server setup as a domain controller you should be able to deploy the applications via Group Policy. You can restrict who gets the application by grould easily.

Deploying software via Windows 2000 Active Directory and Group Policy and controlling it through group membership is definitely an option. It is a very cost effective approach for small and medium size organizations.

craig --<>.

Just a note, he already said he's not interested in the install by icon or add/remove prog so GP is kind of thrown out.

Thanks for your responses but not too sure if using AD will work in my organisation because if we install via user configuration then user has to at the very least select an icon or goto add/remove progs if we deploy via computer configurations we do not know which computer belongs to which user so cannot deploy apps accurately via that method. If the apps goes to all users ie email client then deploying via computer configuration is ok.

We have users who might only come into the office a couple of times a year this is my opportunity to download/upgrade as many apps as poss. They do however dial in via VPN but not confident about upgrading apps via a slow dialup connection.

What about SMS/Altris/LAnDesk would these products work for a 500 Laptop/Desktop NW. Could I justify the expenditure where my scripts cost zero + plus my time ??

Some of my colleagues would jump at the chance of going for SMS but is it flexible like my scripts can it deploy apps based on location. I don't write an MSI for each site - I have one MSI and call the relevant features within the logon script.

Thanks again

If you want to deploy to notebooks via dial-in connections you need a bandwidth-detection that transfers only small packages and skips large packages (they will be installed the next time the user connects to the LAN or receives a CD).

Cost-justification: You could start with a software-distribution-only solution like Empirum Configurator (approx. $25-30 per PC) if you don´t need OS-installation. The Configurator allows bandwidth-check and background-transfer for notebook-users (Offline-Depot). No need to use policies or login-scripts (but optional).

Regards,
Hendrik

Hey Craig,

Why did you delete your thread listing the steps to using a GPO to push software?

Also, I followed your steps exactly to try and push out Office2003 and I can not get it to work. Here is what I have done.

I created a new OU for testing purposes. I have 2 machines in the OU, one is 2k and one is XP. Both are fresh images. I created a Global Security Group like your directions said. I created the GPO to push Office, pointing it to my Admin Install Point on a share available to everyone, and removed authenticated users and added the members of the Global Security Group. I added the 2 machines in my test OU to the Global Security Group as well.

I followed your directions to the T, and rebooted and can not get any software to push. I have tried this with Acrobat as well as Office2003.

Can someone please help me push software via AD and GPO. There must be something small I'm missing but everything looks right to me, but no software is pushing at all.

CB

I have solved my problem and here was the issue. The source for my Office2003 Administrative Installation Point was a hidden share (\\server\software$\office2003)

After checking the event viewer of the machine that was not receiving the software, one error entry said something like "path to installation source not available. Install failed"

I created a new share on the server that is not hidden, and deployed acrobat from it fine. I think that's the issue, the hidden share causes problems, even though everyone has access to it.

A-Baum,

I apologize for removing my post; I realized that I had not read Gabby's original post very carefully, and I missed the part where Gabby indicated he/she is not interested in pushing apps out to workstations. I lost track of to whom I was replying.

There is some flexibility in the way you can configure AD/Group Policy to push apps. If you would like me to re-post the method I use most, I would be happy to do so. I cannot figure out how to get my post back from the recycle bin.

Also, you can use the granular rights of Windows 2000/2003 to restrict users from copying your install points and making themselves their own copy of Office, etc. You can also do it by giving a workstation (or the Global Group the workstation is in) read only rights to the directory, instead of a user. Therefore, the hidden share isn't needed.

craig --<>.

Craig, first of all this isn't my thread but the info you posted worked for me. If you could repost it that would help.

I do in fact want to distribute MSI packages to desktops using GPOs, unlike the original poster. Right now I have everything setup except I am having trouble giving machine accounts permissions to source files. The event viewer keeps telling me the source files are not available. When using GPOs to distribute software, it uses the machine account to do so. I don't know where to set the permissions. When I look at everything, it looks fine but I am just running into this one snag. Any help is greatly appreciated, as is your help thus far. Thanks,

Charlie

A-Baum,

Again, my apologies for losing track of who is who in the thread.

I reviewed my steps, and here they are with a little more detail:

1. Open Active Directory
2. Create a new Global Security Group – let’s call it WinZip 8.1
3. In AD, right click on the “Computers” Organizational Unit, or whatever OU your have your computers under (I usually create one called “Managed Computers”, but it’s a matter of preference)
4. Choose “Properties” from the menu
5. Choose the “Group Policy” tab
6. Create a new Group Policy, and give it a meaningful name
7. Highlight the new GP, and select “Edit” button
8. In the “Group Policy Object Editor”, expand “Computer Configuration”, then expand “Software Settings”
9. Right click on “Software installation”, then choose “new” from the menu
10. Proceed with defining the UNC path to your .msi package (Note: if you do not have DFS setup, now is an excellent time to stop and do so. It will make your installation point portable/moveable on your network).
11. On the “deploy software” dialogue box, choose “Advanced” as the method
12. In the Properties dialogue box for the application, choose the security tab
13. In security, remove “Authenticated Users” (otherwise, the app will install for everyone and everywhere), and add the WinZip 8.1 Global Security Group you created in step 2. Give it the default Read Only rights
14. Add the target computer to the WinZip Global Security group.

