Windows Foundation

Digging Deeper into Group Policy

Now that you've been formally introduced, here's how to use group policies to install software and set security.

There's nothing more enjoyable than having a reader write an e-mail to me and proffer feedback about a topic relating to Windows 2000. Such was the case just the other day when I received e-mail from Robert Koppanyi asking for more information on Group Policy. Well Robert, this column (and next month as well on Group Policy) is for you!

So this month I delve deeper into the Group Policy depths by exploring two of it features: the ability to install software and the set security.

Installing Software
The software installation capability is one of the cooler features of Win2K's Group Policy even though you might not use it initially (if my experience is any indicator). Here's what I mean. By the time you even find Group Policy in Win2K Server, it's likely your client workstations are up and running with the desktop applications already installed and configured. If this is so, what's the value of the software installation capabilities in Group Policy? That answer is simple - updates! Your fleet of workstations may need a new application installed in the future. But more importantly, the workstations may require services packs and hot fixes applied to both the operating system and applications on a regular basis. That's where the software installation side of Group Policy kicks in. By forcing a particular service pack to be installed on your workstations, you simplify the management of your network by having everything on the same page or release level.

So let's jump into a step-by-step Group Policy-based software installation. I'll install a simple application that was provided to me by the certification team at Microsoft. To install an application using Group Policy:

  1. Logon to the Win2K Server machine as the Administrator.
  2. Click Start, Programs, Administrative Tools, Active Directory Users and Computers.
  3. Right-click on a organizational unit (OU) and select Properties from the secondary menu.

Note: You will recall last month in the March 2001 installment of Win2K Foundations that you created a OU. And you might also recall the discussion the Group Policy can be applied to an Active Directory Site, Domain or Organizational Unit. In this example, I apply Group Policy to an OU, a common approach.

  1. Select the Group Policy tab.
  2. Select a Group Policy Object Link and click Edit. In my case, I have an existing Group Policy Object Link titled "One". Note: If necessary, click New to create a new Group Policy Object Link. You might recall that the step-by-step for creating a Group Policy Object Link was provided in last month's Windows 2000 Foundations column.
  3. The Group Policy MMC appears. In this step-by-step example, I'll apply the Group Policy software setting to users, so click User Configuration, Software Settings and Software installation. Your screen should look like Figure 1.
Figure 1. Selecting the Software installation option in the Group Policy MMC.
  1. Right-click on the Software installation object and select New Package. The Open dialog box appears where you will need to select the Windows Installer package you want install. Your screen should look like Figure 2.

Note: The software installation capability in Group Policy accepts two types of installation files for installation, Windows Installer (.MSI) and ZAW Down-level application packages (.ZAP). The .MSI file can be created via Windows-based scripting and some select Resource Kits such as the Office 2000 Resource Kit. These install packages have the effect of facilitating silent installations so the applications (including my beloved service packs and hot fixes) will install without user intervention.

Figure 2. Select an .MSI file to install via the installer process.
  1. After selecting your installer package in the Open dialog box, click Open. If you receive the error message shown in Figure 3, you will need to click No and return to the Open dialog box and provide a UNC path to a shared folder on the server. If necessary, you need to share said folder that holds the installer file. Note that you can automatically map to the .MSI file in a UNC fashion by navigating to the .MSI file via My Network Places in the left column of the Open Dialog box.
Figure 3. Error message if you attempt to implement an installer package not using a UNC path.
  1. The Deploy Software dialog box appears (see Figure 4). There are three options to select from: Published, Assigned, or Advanced published and assigned. Select Assigned and click OK.

Note: Publish here really means that the application isn't automatically installed and the user need to install the application via Add/Remove Programs in Control Panel. Assigning an application results in the following: At logon, assuming the prerequisite conditions have been met (that the user is the correct user to receive the installation package), the application is advertised and installed when it is safe to do so (after critical operating system services have started).

Figure 4. The Deploy Software dialog box. The Advanced published or assigned option is really cool and, while beyond the scope of this column, it's worth playing with on your test Win2K Server.

The application to be installed appears as shown in Figure 5 in the Group Policy MMC.

Figure 5. Congratulations! The Windows installer package appears in the Group Policy MMC when Software installation is selected.

When you logon to the Win2K Server network, assuming you're a user or a computer in the OU that the Group Policy Object (GPO) applies to, you'll be asked to install the application. At that time, the application installs silently. You might also be interested in observing the properties of the installer package properties. Simply double click the installer package you created in the steps above. The General tab provides basic identification information. The Deployment tab allows you to select the settings, as shown in Figure 6. The Upgrades tab (see Figure 7) allows you to select what existing application installation should be upgraded.

Figure 6. The Deployment tab allows you to set deployment options such as Installation user interface (Basic will show end user minimal installation progress details; Maximum displays detailed installation progress).

Figure 7. The Upgrades tab is used to manage revisions for your installed applications.

The Categories screen, while not as interesting visually as some of the others, allows you to configure how the application to be installed appears in the Add/Remove Programs in Control Panel. The Modification tab allows you to customize the installation package (within reason). The Security tab allows you to set the Full Control, Read and Write permissions for the installer package.

Tip: If you head back to my February column, you'll see some problems with Win2K Terminal Services and the assign and publish software installation capabilities of Group Policy. Applications accessed via Terminal Services are installed on a per-computer basis, meaning the programs are available to any user with access to the Terminal Services server. Terminal Services can not accept published programs, which are published on a per-user basis. Furthermore, assigned programs must be assigned on a per-computer basis.

While security isn't as exciting a subject to me as it is to fellow columnist Roberta Bragg (see her "Security Advisor" column each month in the print issue and online), Group Policy is used to implement security settings. To see the specific settings you can set, complete the following keystrokes:

  1. Logon to the Win2K Server machine as the Administrator.
  2. Click Start, Programs, Administrative Tools, Active Directory Users and Computers.
  3. Right-click on a organizational unit (OU) and select Properties from the secondary menu.
  4. Select the Group Policy tab.
  5. Select a Group Policy Object Link and click Edit. The Group Policy MMC appears.
  6. Expand either the Computer Configuration object or the User Configuration object.
  7. Expand the Windows Settings folder.
  8. Expand the Security Settings object. Your screen should look like Figure 8.
Figure 8. You can observe the numerous security settings that can be set by Group Policy.

Roberta Bragg gives extensive coverage on security in her December column, "The Gift of Group Policy."

Next month I'll explore Windows Settings and Administrative Templates in Group Policy in my quest to keep readers like Robert Koppanyi and others happy, healthy and hopefully wealthy!

About the Author

Bainbridge Island, Washington author Harry Brelsford is the CEO of, a Small Business Server consulting and networking monitoring firm. He publishes the "Small Business Best Practices" newsletter ([email protected]), and is the author of several IT books, including MCSE Consulting Bible (Hungry Minds) and Small Business Server 2000 Best Practices (Hara Publishing).


comments powered by Disqus

Subscribe on YouTube