Hello, its been awhile since i last post in this blog post. Today I will walk you through on deploying a software through MSI packaged installer to your network using Group Policy from Microsoft AD Directory Services.
Servers and Computer Involved.
ELSAL-SRV1 – Domain Controller
ElSAL-SRV3 – File Server
ELSAL-WKS1 – Client Computer
In a small office or corporate environment it is important to deploy software that will assist users on how they will do their work. In this blog post we will simulate on installing Mozilla Firefox in a Domain Environment. There are 3 ways to install MSI packaged installers in Group Policy:
Via computer, Assigned Software
Via user, Assigned Software
Via user, Published Software
In this blog post, I will walk you through deploying software via computer. There are some reasons why would you want to deploy a software via computer instead for a user. Some Software’s might have licensing issues that makes them more appropriate to be deployed on a computer rather than a user assigned or published software deployment.
The Difference between the different Software deployment:
Deployed to User, Assigned Software – Not installed until the default shortcut is opened in the Programs Folder in the Start Menu.
Deploy to User, Published Software – Not installed until initiated to be installed from the “Programs and Features > Install a program from the network” control panel of the client computer
Deploy to Computer, Assigned Software – Automatically Installed during computer boot. You cannot publish a software when you are deploying it to a Computer.
First of all, we need to have a good OU structure and planning on how we would want to deploy our software in our environment. The OU structure and deployments we are going to follow will be one of my test environment. (See below)
Notice that “C – Install Mozilla Firefox” has a single security filtering entry which is “DL_ElSalvador_Computers_Install_MozillaFirefox” This security group contains another security group called “G_ElSalvador_Computers_Install_MozillaFirefox”.
The GPO entries are prefix by C or U, this means C it is a Computer Policy and U is a User policy defined on them. The Domain Security Groups starts with DL (Domain Local Group), G (Global Group), U (Universal Group). The way I deployed my security groups are following the concept from this website http://ss64.com/nt/syntax-groups.html
Combining a good Security Group Practice, GPO naming convention and GPO Deployment makes our Software Deployment more easier for junior administrators to add computers that needs this software just as we will discuss them later in this post.
Preparing the MSI Installer:
First, we need to make the MSI available to the network as a shared file. In this case, i have downloaded the Firefox MSI Installer from an internet source at http://www.frontmotion.com/Firefox/download_firefox.htm put it in my File Server named ELSAL-SRV3 and put it on a folder named “Mozilla Firefox” in a shared folder named Installers. Now it looks like this.
Now, I am going to give everyone have read/write permission to the Installers Shared Folder so that computer or user may able to access the installer file.
Now, the installers folder is a shared folder in ELSAL-SRV3 server and can be accessed via “\\ELSAL-SRV3\Installers”
Creating and Defining the GPO Object:
Create a blank, name it “C – Install Mozilla Firefox” or name it as you desired and link the GPO to the “OU=Computers,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com” OU or to your appropriate OU.
Edit the GPO Object and go to its properties.
Since this will be a computer policy, we will be disabling the User Configuration.
Close the properties window.
Now, Navigate to the Computer Configuration > Policies > Software Settings > Software Installation.
Right Click Software Installation and Click New > Package.
A popup window should then appear asking you for the location of the MSI Package Installer. Now, if you remember what we did in the Preparing the MSI Installer section, we have made the installer available from “\\ELSAL-SRV3\Installers”, now type it in the open dialog window that popped up.
Then open Mozilla Firefox Folder then select the MSI installer for Firefox, or select the MSI installer for the software that you want to be deployed on your computer.
NOTE: It is important to know that the location of your MSI installer must be reachable/accessible by the computer account that you are going to deploy with your software with. In this case, we have already made that settings.
Then click advanced on the Deploy Software Popup window. Noticed that the Published radio button is
A properties window should then appear for the package. Go to the deployment tab.
In this case check the “Uninstall this application when it falls out of the scope of management”, this will make sure if the computer account gets relocated somewhere in the Domain that is not supposed to have Mozilla Firefox on them, Firefox is will automatically be removed without user intervention. Combining this settings with GPO Security Filtering will give us more flexibility on automating software installation via MSI.
Note that we have confured the Computer Configuration Node in the Group Policy, this means that even there is a user object in the “OU=Computers,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com” OU, only computer accounts are affected.
Preparing Security Group:
The reason why I associated security groups in Group Policy is that I prefer to give access to security groups instead to direct user accounts. I follow the best practices provided in this article http://ss64.com/nt/syntax-groups.html
I have made the ELSAL-WKS1 computer account a member of the G_ElSalvador_Computers_Install_MozillaFirefox. According to the article (link above) it is recommended to only give permission access to Domain Local Security Group. Universal Group does not really make any sense here in our post as we only have one domain. The structure i have made for my domain is I created 3 Security Groups of type Domain Local, Global, and Universal, denoted by (DL_* for Domain Local, G_* – Global, U_* – Universal).
In my domain I have
|Security Group Name||Security Group Type|
The Global Security Group is the one that has the list of the allowed computer accounts to be installed with the software that is deployed. Add the computer account to the Global Security Group.
The Global Security Group is also nested and a member of the Universal and Domain Local security Group.
Applying Security Filtering:
Now, all what we did in the article instructed above comes together in this part.
Open up your Group Policy Management Console and click the GPO that we have defined. Then click Scope.
By default, the security group that is populated on the Security Filtering is the Authenticated Users. Authenticated Users are domain objects that has been given Kerberos ticket from the Domain Controller, this includes computer accounts.
Unless you are trying to deploy this policy to all computer accounts in the
“OU=Computers,OU=El Salvador,OU=Offices,DC=limdynasty,DC=com” OU, the configuration is complete.
But in this article i have designed the GPO in tandem of Security Groups to have a granular permission.
Now, remove the authenticated users (if its not already) then click the Add button from the security filtering. A window will popup asking for the object to add in the security filtering. Type in the Domain Local security group then click ok.
Because the G_ElSalvador_Computers_Install_MozillaFirefox security group is a member of the DL_ElSalvador_Computers_Install_MozillaFirefox, members of the G_ElSalvador_Computers_Install_MozillaFirefox are also inheriting the permissions we set from DL_ElSalvador_Computers_Install_MozillaFirefox.
Now the configuration of the GPO is complete.
The advantage of this kind of settings is for junior administrators that do not have administrative privileges to modify GPO are able to deploy the software to the identified computers just by making the targeted computer a member of the G_ElSalvador_Computers_Install_MozillaFirefox security group and relocate the computer account to the OU where the GPO is deployed.
If the computer account is not a member of the required security group or a member of the security group but is not located in the correct OU, the computer account will fail to qualify to apply the GPO and the GPO will not be applied.
If the software was previously installed via GPO and for somehow you decided to either remove the required security group membership or move the computer account to another OU where the GPO is not applied. The software will be uninstalled on the computer the next time it reboots. This is because we have configured the software to “Uninstall this application when it falls out of the scope of management”. (See Creating and Defining the GPO Object Section, above)
Hope it helps,
For God and Country!