2. Enabling Advanced Auditing for Directory Services Changes
You can enable advanced auditing capabilities in Windows Server 2008 with the auditpol command. The following table shows some common commands used to enable Directory Services Changes auditing.
| auditpol Commands | Comments |
|---|---|
| C:\>auditpol /set /subcategory:"directory service changes" /success:enable | Enables Directory Services Changes auditing for success events. The audit log includes the previous and new values of attributes for any Active Directory objects that are modified. |
| C:\>auditpol /set /subcategory:"directory service changes" /failure:enable | Enables Directory Services Changes auditing for failure events. |
| C:\>auditpol /set /subcategory:"directory service changes" /success:disable | Disables Directory Services Changes auditing for success events. |
| C:\>auditpol /set /subcategory:"directory service changes" /failure:disable | Disables Directory Services Changes auditing for failure events. |
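The previous and new values mentioned in the table are written to the Security log as separate records, one per value removed and one per value added. The following sketch is an added example, not part of the original text. It assumes the records are event ID 5136 entries already exported as dictionaries of their EventData fields, and pairs them by operation into one old-to-new entry. The sample events, account names, and distinguished names are constructed.

```python
from collections import defaultdict

# Operation type codes as they appear in the raw EventData of event ID 5136
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"

BOB = "CN=Bob Smith,OU=Sales,DC=example,DC=com"  # constructed DN
# Constructed sample: EventData fields of three 5136 records (two operations)
SAMPLE_EVENTS = [
    {"EventID": 5136, "OpCorrelationID": "{op-1}", "SubjectUserName": "alice",
     "ObjectDN": BOB, "AttributeLDAPDisplayName": "telephoneNumber",
     "AttributeValue": "555-0100", "OperationType": VALUE_DELETED},
    {"EventID": 5136, "OpCorrelationID": "{op-1}", "SubjectUserName": "alice",
     "ObjectDN": BOB, "AttributeLDAPDisplayName": "telephoneNumber",
     "AttributeValue": "555-0199", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "OpCorrelationID": "{op-2}", "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=example,DC=com",
     "AttributeLDAPDisplayName": "member",
     "AttributeValue": BOB, "OperationType": VALUE_ADDED},
]

def reconstruct_changes(events):
    """Merge the per-value records of each operation into one old -> new entry."""
    grouped = defaultdict(lambda: {"who": None, "old": [], "new": []})
    for ev in events:
        if ev.get("EventID") != 5136:  # keep only "object was modified" records
            continue
        key = (ev["OpCorrelationID"], ev["ObjectDN"], ev["AttributeLDAPDisplayName"])
        entry = grouped[key]
        entry["who"] = ev["SubjectUserName"]
        if ev["OperationType"] == VALUE_DELETED:
            entry["old"].append(ev["AttributeValue"])
        elif ev["OperationType"] == VALUE_ADDED:
            entry["new"].append(ev["AttributeValue"])
    # A pure addition (e.g. a new group member) has an empty "old" list
    return [{"who": e["who"], "object": dn, "attribute": attr,
             "old": e["old"], "new": e["new"]}
            for (_, dn, attr), e in grouped.items()]

if __name__ == "__main__":
    for change in reconstruct_changes(SAMPLE_EVENTS):
        print(f'{change["who"]} changed {change["attribute"]} on {change["object"]}: '
              f'{change["old"]} -> {change["new"]}')
```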
3. Deploying Applications
You can also deploy applications with Group Policy.
Advanced tools, such as Microsoft’s System Center Configuration Manager
(SCCM), give you additional capabilities such as scheduling the
deployments. However, you can use Group Policy to deploy applications
without buying SCCM.
The following table shows the primary ways that applications are deployed through a GPO.
| Method | Target | Result |
|---|---|---|
| Assign | User | Available on the user’s Start menu. The application is not installed until the user invokes the application. When the user selects the item on the Start menu or double-clicks a file with the matching extension, the application is installed. For example, if Microsoft Excel is assigned to a user, the user can double-click an .xls document and Microsoft Excel will then be installed. |
| Assign | Computer | The application is installed on the next boot of the computer. Tip: If deploying an application to laptops that might not be connected later, you can assign the application. The next time the laptop is rebooted (while connected to the domain), the application will install. |
| Publish | User | Available through the Control Panel Programs and Features. If users know to look there, they can find the application and install it. The application is installed by double-clicking on a file with the matching extension. For example, if Microsoft Excel is published to a user, the user can double-click an .xls document and it will be installed. |
Figure 3 shows the Group Policy Management Editor for the Default Domain Policy. It has the Microsoft Shared Fax Client assigned. The foreground dialog box is from the wizard assigning another application. Notice that Published is dimmed. Because you cannot publish to a computer, you cannot select the Published option.
In large enterprises with multiple sites, it’s common to deploy applications from a server in the same site. Consider Figure 4.
If you deployed the application from a single server in the Virginia
Beach site, the application would have to be deployed over the slow WAN
link to the computers in the Washington DC site.
In this situation, you create two GPOs. One GPO
deploys the application from a server in the Virginia Beach site to
computers in Virginia Beach. The second GPO deploys the application
from a server in the Washington DC site to computers in Washington DC.
The following table shows the overall steps for deploying applications to computers in the site.
| Steps | Comments |
|---|---|
| 1. | Create a share on a computer in the site. |
| 2. | Copy the application package to the share. |
| 3. | Create a GPO to deploy the application package. |
| 4. | Link the GPO to the site. |
5. Configuring Automatic Updates
A common use of Group Policy is to configure
computers to use Automatic Updates. There are several Group Policy
settings located in the Computer Configuration, Policies, Administrative Templates, System, Windows Update node.
Some of the settings are listed in the following table.
| Setting | Description |
|---|---|
| Configure Automatic Updates | When enabled, computers automatically receive updates without requiring any user intervention. |
| Specify intranet Microsoft update service location | You can use this when you set up your own Windows Server Update Services (WSUS) server to synchronize, approve, and deploy updates. Figure 5 shows this setting configured so that clients retrieve updates from a server named wsus1 in the internal network. |
| Enable client-side targeting | Specifies the target group name used to receive updates from a WSUS server. The WSUS server uses this name to determine which updates to deploy. This is valid only when the WSUS server is configured for client-side targeting. |