4. Maintaining Applications Deployed with Group Policy
After a computer has installed an application by using the
Windows Installer package specified by a GPO, the computer will not
attempt to reinstall the application at each Group Policy refresh.
There might be scenarios in which you want to force systems to
reinstall the application. For example, small changes might have been
made to the original Windows Installer package.
To redeploy an application deployed with Group Policy,
right-click the package in the GPO, point to All Tasks, and then click
Redeploy Application.
You can also upgrade an application that has been deployed with
GPSI:
- Create a package for the new version of the application in the Software Installation node of the GPO. The package can be in the same GPO as the package for the previous version or in any other GPO.
- Right-click the package and click Properties.
- On the Upgrades tab, click Add. The Add Upgrade Package dialog box appears, shown in Figure 2.
- Select whether the package for the previous version of the application is in the current GPO or in another GPO. If the previous package is in another GPO, click Browse to select that GPO.
- Select the package from the Package To Upgrade list.
- Based on your knowledge of the application’s upgrade behavior, choose one of the following upgrade options at the bottom of the dialog box shown in Figure 2:
  - Uninstall The Existing Package, Then Install The Upgrade Package
  - Package Can Upgrade Over The Existing Package
- Click OK.
You can also remove an application that was deployed with GPSI:
- Right-click the package, point to All Tasks, and then click Remove.
- In the Remove Software dialog box, choose one of the following two options:
  - Immediately Uninstall The Software From Users And Computers. This option, known as forced removal, causes computers to remove the application. The software installation extension removes an application when the computer restarts if the application was deployed with a package in the Computer Configuration portion of the GPO. If the package is in the User Configuration portion, the application will be uninstalled the next time the user logs on.
  - Allows Users To Continue To Use The Software, But Prevents New Installations. This setting, known as optional removal, causes the software installation extension to avoid adding the package to systems that do not yet have the package installed. Computers that had previously installed the application do not forcibly uninstall the application, so users can continue using it.
If you use one of these two options to remove software using
GPSI, it is important that you allow the settings in the GPO to propagate to all
computers within the scope of the GPO before you delete, disable, or
unlink the GPO. Clients need to receive this setting that specifies
forced or optional removal. If the GPO is deleted or no longer applied
before all clients have received this setting, the software is not
removed according to your instructions. This is particularly important
in environments with mobile users on laptop computers that might not
connect to the network on a regular basis.
If, when creating the software package, you chose the Uninstall This Application When It Falls Out Of The
Scope Of Management option, you can simply delete, disable, or unlink
the GPO and the application will be forcibly removed by all clients
that have installed the package with that setting.
When a client performs a Group Policy refresh, it tests the performance of the network
to determine whether it is connected using a slow link, defined by default as 500 kilobits per second
(kbps). Each client-side extension is configured to process Group
Policy or to skip the application of settings on a slow link. By default, GPSI does not process Group
Policy settings over a slow link because the installation of software
over a slow link could cause significant delays.
You can change the slow link policy processing behavior of each
client-side extension by using policy settings located in Computer
Configuration\Policies\Administrative Templates\System\Group Policy.
For example, you could modify the behavior of the software
installation extension so that it does process policies over a slow
link.
You can also change the connection speed threshold that
constitutes a slow link. By configuring a low threshold for the
connection speed, you can convince the client-side extensions that a
connection is not a slow link, even if it actually is. Group Policy Slow Link Detection has separate policy
settings for computer policy processing and user policy processing.
The policies are in the Administrative Templates\System\Group Policy folders in Computer Configuration and User
Configuration.
6. Understanding AppLocker
In a typical enterprise, computers are deployed with a highly
managed configuration that is based on an image of the operating
system and core applications. But, over time, the applications that
are installed on a computer drift away from the managed, well-defined
initial state. When a user logs on as a non-privileged user—when she
is not a member of the local Administrators group of her computer—her
ability to install new applications is greatly restricted, but not
entirely prevented. For example, a user can copy a self-contained
application in a single executable (.exe file) to her desktop and
launch it.
When a user installs unmanaged applications, the risk and cost
of supporting that user increases. The new applications may cause
instability or incompatibility with other applications, resulting in
increased support calls, or may introduce malware into the
environment. Additionally, a new application may not be licensed
correctly for use in your enterprise.
For these and other manageability reasons, it is best practice
to restrict program execution—to ensure that users can run only
those applications that have been vetted by the enterprise for
compatibility, security, and licensing. Windows XP and Windows Vista
featured Software Restriction Policy (SRP), with which you could
specify applications that were allowed or disallowed. But SRP was
difficult to manage effectively, because—in its best practice
configuration—an application policy was associated with the signature
of a specific executable or component. If the application was patched
or updated, the policy had to be revised to reflect the updated
signature.
Windows 7 and Windows Server 2008 R2 feature AppLocker, a more powerful, robust, and manageable
framework with which to restrict application execution. AppLocker uses
Allow rules and Deny rules, which both support exceptions. For example,
you can define a rule that allows users to run all components of the
Windows operating system, except built-in games and Registry Editor.
You could create a rule that denies users the ability to launch any
executable that is in the C:\Users folder, except ZoomIt.exe. An
enterprise typically applies a combination of Allow and Deny rules, and exceptions, to implement
application lock-down with a minimal number of rules.
As with SRP, rules can be associated with the path or hash of an
executable, but these rules can be circumvented and are difficult to
manage. AppLocker rules can also be associated with the digital
signature of a publisher, the name of a product, and the name and
versions of a file. Such rules are more flexible, more manageable, and
more secure. For example, you could define a rule that allows users to
run Adobe Reader version 9.0 or greater. Rules can also be associated
with a collection of files so that a user can launch an installer,
which itself executes related components. And rules can be applied to
users or groups so that, for example, you could allow the Finance
group to run the approved accounting software, but other users would
not be able to run the same application.
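As an added illustration that is not part of the original text, the rules described above expressed in the XML form that Group Policy and the AppLocker cmdlets import. The rule Ids, the Finance group SID, the accounting application path, the Adobe publisher and product strings, and the location of ZoomIt.exe are constructed placeholders; S-1-1-0 is the well-known SID for Everyone.

```xml
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- Allow rule with an exception: all of Windows except Registry Editor.
         S-1-1-0 is the well-known SID for Everyone. -->
    <FilePathRule Id="11111111-0000-4000-8000-000000000001"
                  Name="Allow Windows except Registry Editor" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\regedit.exe" />
      </Exceptions>
    </FilePathRule>
    <!-- Deny rule with an exception: nothing under the Users folder runs
         except ZoomIt.exe (its location under a profile is an assumption). -->
    <FilePathRule Id="11111111-0000-4000-8000-000000000002"
                  Name="Deny user-profile executables except ZoomIt" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%OSDRIVE%\Users\*" />
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%OSDRIVE%\Users\*\ZoomIt.exe" />
      </Exceptions>
    </FilePathRule>
    <!-- Publisher rule: Adobe Reader 9.0 or greater, any file name. The
         publisher and product strings are placeholders; copy the real ones
         from the signed binary (Get-AppLockerFileInformation shows them). -->
    <FilePublisherRule Id="11111111-0000-4000-8000-000000000003"
                       Name="Allow Adobe Reader 9.0 or later" Description=""
                       UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=ADOBE SYSTEMS INCORPORATED, L=SAN JOSE, S=CALIFORNIA, C=US"
                                ProductName="ADOBE READER" BinaryName="*">
          <BinaryVersionRange LowSection="9.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <!-- Group-scoped rule: only the Finance group (placeholder SID) may run
         the accounting application (placeholder path). -->
    <FilePathRule Id="11111111-0000-4000-8000-000000000004"
                  Name="Allow accounting software for Finance" Description=""
                  UserOrGroupSid="S-1-5-21-0-0-0-1234" Action="Allow">
      <Conditions>
        <FilePathCondition Path="%PROGRAMFILES%\Accounting\*" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
```

EnforcementMode is set to AuditOnly so that the policy only records, in the AppLocker event log, what it would have blocked; change it to Enabled once the audit entries show that no required application is being denied.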
Rules can be created on a computer running Windows 7
Professional, Windows 7 Ultimate, Windows 7 Enterprise, or Windows
Server 2008 R2. For Group Policy deployment of rules, you must use the
Windows Server 2008 R2 version of Group Policy Management, which can
be installed on Windows 7 by adding the Remote Server Administration
Tools (RSAT). AppLocker rules can be enforced on most editions of
Windows Server 2008 R2, Windows 7 Enterprise, or Windows 7 Ultimate.
You cannot enforce AppLocker rules on Windows 7 Professional, Windows 7
Home Premium, or any other consumer-focused edition of Windows 7. You
also cannot enforce AppLocker rules on Windows Web Server 2008 R2 or
Windows Server 2008 R2 Foundation.
Practice Managing Software with Group Policy
In this practice, you install, upgrade, and remove software,
using GPSI. You practice software management by using XML Notepad, a simple XML editor available from the
Microsoft Download Center. To perform this practice, you must
complete the following preparatory steps:
- Create a first-level OU named Groups and, within that OU, create an OU called Applications.
- In the Applications OU, create a global security group named APP_XML Notepad to represent the users and computers to which XML Notepad is deployed.
- Create a folder named Software on the C drive of SERVER01. Within that folder, create a folder named XML Notepad. Grant the APP_XML Notepad group Read And Execute permission to the XML Notepad folder. Share the Software folder with the share name Software, and grant the Everyone group the Allow Full Control share permission.
- Download XML Notepad from the Microsoft Download Center at http://www.microsoft.com/downloads/en/details.aspx?FamilyID=72d6aa49-787d-4118-ba5f-4f30fe913628. Save it to the Software\XML Notepad folder.
EXERCISE 1 Create a Software Deployment GPO
In this exercise, you create a GPO that deploys XML Notepad
to developers who require the application.
- Log on to SERVER01 as Administrator.
- Open the Group Policy Management console.
- Right-click the Group Policy Objects container and click New.
- In the Name box, type the name of the application (for example, XML Notepad), and then click OK.
- Right-click the XML Notepad GPO and click Edit.
- Expand User Configuration\Policies\Software Settings.
- Right-click Software Installation, point to New, and then click Package.
- In the File Name text box, type the network path to the software distribution folder (for example, \\server01\software\XML Notepad), and then click Open. Select the Windows Installer package (for example, XmlNotepad.msi), and then click Open.
- In the Deploy Software dialog box, select Advanced and click OK. There is a short pause while the package is created.
- On the General tab, note that the name of the package includes the version—for example, XML Notepad 2007.
- On the Deployment tab, click Assigned.
- Select the Install This Application At Logon check box.
- Select Uninstall This Application When It Falls Out Of The Scope Of Management.
- Click OK.
- Close Group Policy Management Editor.
- In the Group Policy Management console, select the XML Notepad GPO in the Group Policy Objects container.
- On the Scope tab, in the Security Filtering section, select Authenticated Users and click Remove. Click OK to confirm your action.
- Click Add.
- Type the name of the group that represents users and computers to which the application should be deployed—for example, APP_XML Notepad.
- Click OK. The GPO is now filtered to apply only to the APP_XML Notepad group. However, the GPO settings will not apply until it is linked to an OU, a site, or the domain.
- Right-click the domain, contoso.com, and click Link An Existing GPO.
- Select XML Notepad from the Group Policy Objects list and click OK.
You can optionally test the GPO by adding the Administrator account to the APP_XML Notepad group. Log off and then log on. XML Notepad is installed when you log on.
EXERCISE 2 Upgrade an Application
In this exercise, you simulate deploying an upgraded version
of XML Notepad.
- Log on to SERVER01 as Administrator.
- Open the Group Policy Management console.
- Right-click the XML Notepad GPO in the Group Policy Objects container and click Edit.
- Expand User Configuration\Policies\Software Settings.
- Right-click Software Installation, point to New, and then click Package.
- In the File Name text box, enter the network path to the software distribution folder (for example, \\server01\software\XML Notepad), and then click Open. Select the .msi file name, and then click Open. This exercise uses the existing XmlNotepad.msi file as if it is an updated version of XML Notepad.
- In the Deploy Software dialog box, select Advanced and click OK.
- On the General tab, change the name of the package to suggest that it is the next version of the application—for example, XML Notepad 2008.
- On the Deployment tab, select Assigned.
- Select the Install This Application At Logon check box.
- On the Upgrades tab, click Add.
- Select the Current Group Policy Object (GPO) option.
- In the Package To Upgrade list, select the package for the simulated earlier version—XML Notepad 2007, for example.
- Select Uninstall The Existing Package Then Install The Upgrade Package.
- Click OK.
- Click OK again. If this were an actual upgrade, the new package would upgrade the previous version of the application as clients applied the XML Notepad GPO. Because this is only a simulation of an upgrade, you can remove the simulated upgrade package.
- Select Software Installation. Right-click the package that you just created to simulate an upgrade, point to All Tasks, and then click Remove.
- In the Remove Software dialog box, select the Immediately Uninstall The Software From Users And Computers option.
- Click OK.