Allow Group Policy enough time to refresh, or force a refresh. If the target machine is XP, use “gpupdate” from the command line. If it is Win 2000, use “secedit /refreshpolicy machine_policy

If XP Fastlogon is enabled, it may take two reboots for the app to come down.

Happy to help. Let me know.

craig --<>.

Thanks for the post Craig.

I have one major problem though, I can't get the machine account to have access to my admin share. I have added it to a security group, and have given the security group read access to the share, but event viewer gives me an error that the installation source is not available.

The software install policy begins as soon as the machine boots up correct? Not when someone logs in? So you need to give the machine account access to the share, which I believe would be done using the security group, but I still get the error. When I log into the machine as a local admin and try to access the share, I get prompted for a password, which is the root of my problem with the GPO. In a 2k AD, giving EVERYONE access to a share is the same as authenticated users, there is no EVERYONE like there was in an NT domain. If you can't give machine account access to a share in a 2kAD, how does a GPO work? What am I missing here? Thanks a lot for your help,

Charlie

It definitely sounds like some sort of permissions issue. To troubleshoot this, I would create a new, non-hidden "test" share, leaving the default "full/everyone" share permissions. Copy an app in there, but don't set any NTFS permissions that folder to start. Define a new software package in AD using the that test share. Restrict the rights to that software package/Group Policy Object as I outlined previously. Also make sure that you are using a UNC path to the .msi, and not a drive letter.

I saw a similar problem once before. It may not apply in this case, but it was caused by someone over-tightening security on the installation point share; he had removed the "full-everyone" share permissions, instead of leaving it and letting the NTFS permissions on the child objects control security. When a machine would start up and try to install the app, the screen would flicker, the floppy would chatter, and the deploy would just suddenly quit. The event viewer would indicate that access to the files was denied.

If you can get it to work, you can then start tightening the security on the share and retesting. It definitely is possible to give a machine account - rather than a user account - access to a share. It is something I use on a regular basis.

craig --<>.

Ok well I have narrowed my problem down.

I gave the computer read access to the folder where my share is located. The software install worked fine.

The thing that isn't working is that security group. When I add the machine to the security group and then give the security group read access to the share, it fails. But it works when I simply give the machine itself read access.

Why is my security group failing?

Hmmmmmm. I would recreate the Global Group, making sure that it is setup as a Security Group (which should be the default) and not a Distribution Group. Re-add the computer's account to the Group. Then go back into AD and redefine (delete/re-add)that group as having permissions to the Group Policy Object for the software. Then go in to the NTFS perms on the folder that holds the .msi you wish to deploy, and redefine the Global Group's rights. To be extra sure, make sure all child objects in the folder re-inherit those rights from the parent.

craig --<>.

Well I got it. I don't know how. I blew away my security group, blew away the GPO, and removed the group's rights from the share source and everywhere else. I waited 20 minutes for everything to replicate through our 8 DCs.

I redid everything and I successfully installed Acrobat. Event viewer shows no red. A blessing. Thanks for your help Craig, I really appreciate it.

Happy to help. Don't let this shake your confidence in AD/GP deployment. It's usually not this much of a struggle.

craig --<>.

**I work for New Boundary Technologies**

Gabby...Prism Deploy may provide you with the functionality your looking for. Prism Deploy allows you to easily create "Configuration Groups". Configuration Groups are dynamic groupings of computers based on hardware, software, and network criteria that you specify. As computers meet the defined criteria, they will receive any packages you have previously distributed, or any new ones you send out. The packages (pwc. exe or msi) can be installed silently if you prefer. No end-user intervention is required.

For more info you can download a free evaluation copy at http://www.newboundary.com/products/prismdeploy/prismdeploy_info.htm

I hope this helps your investigation process. My post is not intended to be a "sales" type post. Based on your post I thought you might like to be aware of one alternative.

Don't know if this will help, but I deploy an app to a specific group using AD login scripts and the IfMember.exe MS Resource Kit Tool, for example:

[BEGIN]
%windir%\ifmember.exe "Group"
if ERRORLEVEL 1 goto installapp
goto noinstallapp

:installapp
msiexec /qb!- /i"\\path\software.msi" REBOOT="ReallySuppress"
:noinstallapp

[END]

IfMember will need to be placed on the local workstations ahead of time (or you can call it right from the domain controller if you've got a decent network - its a tiny app), and of course, users will need appropriate rights to install many apps.

The MS download site for IfMember is here: http://www.microsoft.com/downloads/details.aspx?FamilyID=07c2f6d7-815e-4fa0-9043-4e4635ccd417&DisplayLang=en

One more note of caution - be sure that the members of the group you want to get this app don't log into any machines you don't want the app installed on (Terminal Server, etc), because a user-level login script will execute wherever they log in.

Good Luck,
Dave

OH! I almost forgot the most important part!

To keep msiexec from trying to install the app every time, you need to find a file belonging to the app that will ONLY exist if the app is installed (IE WINWORD.EXE)

Then, change the msiexec command to something like:

IF NOT EXIST "%programfiles%\Microsoft Office\Office\WinWord.exe" msiexec /qb!- /i"\\path\software.msi" REBOOT="ReallySuppress"

Note: I used MSOffice/Word for this example, but I haven't actually tested it against this exact application. In fact, the app I install is the Access 2000 Runtime, and the file I look for is a cached file in %WINDIR%\Installer\{00180409-78E1-11D2-B60F-006097C998E7}\accicons.exe