Digging Deeper into Group Policy
Now that you've been formally introduced, here's how to use group policies to install software and set security.
- By Harry Brelsford
- April 01, 2001
There's nothing more enjoyable than having a reader write an e-mail
to me and proffer feedback about a topic relating to Windows 2000. Such
was the case just the other day when I received e-mail from Robert Koppanyi
asking for more information on Group Policy. Well Robert, this column
(and next month as well on Group Policy) is for you!
So this month I delve deeper into the Group Policy depths by exploring
two of it features: the ability to install software and the set security.
Installing Software
The software installation capability is one of the cooler features of
Win2K's Group Policy even though you might not use it initially (if my
experience is any indicator). Here's what I mean. By the time you even
find Group Policy in Win2K Server, it's likely your client workstations
are up and running with the desktop applications already installed and
configured. If this is so, what's the value of the software installation
capabilities in Group Policy? That answer is simple - updates! Your fleet
of workstations may need a new application installed in the future. But
more importantly, the workstations may require services packs and hot
fixes applied to both the operating system and applications on a regular
basis. That's where the software installation side of Group Policy kicks
in. By forcing a particular service pack to be installed on your workstations,
you simplify the management of your network by having everything on the
same page or release level.
So let's jump into a step-by-step Group Policy-based software installation.
I'll install a simple application that was provided to me by the certification
team at Microsoft. To install an application using Group Policy:
- Logon to the Win2K Server machine as the Administrator.
- Click Start, Programs, Administrative Tools, Active Directory Users
and Computers.
- Right-click on a organizational unit (OU) and select Properties from
the secondary menu.
Note: You will recall last month in the March
2001 installment of Win2K Foundations that you created a OU. And you might
also recall the discussion the Group Policy can be applied to an Active
Directory Site, Domain or Organizational Unit. In this example, I apply
Group Policy to an OU, a common approach.
- Select the Group Policy tab.
- Select a Group Policy Object Link and click Edit. In my case, I have
an existing Group Policy Object Link titled "One". Note: If necessary,
click New to create a new Group Policy Object Link. You might recall
that the step-by-step for creating a Group Policy Object Link was provided
in last month's Windows 2000 Foundations column.
- The Group Policy MMC appears. In this step-by-step example, I'll apply
the Group Policy software setting to users, so click User Configuration,
Software Settings and Software installation. Your screen should look
like Figure 1.
|
Figure 1. Selecting the Software installation
option in the Group Policy MMC. |
- Right-click on the Software installation object and select New Package.
The Open dialog box appears where you will need to select the Windows
Installer package you want install. Your screen should look like Figure
2.
Note: The software installation capability
in Group Policy accepts two types of installation files for installation,
Windows Installer (.MSI) and ZAW Down-level application packages (.ZAP).
The .MSI file can be created via Windows-based scripting and some select
Resource Kits such as the Office 2000 Resource Kit. These install packages
have the effect of facilitating silent installations so the applications
(including my beloved service packs and hot fixes) will install without
user intervention.
|
Figure 2. Select an .MSI file to install via
the installer process. |
- After selecting your installer package in the Open dialog box, click
Open. If you receive the error message shown in Figure 3, you will need
to click No and return to the Open dialog box and provide a UNC path
to a shared folder on the server. If necessary, you need to share said
folder that holds the installer file. Note that you can automatically
map to the .MSI file in a UNC fashion by navigating to the .MSI file
via My Network Places in the left column of the Open Dialog box.
|
Figure 3. Error message if you attempt to implement
an installer package not using a UNC path. |
- The Deploy Software dialog box appears (see Figure 4). There are three
options to select from: Published, Assigned, or Advanced published and
assigned. Select Assigned and click OK.
Note: Publish here really means that the application
isn't automatically installed and the user need to install the application
via Add/Remove Programs in Control Panel. Assigning an application results
in the following: At logon, assuming the prerequisite conditions have
been met (that the user is the correct user to receive the installation
package), the application is advertised and installed when it is safe
to do so (after critical operating system services have started).
|
Figure 4. The Deploy Software dialog box. The
Advanced published or assigned option is really cool and, while beyond
the scope of this column, it's worth playing with on your test Win2K
Server. |
The application to be installed appears as shown in Figure 5 in the Group
Policy MMC.
|
Figure 5. Congratulations! The Windows installer
package appears in the Group Policy MMC when Software installation
is selected. |
When you logon to the Win2K Server network, assuming you're a user or
a computer in the OU that the Group Policy Object (GPO) applies to, you'll
be asked to install the application. At that time, the application installs
silently. You might also be interested in observing the properties of
the installer package properties. Simply double click the installer package
you created in the steps above. The General tab provides basic identification
information. The Deployment tab allows you to select the settings, as
shown in Figure 6. The Upgrades tab (see Figure 7) allows you to select
what existing application installation should be upgraded.
|
Figure 6. The Deployment tab allows
you to set deployment options such as Installation user interface
(Basic will show end user minimal installation progress details; Maximum
displays detailed installation progress). |
|
Figure 7. The Upgrades tab is used to manage
revisions for your installed applications. |
The Categories screen, while not as interesting visually as some of the
others, allows you to configure how the application to be installed appears
in the Add/Remove Programs in Control Panel. The Modification tab allows
you to customize the installation package (within reason). The Security
tab allows you to set the Full Control, Read and Write permissions for
the installer package.
Tip: If you head back to my February column,
you'll see some problems with Win2K Terminal Services and the assign and
publish software installation capabilities of Group Policy. Applications
accessed via Terminal Services are installed on a per-computer basis,
meaning the programs are available to any user with access to the Terminal
Services server. Terminal Services can not accept published programs,
which are published on a per-user basis. Furthermore, assigned programs
must be assigned on a per-computer basis.
Security
While security isn't as exciting a subject to me as it is to fellow columnist
Roberta Bragg (see her "Security Advisor" column each month in the print
issue and online), Group Policy is used to implement security settings.
To see the specific settings you can set, complete the following keystrokes:
- Logon to the Win2K Server machine as the Administrator.
- Click Start, Programs, Administrative Tools, Active Directory Users
and Computers.
- Right-click on a organizational unit (OU) and select Properties from
the secondary menu.
- Select the Group Policy tab.
- Select a Group Policy Object Link and click Edit. The Group Policy
MMC appears.
- Expand either the Computer Configuration object or the User Configuration
object.
- Expand the Windows Settings folder.
- Expand the Security Settings object. Your screen should look like
Figure 8.
|
Figure 8. You can observe the numerous security
settings that can be set by Group Policy. |
Roberta Bragg gives extensive coverage on security in
her December column, "The Gift of Group Policy."
Next month I'll explore Windows Settings and Administrative Templates
in Group Policy in my quest to keep readers like Robert Koppanyi and others
happy, healthy and hopefully wealthy!