Managing software on client computers can be a tedious task, but
you can use Group Policy to deploy applications automatically. The
Group Policy Software Installation extension enables you to deploy
applications to computers in the domain or forest using Group Policy
and includes the capability to do the following:
Publish applications so that users can view and install
programs from the network.
Assign applications to users or computers so that the
applications are installed automatically when users need them or
on the next restart or logon.
Target applications to different groups using Group
Policy.
View the installation status using Group Policy
Results.
1. Publish or Assign Applications
To deploy an application, create or edit the appropriate GPO
and add the application’s Windows Installer package to either the
user or computer policy, depending on whether you want it to apply to
users or computers. The next time the user logs on or the computer
restarts, Active Directory applies the relevant policy to the user
or computer depending on the package settings you specify in the
GPO. Table 1
lists the GPO settings for installation actions.
Table 1. GPO settings needed for specific actions
| ACTION | SETTING REQUIRED |
|---|
| Automatically install the
application | Install This Application At
Logon |
| Add the application to a list of installable
programs in Programs And Features | Publish |
| Add a shortcut to the application in the Start
menu, and install it on first use | Assign The Application (Don’t use the Install
This Application at Logon setting.) |
An application published in Active Directory becomes available
from Programs And Features for the users to whom the GPO applies. An
assigned application, on the other hand, can be assigned to either
users or computers and is installed without any action on the user’s
part. Assigned applications appear on the Start menu and are
installed on first use, unless you specify that they should be fully
installed at the next logon.
Assign essential applications to users or computers so that
these applications are always available, and publish optional
programs to make it easy for users to find applications when they
need them. Do not assign or publish an application to both computers
and users. Table 2 summarizes the
differences between publishing and assigning applications.
Table 21-2. Outcomes when publishing vs. assigning applications
| PUBLISHED APPLICATIONS | APPLICATIONS ASSIGNED TO USERS | APPLICATIONS ASSIGNED TO
COMPUTERS |
|---|
| After deployment, when is the software
available for installation? | Immediately | After the second logon | After the second reboot |
| How is the software installed? | Through Programs And Features in Control
Panel | Automatically on first use or after the next
logon event (icons are on the Start menu or
desktop) | Automatically installed on reboot |
| Is the software installed when an associated file is
opened? | Yes | Yes | Already installed |
| Can a user remove the software? | Yes, using Programs And Features | Yes, but the software is available again after
the next logon | No, but software repairs are allowed; local
administrators can uninstall |
| Package types supported | Windows Installer and .zap files | Windows Installer | Windows installer |
2. Creating a Software Distribution Point
To deploy applications using Group Policy, first create a
software distribution point on the network that contains the setup
files for the applications. (Make sure you have appropriate licenses
for the applications.)
To create a software distribution point, use the following
steps:
Design and create a DFS or shared folder structure
for software.
Set the following NTFS permissions on the software
distribution folder. (Set the share permissions to Everyone =
Full Control to prevent conflicting file and share
permissions.)
Authenticated Users = Read and Execute
Domain Computers = Read and Execute
Administrators = Full Control
Warning:
IMPORTANT Incorrectly
set permissions are a common cause of problems when deploying software with Group Policy, so verify
that file and share permissions are set properly on the
software distribution folder.
Copy the application setup files to the folder created in
step 1, or use an administrative setup command to install the
setup files to the folder.
Consult the software manufacturer for specific instructions
and recommendations.
Note:
To publish the software distribution folder in Active Directory so that
users can find the folder when searching Active Directory for
shared folders, right-click the appropriate container in the
Active Directory Users And Computers console, choose New, select
Shared Folder, and then type the path of the DFS folder or shared
folder in the Network Path box.
