Joseph Moody

More Advanced Deployments with Group Policy Software Installation

09 May 2013

Group Policy Software Installation (GPSI) allows for a high level of control on what can be installed where on a group of computers based on the user. In this article Joseph Moody walks you through the steps to create pre-approved software lists for users to install, and upgrade and uninstall that software.

There is more to Group Policy Software Installation (GPSI) than meets the eye! In our previous article on software deployment, we walked through the process of extracting, linking and deploying our sample application (7-Zip). But what if you, as an administrator, wanted to do more than a simple installation for one or more computers within the domain? What if you wanted to allow your users to install their own approved applications? Or daisy chain complex upgrades? Without even purchasing a 3rd party product or extension, GPSI can handle nearly any advanced installation task faced by an administrator in installing and upgrading applications to the domain users.

Software on Demand

The vast majority of the time, software is assigned to a computer. If you are deploying, let’s say Java, pretty much every user on the computer will use it. Sometimes, certain software will be used by specific users on a computer. Some software might only be used during certain times of a year (or on a special occasion). For software like this, it can be advantageous to allow the user to install the software when it is needed instead of contacting the IT department. As an example, we are going to allow our users to install 7Zip. We will be working in the Group Policy Management Console (GPMC). Our Group Policy Object (GPO) will be APP_7Zip 9.3.

Putting the file into Group Policy

To do this, you will need to deploy the software under User Configuration/Policies/Software Settings/Software Installation.


Publishing or Assigned?

When you deploy an application to the user, you will notice that the Published option is no longer greyed out. And although you can still assign software, you have additional configurations available there as well.

Selecting whether the software is published or assigned

When you publish an application, GPSI will add that application to the list of available network programs within Programs and Features (or Add/Remove Programs). When users need that application, they can install it themselves.

Assigning an application can work in one of two ways. The first way functions in the same manner as an assigned computer-side application; the application is literally installed by the system when the user logs on. You are likely to choose this option for only the smallest and simplest of programs because otherwise you are likely to get complaints if a user has to wait on a 1GB program to install. The second method installs only the application’s shortcuts (Desktop or Start Menu). When a user clicks on the shortcut, the rest of the application is installed.

A Publishing Walkthrough

Because publishing is such an underused (but powerful) feature in GPSI, we are going to walk through a sample publishing of 7Zip. At times, we think of software as belonging only to a computer. After all, it is installed in Program Files. When using GPSI, you will normally have your application GPO linked to an organizational unit (OU) containing your computer. Because publishing an application takes place under User Configuration, you will need to ensure that your application GPO is linked to an OU containing users. In the picture below, you can see that our GPO is linked to the HR Department OU. This OU is under Domain Users.

The Organization Unit

In your GPO, navigate to ‘User Configuration/Policies/Software Settings/Software Installation’; add your MSI and select ‘Published’ as the installation method.

The deployment method is Published

With the MSI added, you will notice that it has a unique icon. Instead of the normal lock (you must have this application) icon, you will have a paper (here – look over this application when you have a chance) icon. After logging out and logging back on a client computer, browse to Control Panel and Programs/Features. On the left side, select Install a program from the network.

Installing the program

Published applications will be retrieved and your user will be presented with a list of available applications.

The list of available applications

The user can select the application and press install. The application will install even if the user is a standard user! Publishing can be a great tool for allowing users to engage in self-service application installs (or even uninstalls).
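Because a published package installs even for a standard user, the MSI on the share should be writable only by administrators. The following is an added example, not part of the original article, that lists non-trusted principals holding write-type NTFS rights on a package and its folder; the UNC path, the domain name and the trusted list are placeholder assumptions.

```powershell
# Added example. The UNC path and trusted principals are placeholders (assumptions).
$PackagePath = '\\fileserver\Software\7Zip\package.msi'
$Trusted     = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CONTOSO\Domain Admins'

# Rights that let a principal change, replace or re-permission the package.
# Read-type bits are left out on purpose so read-only users are not flagged.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Also match unmapped GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) entries.
$mask = [int]$writeRights -bor 0x10000000 -bor 0x40000000

function Get-UntrustedWriter {
    param(
        [string]   $Path,
        [string[]] $TrustedPrincipals
    )
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }                 # deny entries grant nothing
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }     # read-only entry
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the package and its parent folder: write access on the folder
# also permits replacing the file.
$targets  = $PackagePath, (Split-Path -Path $PackagePath -Parent)
$findings = foreach ($target in $targets) {
    Get-UntrustedWriter -Path $target -TrustedPrincipals $Trusted
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No untrusted write access found on the package or its folder.'
}
```

This reads NTFS permissions only; share-level permissions are separate and can be reviewed on the file server with `Get-SmbShareAccess`.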

So Many Updates: Upgrading an Application

Have you ever deployed an application only to see that an update was just released? Personally speaking, Flash and Java seem to be the worst about this! Lucky for us, GPSI has an intuitive (but slightly hidden) process of upgrading an existing deployment. Depending on your management style, Microsoft has built in two variations.

Method 1: Existing GPO

After saving your MSI upgrade in your network share, edit your existing deployment GPO. For our examples, the GPO name is APP_7Zip. For a refresher, we will navigate to ‘Computer Configuration/Policies/Software Settings/Software Installation’.

Editing the existing deployment GPO

Right click on ‘Software Installation’ and select ‘add a new package’. Browse and select your new MSI. After selecting ‘OK’, set the deployment method to ‘Advanced’ and press ‘OK’. Select the ‘Upgrades’ tab, press ‘Add’, and then ‘OK’.

The older package is uninstalled by default

From here, you can change the upgrade pattern for your MSI. By default, the upgrade pattern is to uninstall the old package and to install the updated MSI. If your MSI update requires the existing application to stay in place, you will want to select “Package can upgrade over the existing package.” After pressing ‘OK’, you should see the replaced package listed under the ‘Upgrades’ tab.

The Upgrades tab

This method places both applications in the same GPO, as seen in the screenshot below. We know that the second package is an upgrade because of the green icon arrow pointing up to the 9.20 package.

The upgrade icon is displayed on the second package

The downside to this method is that, once the upgrade is added to this GPO, machines will begin to download the updated policy. If they are rebooted, they will install the application. This single-switch method, where an application is suddenly available for the entire deployment scope, can make testing a little harder and can lead an administrator to deploy an application sooner than intended. This brings us to the second variation.

Method 2: Separate GPO

Some IT administrators prefer to split out application upgrades into separate GPOs. Separate GPOs enable you to limit the scope of an application or an upgrade.

Separate GPOs

In the example picture above, every computer under the OU Domain Computers will receive 7Zip 9.2. The computers under the Brunswick Location OU will receive 7Zip 9.3.

To link two separate GPOs together this way, we have to change one step from Method 1. On the ‘Add Upgrade Package’ screen, select ‘browse’ and select the older application GPO (APP_7Zip 9.2).

Linking separate GPOs

You should now see your older MSI listed under the ‘Packages to upgrade’ section. From here, you can change the upgrade pattern if needed.

Choosing whether to change the upgrade pattern

There are a couple of downsides to this method. First, you will end up with a lot of GPOs! While you will probably never reach the 1,000 GPO limit imposed by the GPClient, the increase may cause management issues and GPO sprawl. The second downside is that the GPO names can easily get confusing. This is especially true if you scope your GPOs down to security groups that are named the same as an application. Speaking from personal experience, it is easy to get lazy and to not rename a group or GPO when managing an update.

Picking the Method

Which method do I use? Primarily, I will stick with method 1 and use my existing GPO. I love being able to see the upgrade history of an application in one single place. I also like the reduced number of GPOs and the fact that the MSI ‘self-documents’ the version. I also don’t have to worry about renaming/creating additional GPOs with comments.

When I’m testing an application upgrade, especially system wide upgrades, I will temporarily use method 2. I will create a GPO that is normally named like “TEST_APP_Application Name”. This GPO is then configured with the update and linked at a test OU. As the rollout continues, I can continue linking the GPO to broader OUs. Once I feel completely confident that the upgrade won’t cause any widespread problems, I will remove my test GPO and add the new MSI to my existing application GPO.
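The staged rollout described above can be scripted with the GroupPolicy module so that every link is added deliberately and can be listed and removed afterwards. This is an added example, not the author's own script; the GPO name suffix and the OU distinguished names are placeholder assumptions, and the package itself is still added in the GPMC editor as described earlier.

```powershell
Import-Module GroupPolicy

# Added example. GPO name and OU paths are placeholders (assumptions).
$GpoName = 'TEST_APP_7Zip'
$Rings   = @(
    'OU=IT Test,OU=Domain Computers,DC=contoso,DC=com',            # ring 1: test OU
    'OU=Brunswick Location,OU=Domain Computers,DC=contoso,DC=com'  # ring 2: broader OU
)

# List every place the GPO is currently linked, read from the GPO report.
function Get-GpoLink {
    param([string]$Name)
    [xml]$report = Get-GPOReport -Name $Name -ReportType Xml
    foreach ($link in $report.GPO.LinksTo) {
        [pscustomobject]@{ Path = $link.SOMPath; Enabled = $link.Enabled }
    }
}

# Link the GPO to one more OU, skipping OUs that already carry the link
# (New-GPLink raises an error if the link exists).
function Add-RolloutRing {
    param([string]$Name, [string]$TargetOU)
    $existing = (Get-GPInheritance -Target $TargetOU).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $existing) {
        New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null
    }
}

# Remove the test links once the MSI has been added to the permanent GPO.
function Remove-Rollout {
    param([string]$Name, [string[]]$TargetOUs)
    foreach ($ou in $TargetOUs) {
        Remove-GPLink -Name $Name -Target $ou -ErrorAction SilentlyContinue
    }
}

# Start with the first ring only, then review the scope before widening it.
Add-RolloutRing -Name $GpoName -TargetOU $Rings[0]
Get-GpoLink -Name $GpoName | Format-Table -AutoSize

# Later steps, run by hand when each stage is confirmed:
#   Add-RolloutRing -Name $GpoName -TargetOU $Rings[1]
#   Remove-Rollout  -Name $GpoName -TargetOUs $Rings
```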

Time for Retirement

There comes a time in the life of every application where it will need to be put out to pasture. With GPSI, you have the option of preventing future installations of your retired software or of uninstalling the application on the next reboot.

Simple Uninstalls

For a single application, retirement is easy. Simply right click on the application, select All Tasks and select Remove.

The simple uninstall method

Next, you will need to decide whether to remove the application from all machines or to prevent new installations. Generally, administrators will only use the “Allow users to continue to use the software” option when wanting to limit the scope of a bad upgrade or when an uninstall might break another application. Personally, I find unlinking the GPO more effective for limiting scope.

Choosing whether to immediately remove the software or allow users to continue using it

Contrary to the message above, the application will not be immediately removed as GPSI can only process at certain times. Depending on the install type, it will take a reboot or a GPUpdate before the software is uninstalled or the shortcuts are removed.

Advanced Uninstalls

Let’s say that our previous upgrade from 7Zip 9.2 to 9.3 didn’t go as smoothly as expected. We’ve been asked to uninstall 9.3 and roll back to 9.2. To accomplish this, we have to know how our install actually worked. Did 7Zip overwrite the install of 9.2 or does it coexist?

Looking in Programs and Features (within the Control Panel) shows us that 9.3 overwrote 9.2. We could also look in Program Files for this information.

The uninstall screen

For us to roll back to 9.2, we have to first remove 9.3 and set it to uninstall immediately.

The remove and redeploy options

Next, we have to select our 9.2 MSI and set it to redeploy. This is done in nearly the same manner as uninstalling an application. Instead of selecting ‘remove’, just select ‘Redeploy application’ and press ‘OK’. On the next reboot, 9.3 will uninstall and 9.2 will reinstall.

Impressed Yet?

For a free and built-in software management system, GPSI is feature rich! Whether you are installing one or one hundred applications, Group Policy can scale with you.

Joseph Moody

Author profile:

Joseph is a desktop administrator for a public school system, helping manage 5,500 computers. He specializes in Active Directory, Group Policy, deployment and software management. His blog can be found at DeployHappiness.com.
