A user whose user object is in the IT Managers container will have group policy applied in this order: Local Computer policy, Default Domain policy, Folder Redirection policy, IT Manager policy, and Manager Tools policy. A user whose user object is in the Accounting container will have group policy applied in this order: Local Computer policy, Default Domain policy, and Folder Redirection policy. Therefore, if the user in the Accounting container is supposed to have folders redirected by the Folder Redirection policy, but the folders are not being redirected, you should look at the Folder Redirection Policy object and see what options or permissions are on the object that would prevent the user from having the policy applied, and so on.

Using RSoP

Just having a policy map will not help you identify the location of policy conflicts in all cases. That’s where RSoP comes in. Previously, we’ve used RSoP to plan our policy environment and test the environment prior to implementation. You can also use RSoP to discover what policy is applied to a user object and where the policy setting came from. To do this, add the RSoP snap-in into the MMC and generate a report based on the user and computer in question as described earlier in the chapter.

Let’s say that a user is attempting to change his password, but he continually gets an error saying that his password is too short. You seem to recall that you had set a policy that allowed six-character passwords as a minimum, but the user continually gets a message that his password must be at least seven characters. You run an RSoP report on the user and get the result shown in Figure 17.23. Remembering that password settings are a part of computer configuration, you open to that portion of the report and find the minimum password length policy. Sure enough, it’s set to seven characters.
However, in the window you also see that the minimum password length setting came from the Default Domain Policy object. Therefore, either your recollection of setting a minimum password length of six characters was faulty, or you set that policy in a GPO that was not processed by this user, and now you can find out why.

596 Chapter 17 • Working with Group Policy in an Active Directory Environment
301_BD_W2k3_17.qxd 5/12/04 2:18 PM Page 596

Figure 17.23 Viewing RSoP Results

Other settings do not display as clearly in the MMC window. Let’s take a quick look at a folder redirection setting that was applied to this same user. When you click the My Documents folder under User Configuration | Windows Settings | Folder Redirection, the MMC will display information about the Redirection policy. However, the default format of the display does not show all the information at one time, so you can double-click the entry to bring up the Properties window shown in Figure 17.24. You can see in the Properties window the location where the My Documents folder has been directed and the settings of the policy that caused this user’s folder to be redirected. In this case, the GPO that triggered the redirection is the Folder Redirection Policy object, and it was created in advanced mode, with the user matching the Information Technology group membership. In addition, you can see the settings enabled for this particular redirection policy in the grayed-out check boxes and option buttons.

Using gpresult.exe

Sorting through the information provided by RSoP can be a little daunting, especially if there is a lot of customization occurring through group policy settings. Some types of information can be easier to track down using a different tool—gpresult.exe. gpresult is a command-line tool that produces a text report of the resultant set of policy. Table 17.4 lists some of the command-line parameters that can be used with gpresult.exe.
By default, running gpresult.exe with no parameters will generate an RSoP report for the current user on the local computer. Different options can be used to specify alternate users and different computers, as well as limiting the scope of the query.

Figure 17.24 Viewing the Folder Redirection Policy Properties

Table 17.4 Command-Line Parameters for gpresult.exe

Parameter                  Description
/s Computer                Identifies the location of a remote computer for the query. Computer can be the name or IP address of the remote system. Do not use backslashes in the computer name.
/u Domain\User             Identifies the user to run the program as, in case the current user does not have permission to generate RSoP data.
/p Password                Identifies the password to use for the user object identified with the /u parameter.
/user TargetUserName       Identifies the user for which RSoP data is to be generated.
/scope {user | computer}   Identifies the specific scope, user or computer, for which the RSoP report should be run.
/v                         Generates verbose policy information.
/z                         Displays all available information about the policy settings. This setting generates much more output than the /v parameter.

The output of gpresult.exe is grouped into several different sections. The first section of the output gives basic information about the user and computer analyzed in the query. This output is shown in Figure 17.25. One of the items of interest in this section is the indication of a slow link connection, listed in the last line of the figure.
Figure 17.25 Viewing the Results of gpresult.exe

RSOP data for CORPORATE\fisherb on CORPADFP1 : Logging Mode
------------------------------------------------------------
OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Site Name:                   My_Corp
Roaming Profile:
Local Profile:               C:\Documents and Settings\fisherb
Connected over a slow link?: No

The next section of output contains information about the computer settings of the resultant policy. The output lists the directory path to the computer objects, the last time policy was applied to the computer, and the object from which the policy was applied. The output also lists the specific GPOs that were applied to generate the resultant policy. Following that list is a section containing security group information for the computer.

The next information contained in the output is a breakdown of the user configuration settings. You will find the directory container for the user object, the GPOs that were applied, and a listing of the security groups to which the user belongs.

Running gpresult.exe in verbose mode (/v) or really verbose mode (/z) will give you additional information about the specific policy settings that apply to the user/computer combination. One such entry is listed in Figure 17.26.
Figure 17.26 Viewing a Sample Policy Listing from a gpresult.exe Verbose Output

    Folder Redirection
    ------------------
        GPO: Folder Redirection Policy
            KeyName:
            InstallationType: basic
            Grant Type: Exclusive Rights
            Move Type: Contents of Local Directory moved
            Policy Removal: Redirect the folder back to user profile location
            Redirecting Group: Everyone
            Redirected Path: \\corpadfp1\home\fisherb\desktop

Run an RSoP Query in Logging Mode

In the following procedure, we walk through the steps required to generate an RSoP query in logging mode to produce a report on actual policy settings for a user in the directory. The steps in the example will use the sample user and computer information, but you can run this report for any user and computer in your environment, provided you have access to the tools. Running this query will not impact a production system.

1. Open the Microsoft Management Console.
2. Select File | Add/Remove Snap-in.
3. In the Standalone tab, click Add.
4. Scroll through the list until you find the Resultant Set of Policy item, and then click Add and Close.
5. Click OK to return to the MMC window.
6. Right-click the Resultant Set of Policy object in the tree and select Generate RSoP Data.
7. In the RSoP Wizard, click Next.
8. Make sure the Logging mode option button is selected, and then click Next.
9. Click the Another Computer option button, and then click Browse.
10. Find a computer in the directory and select it.
11. In the Computer Selection window, after selecting the computer, click Next.
12. In the User Selection window, click the Select a specific user option button.
13. Select one of the users listed, and then click Next.
14. In the Summary of Selections window, click Next.
15. Click Finish to close the wizard.
16. Browse through the policy settings in the MMC window.
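The gpresult.exe text shown in Figures 17.25 and 17.26 is meant to be read by eye; the PowerShell below, an added example that is not part of the book, parses that same format into objects so the slow-link flag and the redirected paths can be checked from a script. The sample output is constructed from the two figures; the function names are this example's own.

```powershell
# Added example, not from the book: parse what gpresult.exe prints (the header block of
# Figure 17.25 and a verbose Folder Redirection entry as in Figure 17.26) into objects a
# troubleshooting script can check. $SampleOutput is constructed from those two figures;
# on a real machine pass (gpresult /v | Out-String) instead.

$SampleOutput = @'
RSOP data for CORPORATE\fisherb on CORPADFP1 : Logging Mode
------------------------------------------------------------
OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Site Name:                   My_Corp
Roaming Profile:
Local Profile:               C:\Documents and Settings\fisherb
Connected over a slow link?: No

    Folder Redirection
    ------------------
        GPO: Folder Redirection Policy
            KeyName:
            InstallationType:  basic
            Grant Type:        Exclusive Rights
            Move Type:         Contents of Local Directory moved
            Policy Removal:    Redirect the folder back to user profile location
            Redirecting Group: Everyone
            Redirected Path:   \\corpadfp1\home\fisherb\desktop
'@

function ConvertFrom-GpresultText {
    param([Parameter(Mandatory)][string]$Text)
    $header        = [ordered]@{}   # "Key: Value" pairs from the first section
    $redirection   = @()            # one hashtable per GPO entry under Folder Redirection
    $current       = $null
    $inRedirection = $false
    foreach ($line in $Text -split "`r?`n") {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed -match '^-+$') { continue }   # blanks and rules
        if ($trimmed -eq 'Folder Redirection') { $inRedirection = $true; continue }
        # First line: "RSOP data for DOMAIN\user on COMPUTER : Logging Mode"
        if ($trimmed -match '^RSOP data for (\S+) on (\S+) : (.+)$') {
            $header['User'] = $Matches[1]; $header['Computer'] = $Matches[2]
            $header['Mode'] = $Matches[3]; continue
        }
        # Each redirected folder starts a new entry keyed by the GPO that caused it
        if ($inRedirection -and $trimmed -match '^GPO:\s*(.+)$') {
            $current = [ordered]@{ GPO = $Matches[1] }
            $redirection += ,$current   # a reference: keys added below land in the array too
            continue
        }
        # Generic "Key: Value" line; the value may be empty (e.g. "Roaming Profile:")
        if ($trimmed -match '^([^:]+?):\s*(.*)$') {
            if ($inRedirection -and $current) { $current[$Matches[1]] = $Matches[2] }
            else                              { $header[$Matches[1]]  = $Matches[2] }
        }
    }
    [pscustomobject]@{ Header = $header; FolderRedirection = $redirection }
}

function Test-RsopReport {
    param([Parameter(Mandatory)]$Report)
    # The book singles out the slow-link line: folder redirection and software installation
    # are not processed over a slow link by default, so a "Yes" here explains missing settings.
    if ($Report.Header['Connected over a slow link?'] -eq 'Yes') {
        Write-Warning ('{0} on {1} processed policy over a slow link' -f $Report.Header['User'], $Report.Header['Computer'])
    }
    foreach ($entry in $Report.FolderRedirection) {
        '{0}: {1} -> {2}' -f $entry['GPO'], $entry['Redirecting Group'], $entry['Redirected Path']
    }
}

$report = ConvertFrom-GpresultText -Text $SampleOutput
Test-RsopReport -Report $report
```

Because the parser keys every "Key: Value" line generically, the other sections the text describes (applied GPOs, security groups) can be captured the same way once their headings are added to the section check.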
Deploying Software via Group Policy

In this chapter:
■ Understanding Group Policy Software Installation Terminology and Concepts
■ Using Group Policy Software Installation to Deploy Applications
■ Troubleshooting Software Deployment

Introduction

In the preceding chapter, you learned what Group Policy is and how to work with Group Policy Objects (GPOs). One of the most important functions of Group Policy in an enterprise-level network is the ability to automate software deployment throughout the organization, saving network administrators and users a great deal of time and trouble.

In this chapter, you will learn about Group Policy’s software installation feature. We’ll provide an understanding of the terminology and concepts behind software installation, and we’ll show you how to use the components of software installation: Windows Installer packages, transforms, patches, and application assignment scripts. You’ll find out how to deploy software to users and to computers by assigning or publishing applications. After covering the concepts, we walk you through the steps of preparing for Group Policy software installation, working with the GPO Editor and setting installation options. You’ll find out how to upgrade applications, configure automatic updates, and remove managed applications. We’ll also cover how to troubleshoot problems that can occur with Group Policy software deployment.

Chapter 18 601
301_BD_W2k3_18.qxd 5/12/04 2:19 PM Page 601

Understanding Group Policy Software Installation Terminology and Concepts

Maintaining the correct applications, service packs, and so forth on users’ workstations can be a daunting task, but with Group Policy, software can be distributed, configured, and maintained in a centralized fashion.
From the applications users need to complete their work, to patches and updates that fix bugs or enhance security, software deployment via Group Policy is a very powerful feature.

Some of the terms associated with Group Policy software deployment may be unfamiliar if you haven’t used this feature before. For example, we’ll be talking about two types of deployed applications: published and assigned. A published application is made available to users through the Add/Remove Programs applet in Control Panel. Each user has the option to install the application, or not, when it is published. An assigned application is “pulled” down to the user’s computer or the computer itself. During startup or logon, Group Policy assignments are checked. If software is part of a group policy linked to the organizational unit (OU), domain, or site, then the software is “advertised” to the user or to the computer. Advertising refers to making the application ready for installation when a triggering action occurs (the user clicks the application shortcut, the user attempts to open a document associated with the application, or the computer starts up).

Another term with which you’ll need to be familiar is software package or Windows Installer package. A package is a file with the .msi extension that contains a database with all the instructions and information necessary to install the application. We’ll talk about transforms, which are files with the .mst extension that make modifications to the database contained in the .msi file.

If you don’t know the basic concepts, you can easily misconfigure software installation policies, and that can create problems on your network. Before implementing a new feature such as software installation, you should first ensure that you understand both the concepts and the procedures involved. Then, you can start to develop a software deployment plan.
When you have a viable plan in place, you can begin to put the software installation feature to work for you on your network. In the next section, we will provide more detailed information about Group Policy software installation concepts.

Group Policy Software Installation Concepts

You can use Group Policy to deploy software within a domain environment by editing an existing GPO or creating a new one. The GPO must be applied to a domain, OU, or site in Active Directory. When you open a GPO that is applied to one of these units, you’ll see two nodes labeled Software Installation in the left pane of the Group Policy Editor console: one that is under the Computer Configuration node and one that is under the User Configuration node.

As mentioned earlier, Group Policy software installation deals with two basic types of software deployment: assigning and publishing. Which of these you choose determines when the software will actually be installed on the user’s workstation. In the following sections, we will look at exactly how each of these options works, and help you determine which is most appropriate for a given situation.

Assigning Applications

The first option is to assign an application. You should assign applications if you want selected users to have the applications available regardless of which computer they are logged on to. An assigned application will “follow” the user from computer to computer within the domain environment. Applications can be assigned to a user or to a computer by using the appropriate Software Installation node in Group Policy. Using the Software Installation node under Computer Configuration | Software Settings in the left pane of the Group Policy Editor console will allow you to assign the application to a computer.
Using the Software Installation node under User Configuration | Software Settings in the same console tree will allow you to assign the application to a user.

After determining that you want to assign applications (rather than publish them), next you must decide whether to assign applications to users or to computers. Assigned applications are configured based on use. If a particular user will require a word processing or spreadsheet application, you can assign the application to that user. If you will be installing a particular application on every computer in the organization, or to specific computers (for example, all the computers in the Financial department), you can assign the application to the computer objects in Active Directory.

When an application is assigned to a user, the application will show up as a shortcut, on which the user can click. This shortcut does not mean that the application is installed, however. The shortcut can be configured to show up in the Start menu or on the desktop. There are also file association changes made to the workstation. This shortcut will “follow” the user, so that it appears on whichever computer the user uses to log on to the network. When the user clicks the shortcut, the application is then deployed to the workstation where the user is logged on. This ensures that users will have the appropriate software, regardless of which workstation they are logged on to.

When an application is assigned to a computer, the software is deployed when it is safe to do so (that is, when the operating system files are closed). This generally means that the software will be installed when the computer starts up, which ensures that the applications are deployed prior to any user logging on. Large application deployments can be done this way so users won’t have to click and wait. Applications that are assigned to computers are available to any user who logs on to that computer.
Often, administrators will do large deployments to computers during off hours so when users arrive the next day, they have the updated and installed software ready for use.

Publishing Applications

When an application is published, it is advertised to users through the Add/Remove Programs applet in Control Panel. This allows users to control when (and whether) the applications will be deployed. Applications that are not required, but which you want to make available as an option for users, are generally deployed this way. If an application isn’t used by everybody but might be useful for some to complete a project or task, it can be published for the users to install when and if they need it.

Publishing an application also allows users to uninstall the application from their workstations. This gives users more control over their workstations, whereas assigned applications maintain themselves as installed applications even if the user manually deletes the files. Figure 18.1 shows the matrix between assigning and publishing software to users and computers.

Document Invocation

Whether you assign or publish an application, file association changes can be made in the Registry on the workstation where the new application is installed. Document invocation refers to the ability of the system to install an application in response to the user’s attempt to open a document that is associated with that application. This is also referred to as file extension activation. You can control whether applications will be automatically installed by file extension activation. This selection is made by checking a check box on the Deployment tab of the Properties sheet of the application. You will learn more about editing the Properties options later in the chapter.
For example, if Microsoft Word has been assigned to a computer or user but has not yet been installed, and a user receives a Word document and attempts to open it by double-clicking it, the Installer will immediately install the application and then open the document with it. It is not necessary for the user to install it via the desktop or Start menu icon, or (in the case of an application assigned to the computer) reboot the computer. The same thing happens if the application has been published, but the user has not chosen to install it via Add/Remove Programs. When the user attempts to open the document, it will be installed automatically. This is also called on-demand installation.

What happens if more than one application is associated with the same file extension? Normally, the associated application that was most recently installed on the computer is the one that is used to open the file. You can configure the GPO to set priorities on file extensions, so that you can ensure that the published application that installs when users try to open a file with a specific extension is the right one. This is done by editing the Software Installation Properties of the User Configuration or Computer Configuration node in the GPO Editor. You will learn more about editing these options later in the chapter.

Figure 18.1 Assigning and Publishing Software Matrix

Assigning Applications (users or computers):
■ Users: When assignment is done to users, shortcuts are displayed on the desktop or Start menu for advertised applications. Installation happens when the user initiates first use of the application. Installation can also happen when a user clicks on a document whose extension is associated with an assigned application.
■ Computers: When assignments are made to computers, installation happens during startup prior to a user logging on. This can be good to roll out software in a mass installation or upgrade. The downside can be when large deployments delay users logging on.

Publishing Applications (users only):
■ You can only publish applications to users. When applications are published, they are advertised in Add/Remove Programs in Control Panel. Categories are good for this type of application deployment so the user can easily find the software they want to install.

Application Categories

To make it easier for users to find applications, you can put software into categories. With a large number of applications, users must scroll through the entire list of programs in Add/Remove Programs to find the applications they want. To simplify the process, you can categorize the applications you assign or publish. Categories are not predefined and thus need to be set up by the administrator. Grouping common applications together will assist your users in finding the software they need. You can group applications by department, by job function, or in other ways that are logical and meet the needs of your organization’s structure. For example, all members of a particular department might need to use the same application, or all secretaries—regardless of department—might need a particular software application. It is not necessary to define categories for each individual GPO; instead, you create categories that will apply to the entire domain.

Group Policy Software Deployment vs. SMS Software Deployment

Software deployment via Group Policy differs from software deployment via Systems Management Server (SMS). The one simple difference is that SMS is a more controlled software distribution environment. With Group Policy, you set up the deployment as either assigned or published and that is it. With SMS, you can control configuration of items such as bandwidth usage, load balancing, scheduling, and so forth. To accomplish load balancing with Group Policy, you would have to introduce a Distributed File System configuration.
Scheduling and bandwidth throttling are available through SMS only, not through Group Policy. Another key difference between using SMS and using Group Policy is that one is a pull model and the other is a push model. Software deployment through Group Policy is a pull configuration, meaning that the client pulls the software down to a workstation. SMS uses a push model where the SMS servers take the responsibility along with the agents to determine what software is needed and the best time to copy the package.

Group Policy Software Installation Components

Now that we have discussed the concepts of when and how software should be deployed, let’s look at the components involved in using Group Policy to deploy software. In Windows 2003 as in Windows 2000, the Windows Installer technology is the driving force behind this feature. You will become familiar with four file types as you work with software installation:

■ The application package is the first and basic file type you will encounter.
■ The transform gives you the ability to make changes to a package, or transform the package.
■ Patches are available for many software programs, and you can deploy these with Group Policy.
■ The application assignment script stores the information regarding assignment or publishing of the application.

In the following sections, we will discuss each of these in more detail.