Deploying Software via Group Policy

Hello, it's been a while since I last posted on this blog. Today I will walk you through deploying software packaged as an MSI installer to your network using Group Policy in Microsoft Active Directory Domain Services.

Servers and Computers Involved:

ELSAL-SRV1 – Domain Controller
ELSAL-SRV3 – File Server
ELSAL-WKS1 – Client Computer

Introduction:

In a small office or corporate environment, it is important to deploy the software that users need to do their work. In this blog post we will simulate installing Mozilla Firefox in a domain environment. There are 3 ways to install MSI packaged installers through Group Policy:

  1. Via computer, Assigned Software
  2. Via user, Assigned Software
  3. Via user, Published Software

In this blog post, I will walk you through deploying software via computer. There are reasons why you might want to deploy software to a computer instead of to a user. Some software has licensing issues that make it more appropriate to deploy to a computer than as a user-assigned or published software deployment.

The difference between the software deployment types:

Deploy to User, Assigned Software – Not installed until the default shortcut is opened in the Programs folder in the Start Menu.

Deploy to User, Published Software – Not installed until the user initiates the installation from the “Programs and Features > Install a program from the network” control panel of the client computer.

Deploy to Computer, Assigned Software – Automatically installed during computer boot. You cannot publish software when you are deploying it to a computer.

The Procedure:

First of all, we need a good OU structure and a plan for how we want to deploy software in our environment. The OU structure and deployments we are going to follow come from one of my test environments. (See below)

image

Notice that “C – Install Mozilla Firefox” has a single security filtering entry, which is “DL_ElSalvador_Computers_Install_MozillaFirefox”. This security group contains another security group called “G_ElSalvador_Computers_Install_MozillaFirefox”.

The GPO names are prefixed with C or U: C means a Computer policy and U means a User policy is defined in them. The domain security group names start with DL (Domain Local Group), G (Global Group) or U (Universal Group). My security groups follow the concept described at http://ss64.com/nt/syntax-groups.html

Combining good security group practice, a GPO naming convention and GPO deployment makes it easier for junior administrators to add computers that need this software, as we will discuss later in this post.

Preparing the MSI Installer:

First, we need to make the MSI available on the network as a shared file. In this case, I downloaded the Firefox MSI installer from an internet source at http://www.frontmotion.com/Firefox/download_firefox.htm and put it on my file server, ELSAL-SRV3, in a folder named “Mozilla Firefox” inside a shared folder named Installers. Now it looks like this.

image

Now, I am going to give Everyone read/write permission on the Installers shared folder so that a computer or user is able to access the installer file.

Now the Installers folder is shared from the ELSAL-SRV3 server and can be accessed via “\\ELSAL-SRV3\Installers”.
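Packages assigned to computers are installed at startup under the Local System account, so whoever can write to this share decides what gets installed on every targeted machine. The following added example (not part of the original post) lists the principals that hold more than read access on the share and on its root folder; the allow-list in `$ExpectedWriters` and the function name are assumptions made for this example.

```powershell
# Added example: list principals that can modify packages in the Installers share.
# Run in an elevated session on the file server (ELSAL-SRV3 in the post).
# Assumption: $ExpectedWriters is an allow-list chosen for this example.
$ShareName       = 'Installers'
$ExpectedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-InstallerShareWriter {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string[]] $Allowed = @()
    )
    $share = Get-SmbShare -Name $Name -ErrorAction Stop

    # Share-level entries that allow anything beyond Read (Change, Full, Custom).
    $shareHits = Get-SmbShareAccess -Name $Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.AccessRight -ne 'Read' -and
                       $_.AccountName -notin $Allowed } |
        ForEach-Object { [pscustomobject]@{ Layer = 'Share'; Principal = $_.AccountName
                                            Rights = "$($_.AccessRight)" } }

    # NTFS bits that let a principal alter or replace a file. Read/execute bits
    # are left out so read-only entries do not match; 0x50000000 covers the raw
    # GENERIC_ALL and GENERIC_WRITE values that inherit-only entries can carry.
    $writeBits = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = ([int][System.Security.AccessControl.FileSystemRights]$writeBits) -bor 0x50000000

    $ntfsHits = (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -notin $Allowed -and
                       ([int]$_.FileSystemRights -band $mask) -ne 0 } |
        ForEach-Object { [pscustomobject]@{ Layer = 'NTFS'; Principal = $_.IdentityReference.Value
                                            Rights = "$($_.FileSystemRights)" } }

    @($shareHits) + @($ntfsHits)
}

$hits = Get-InstallerShareWriter -Name $ShareName -Allowed $ExpectedWriters
if ($hits) { $hits | Format-Table -AutoSize } else { 'No unexpected write access on the share.' }
```

With the permissions described above, the Everyone entry shows up in the output; clients only need read access to install the package.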

Creating and Defining the GPO Object:

Create a blank GPO, name it “C – Install Mozilla Firefox” or any name you like, and link the GPO to the “OU=Computers,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com” OU or to your appropriate OU.

Edit the GPO Object and go to its properties.

Since this will be a computer policy, we will be disabling the User Configuration.

Close the properties window.

Now, navigate to Computer Configuration > Policies > Software Settings > Software Installation.

Right-click Software Installation and click New > Package.

A popup window should then appear asking you for the location of the MSI package installer. If you remember what we did in the Preparing the MSI Installer section, we made the installer available from “\\ELSAL-SRV3\Installers”, so type that path into the Open dialog window that popped up.

Then open the Mozilla Firefox folder and select the MSI installer for Firefox, or select the MSI installer for the software that you want to deploy to your computers.

NOTE: The location of your MSI installer must be reachable/accessible by the computer account that you are going to deploy your software to. In this case, we have already made those settings.

Then click Advanced in the Deploy Software popup window. Notice that the Published radio button is

A properties window should then appear for the package. Go to the deployment tab.

In this case, check “Uninstall this application when it falls out of the scope of management”. This makes sure that if the computer account gets relocated somewhere in the domain that is not supposed to have Mozilla Firefox, Firefox will automatically be removed without user intervention. Combining this setting with GPO Security Filtering gives us more flexibility in automating software installation via MSI.

Note that we have configured the Computer Configuration node in the Group Policy. This means that even if there is a user object in the “OU=Computers,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com” OU, only computer accounts are affected.

Preparing Security Group:

The reason I associate security groups with Group Policy is that I prefer to give access to security groups instead of directly to user accounts. I follow the best practices provided in this article: http://ss64.com/nt/syntax-groups.html

I have made the ELSAL-WKS1 computer account a member of G_ElSalvador_Computers_Install_MozillaFirefox. According to the article (link above), it is recommended to give permissions only to Domain Local security groups. A Universal group does not really make sense in this post as we only have one domain. The structure I have made for my domain is 3 security groups of type Domain Local, Global and Universal, denoted by DL_* for Domain Local, G_* for Global and U_* for Universal.

In my domain I have

Security Group Name                               Security Group Type
G_ElSalvador_Computers_Install_MozillaFirefox     Global
U_ElSalvador_Computers_Install_MozillaFirefox     Universal
DL_ElSalvador_Computers_Install_MozillaFirefox    Domain Local

The Global Security Group is the one that holds the list of computer accounts allowed to have the deployed software installed. Add the computer account to the Global Security Group.

The Global Security Group is also nested as a member of the Universal and Domain Local security groups.

Applying Security Filtering:

Now, everything we did in the sections above comes together in this part.

Open up your Group Policy Management Console and click the GPO that we have defined. Then click Scope.

By default, the security group that is populated in the Security Filtering is Authenticated Users. Authenticated Users are domain objects that have been given a Kerberos ticket by the Domain Controller; this includes computer accounts.

If you are trying to deploy this policy to all computer accounts in the “OU=Computers,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com” OU, the configuration is complete.

But in this article I have designed the GPO in tandem with security groups to get granular permissions.

Now, remove Authenticated Users (if it is not already removed), then click the Add button in the Security Filtering. A window will pop up asking for the object to add to the security filtering. Type in the Domain Local security group, then click OK.

Because the G_ElSalvador_Computers_Install_MozillaFirefox security group is a member of the DL_ElSalvador_Computers_Install_MozillaFirefox, members of the G_ElSalvador_Computers_Install_MozillaFirefox are also inheriting the permissions we set from DL_ElSalvador_Computers_Install_MozillaFirefox.

Now the configuration of the GPO is complete.
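The group, link and filtering steps above can also be scripted. This is an added example, not part of the original post; it assumes the ActiveDirectory and GroupPolicy modules (RSAT), creates the groups in the default container, and writes the GPO name with a plain hyphen. The MSI package itself is still added in the GPO editor as described earlier.

```powershell
# Added example: groups, nesting, GPO link and security filtering from the post.
# Assumptions: run as an account allowed to create groups and GPOs; groups land
# in the default container; adjust $GpoName to the exact name of your GPO.
Import-Module ActiveDirectory, GroupPolicy

$Suffix   = 'ElSalvador_Computers_Install_MozillaFirefox'
$GpoName  = 'C - Install Mozilla Firefox'
$TargetOU = 'OU=Computers,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com'

# 1. One group per scope: G_ (Global), U_ (Universal), DL_ (Domain Local).
$scopes = [ordered]@{ G = 'Global'; U = 'Universal'; DL = 'DomainLocal' }
foreach ($prefix in $scopes.Keys) {
    New-ADGroup -Name "${prefix}_$Suffix" -GroupScope $scopes[$prefix] -GroupCategory Security
}

# 2. Nest the Global group inside the Universal and Domain Local groups.
Add-ADGroupMember -Identity "U_$Suffix"  -Members "G_$Suffix"
Add-ADGroupMember -Identity "DL_$Suffix" -Members "G_$Suffix"

# 3. Computer accounts go into the Global group only.
Add-ADGroupMember -Identity "G_$Suffix" -Members (Get-ADComputer -Identity 'ELSAL-WKS1')

# 4. Create the GPO, disable its User Configuration half, link it to the OU.
$gpo = New-GPO -Name $GpoName
$gpo.GpoStatus = 'UserSettingsDisabled'
New-GPLink -Name $GpoName -Target $TargetOU | Out-Null

# 5. Security filtering: the Domain Local group gets Read + Apply,
#    and the default Authenticated Users entry is removed.
Set-GPPermission -Name $GpoName -TargetName "DL_$Suffix" -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel None -Replace | Out-Null

# Show the resulting permissions for review.
Get-GPPermission -Name $GpoName -All | Select-Object Trustee, Permission
```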

Conclusion:

The advantage of this kind of setup is that junior administrators who do not have administrative privileges to modify GPOs are able to deploy the software to the identified computers just by making the targeted computer a member of the G_ElSalvador_Computers_Install_MozillaFirefox security group and relocating the computer account to the OU where the GPO is deployed.

If the computer account is not a member of the required security group or a member of the security group but is not located in the correct OU, the computer account will fail to qualify to apply the GPO and the GPO will not be applied.

If the software was previously installed via GPO and you later decide to either remove the required security group membership or move the computer account to another OU where the GPO is not applied, the software will be uninstalled from the computer the next time it reboots. This is because we have configured the software to “Uninstall this application when it falls out of the scope of management”. (See the Creating and Defining the GPO Object section, above)
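Because falling out of scope uninstalls the software, it helps to check both conditions before moving an account or changing group membership. This added example (not part of the original post) tests them for one computer; the function name is made up for the example, and it assumes the GPO link is enabled and that no blocked inheritance or WMI filter is involved.

```powershell
# Added example: check the two conditions the post's GPO needs before it applies.
# Requires the ActiveDirectory module (RSAT). OU and group names are from the post.
Import-Module ActiveDirectory

$LinkedOU    = 'OU=Computers,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com'
$FilterGroup = 'DL_ElSalvador_Computers_Install_MozillaFirefox'

function Test-FirefoxGpoScope {
    param([Parameter(Mandatory)] [string] $ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName

    # Condition 1: the account sits in the linked OU or one of its child OUs.
    $inOU = $computer.DistinguishedName.EndsWith(",$LinkedOU",
                [System.StringComparison]::OrdinalIgnoreCase)

    # Condition 2: membership of the filter group, resolved through the nesting
    # (computer -> G_ group -> DL_ group). -Recursive returns only leaf members.
    $inGroup = @(Get-ADGroupMember -Identity $FilterGroup -Recursive |
                 Where-Object { $_.DistinguishedName -eq $computer.DistinguishedName }
               ).Count -gt 0

    [pscustomobject]@{
        Computer      = $computer.Name
        InLinkedOU    = $inOU
        InFilterGroup = $inGroup
        GpoApplies    = $inOU -and $inGroup
    }
}

Test-FirefoxGpoScope -ComputerName 'ELSAL-WKS1'
```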

Hope it helps,

For God and Country!

2 thoughts on “Deploying Software via Group Policy”

  1. Hello,

    I use samba4 as ADDC. I also have a fileserver that is a member of ADDC.

    I am trying to use a shared folder on my fileserver for software installation via “deploy” on computer scope, but at first it is not working. I gave permission to share to everyone and in the security tab I left Everyone as Read & Execute, List folders … and Read, but it still does not install.

    I also tried to install via user scope, but also did not install. Can you help me?

    • Hi Elias,

      I am not familiar with Samba. It looks like your security permission is good, but can you also try to change the share permission to read & write? If that still doesn’t work, can you look into the event logs of a computer that is not installing the software via GPO? Maybe we can get more information from there on why it is not installing.

      By the way, what software are you trying to install via GPO?
      Can you also issue “gpresult” on the computer you want to be affected by the GPO and make sure that it is inheriting the GPO you wanted?
