Create the GPO
With the Windows Installer package in place for an application, you're ready to create the GPO that will deploy the application. Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the domain or OU for which you want to apply the policy, and click Properties. Go to the Group Policy tab, then create a new GPO or select an existing GPO and click Edit.
The Software Settings\Software Installation policy branch, located under both the Computer Configuration and User Configuration branches, is the creation point for application deployment packages. Use the Computer Configuration branch to deploy to computers that process the GPO, and use the User Configuration branch to deploy to user accounts that process the GPO. However, understand that you can only assign applications through the Computer Configuration branch, not publish them. If you need to publish an application, create or modify the GPO in the User Configuration branch.
Before you create your first package policy, add any application categories under which you want to publish applications (these are the optional categories that will appear in users' Add or Remove Programs applet). To do so, right-click Software Installation under User Configuration and choose Properties. The General tab lets you set the default application package location, the default deployment type (publish or assign), and UI options. I discuss those settings in more detail shortly. For now, go to the Categories tab, click Add, and add the application categories.
To create a package policy, right-click the Software Installation branch under Computer Configuration or User Configuration and choose New, Package. In the Open dialog box, specify the path to the package file. In almost every case, you should use a UNC path to ensure that users will be able to access the share. Use an absolute path only if the users' local drive mapping to the share will always be the same as the server's local drive letter.
After you specify the package file path, Group Policy Editor (GPE) displays three options: Published, Assigned, and Advanced Published or Assigned. Choose one of the first two if you don't need to add transforms, configure upgrade packages, or set other advanced options when you create the policy. Choose Advanced Published or Assigned if you do need to set advanced options. You can change most of the options later, regardless of whether you choose one of the basic options or the Advanced option here. To do so, just double-click the package in the GPO to open its property sheet, which is the same one that GPE displays when you choose the Advanced option. However, if the package needs one or more transforms, choose the Advanced option and add them when you create the package policy; you can't add transforms after you've deployed a package.
The General tab now shows general information about the application and publisher. After you create the package, the only property you can change here is the package name as it will appear in GPE. Switch to the Deployment tab, which Figure 2 shows, to specify the deployment type and other deployment options. If you want the application to be installed automatically when the user attempts to open a document type that requires the application, select Auto-install this application by file extension activation. If you want to remove the application from the user's system when the GPO no longer applies to the user, such as when the user moves to a different department (and therefore falls under the scope of a different GPO), select Uninstall this application when it falls out of the scope of management. If you want to prevent the application from appearing in the Add or Remove Programs list, select Do not display this package in the Add/Remove Programs control panel. To display only basic installation information during application installation, select Basic; to display all setup information, select Maximum. Click Advanced to configure the application to ignore language during deployment or to remove an earlier version of the application not installed by Group Policy.
Use the Upgrades tab to specify packages in the current GPO or in another GPO that this package upgrades. You can make the upgrade optional or mandatory and specify whether the application should remove the existing version first or install itself on top of the existing version.
If you added application categories earlier, you can use the Categories tab to specify the categories in which the application will be listed in users' Add or Remove Programs applet. Choose an existing category and click Select to add it to the Selected Categories list for the application. You can add multiple categories for an application.
If you're creating as opposed to editing the package, you can use the Modifications tab to add transform files to the package. You can specify multiple transforms and control the order in which the transforms are applied. Finally, use the Security tab to configure permissions for the package policy. For example, you might have a subset of users that falls under the scope of the GPO but to which you don't want to make the application available. Simply remove the Read permission for these users to prevent the policy from applying to them.
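The package file path guidance earlier in this section (use a UNC path so that every client resolves the same location) can be checked before you create the package policy. The PowerShell below is an added example, not part of the original article: the function name Test-PackageSourcePath, the server name, and the sample paths are constructed for illustration, and it assumes .msi packages. The administrative-share check is an addition beyond the article's text, based on the fact that shares such as C$ and ADMIN$ are readable only by administrators by default.

```powershell
# Added example: classify candidate package source paths.
# All sample paths below are constructed; fs01.example.test is a placeholder server.
function Test-PackageSourcePath {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path = $Path; Kind = 'Unknown'; Server = $null; Share = $null
        Ok = $false; Note = ''
    }

    if ($Path -match '^\\\\([^\\]+)\\([^\\]+)\\.+\.msi$') {
        # \\server\share\...\package.msi
        $result.Kind   = 'UNC'
        $result.Server = $Matches[1]
        $result.Share  = $Matches[2]
        if ($result.Share -match '^(?:[A-Za-z]|ADMIN|IPC)\$$') {
            # C$, D$, ADMIN$, IPC$: not readable by ordinary users
            $result.Note = 'Administrative share: ordinary users cannot read it.'
        } else {
            $result.Ok = $true
        }
    }
    elseif ($Path -match '^[A-Za-z]:\\') {
        # Works only where the client maps this drive letter to the same location
        $result.Kind = 'DriveLetter'
        $result.Note = 'Resolves only where this drive letter maps to the same location.'
    }
    else {
        $result.Note = 'Not a UNC or drive-letter path to an .msi package.'
    }

    [pscustomobject]$result
}

$samples = @(
    '\\fs01.example.test\Packages\Office\pro11.msi',
    'D:\Packages\Office\pro11.msi',
    '\\fs01.example.test\D$\Packages\Office\pro11.msi',
    'Packages\pro11.msi'
)

$samples |
    ForEach-Object { Test-PackageSourcePath -Path $_ } |
    Format-Table Kind, Ok, Server, Share, Note -AutoSize
```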
Redirect User Folders
Although folder redirection isn't a necessary step, I consider it an important complement to automated OS installation and Group Policy-based application deployment to ensure a complete disaster-recovery scheme. For example, if you use RIS to deploy users' OSs, users can get a functioning computer simply by plugging a new system into the network, booting it, and following a few prompts. When users log on after the OS installation, their applications are either installed automatically (if assigned) or made available through the Add or Remove Programs applet (if published). But what about the users' documents?
If users store documents locally and a user's computer dies, the user must restore his or her documents from a local backup, if one exists. If user documents are stored on the network, you can restore them from a network backup or by using Windows 2003's Volume Shadow Copy Service (VSS). In all these cases, restoring the files will take some time and effort because the user or administrator must go hunting for the previous versions. However, if you've redirected users' folders to their home folder on a network share, neither you nor your user needs to do anything to retrieve the documents lost from the local system because the documents are still intact on the server. The user can simply log on from his or her new system, open My Documents, and find the documents right where they should be. If this feature sounds appealing and you decide to configure it, open the User Configuration\Windows Settings\Folder Redirection branch in the GPO. Right-click the My Documents folder under the branch, select Properties, then specify redirection settings for the folder in the dialog box that Figure 3 shows.
Note that the recovery scheme I've suggested doesn't address restoration of users' custom application settings. You can either employ roaming profiles or use application-centric methods and tools such as the Microsoft Office Resource Kit's Save My Settings Wizard to complete the recovery scheme and ensure that users' customized applications are intact after a recovery.
Costs and Limitations
Most of the tools and technologies you need to deploy applications with Group Policy are built into Windows 2003 and Win2K Server. Because deployment relies on Group Policy, however, only Win2K or later clients can take advantage of automated deployment. The only real capital investment (assuming you don't need to add servers to handle the distribution shares) is for a good packaging application, which won't break the bank. If you also integrate RIS into the picture, you'll likely need to spend at least some money on Preboot Execution Environment (PXE)-compliant adapters for existing systems and perhaps for server hardware.
The amount you spend on these items will likely be minimal when you compare the savings in administrative time that would otherwise be spent in setting up systems and handling disaster recovery for your users. The amount of work required up front to make policy-based application deployment happen is relatively small, and I guarantee you'll make up most of that time and expense the first time you need to deploy a new system or recover the CEO's computer after a crash.