Document information
Pages: 75
Size: 827.38 KB

Content
Part II: Group Policy Implementation and Scenarios
Chapter 7: Managing User Settings and Data

To allow administrators to access existing profile folders, complete the following steps:

1. Log on to the profile server using an account that has administrator privileges.
2. In Windows Explorer, locate the user's profile folder. Right-click it, and then choose Properties.
3. When you see a warning prompt telling you that you do not have permission to access the profile folder but can take ownership, click OK.
4. In the Properties dialog box, click the Security tab, and then click Advanced.
5. In the Advanced Security Settings dialog box, click the Owner tab.
6. Under Change Owner To, click Administrators, and then select the Replace Owners On Subcontainers And Objects check box. Click OK.
7. When prompted to confirm that you want to take ownership of the folder, click Yes.
8. You are prompted to close and open the folder's Properties dialog box before you can view or change permissions. Click OK three times to close all open dialog boxes.
9. In Windows Explorer, right-click the user's profile folder and then choose Properties.
10. In the Properties dialog box, click the Security tab and then click Advanced.
11. In the Advanced Security Settings For dialog box, click Add.
12. In the Select Users, Computers, Or Groups dialog box, type the user's logon account name and then click Check Names. If the name is shown correctly, click OK.
13. In the Permissions Entry For dialog box, select This Folder, Subfolders And Files under Apply Onto and then select Allow for Full Control. Click OK.

Caution: In the Permissions Entry For dialog box, Apply These Permissions To Objects And/Or Containers Within This Container Only is not selected by default. Do not select this option. If you do, permissions will not be set correctly. For example, if this option is selected, a user logging on would see a specific error related to not being able to read the contents of the Application Data\Identities folder. If a user sees such an error during logon, you need to open the Advanced Security Settings For dialog box, select the user name, and click Edit. You then clear Apply These Permissions To Objects And/Or Containers Within This Container Only and click OK.

14. In the Advanced Security Settings For dialog box, select Replace Permission Entries On All Child Objects and then click OK. When prompted to confirm the action, click Yes.
15. Click OK.

Note: If the user sees a prompt indicating that the roaming profile is not available, security permissions have not been configured correctly. Repeat steps through 12 and ensure that you select Replace Permission Entries On All Child Objects.

Limiting Profile Size and Included Folders

User profiles can grow very large, and sometimes when you allow roaming you'll want to limit their size or the folders they include. A key reason for doing this is to save space on the server storing the profiles, but limiting profile size and included folders can also speed up the logon and logoff processes. Don't forget that you can also redirect some of the profile folders, such as My Documents and Application Data, so that they are connected via shares rather than moved around the network in the user's profile. Limiting the profile size in this case might not be necessary.

Limiting Profile Size

If you limit profile size, any user who exceeds the profile limit sees this warning message when she tries to log off: "You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage." The warning dialog box includes a list of files in her profile and provides details on her current profile size and the maximum allowed profile size. The user cannot log off until she deletes files and thereby reduces the size of her profile to within the permitted limits.

To limit the size of user profiles for a site, domain, or OU, follow these steps:

1. Access the GPO with which you want to work.
2. Access User Configuration\Administrative Templates\System\User Profiles.
3. Double-click Limit Profile Size, and then select Enabled, as shown in Figure 7-5.

Figure 7-5 Limiting the profile to a specific maximum size and configuring notification

4. If a user exceeds the profile limit and tries to log off, she sees the standard warning message. To display a different warning message at logoff, type the text of the message in the Custom Message box.
5. With this policy setting enabled, the default maximum profile size is 30 MB (30,000 KB). If you redirect profile data folders, such as My Documents and Application Data, to network shares, this default value might suffice. If you do not redirect profile data folders, this default value will, in most cases, be much too small. Either way, you should carefully consider what the profile limit should be and then use the Max Profile Size combo box to set the appropriate limit (in kilobytes).
6. By default, global settings are stored in the Ntuser.dat file in a user's profile; the size of the Ntuser.dat file does not count toward the user's profile limit. If you want to include the file size of the Ntuser.dat file in the profile limit, select Include Registry In File List.
7. By default, users see a warning about profile size only at logoff and are then given the opportunity to remove files from their profile. If you want to notify users whenever they exceed their profile storage space, select Notify User When Profile Storage Space Is Exceeded and then use the Remind User Every X Minutes combo box to determine how often the reminder is displayed.

Tip: Notifying users that they've exceeded the profile limit can be helpful, but repeatedly reminding them of this can be annoying. Therefore, if you want to notify users, do so infrequently, such as once every 120 minutes.

8. Click OK.

Limiting Folders Included in Profiles

Another way to limit the user's profile size is to exclude folders and prevent them from roaming with the user's profile. As discussed previously, folders under %SystemDrive%\Documents and Settings\%UserName%\Local Settings do not roam. If you want to exclude other folders, you can specify this in policy by completing the following steps:

1. Access the GPO you want to work with.
2. Access User Configuration\Administrative Templates\System\User Profiles.
3. Double-click Exclude Directories In Roaming Profile and then select Enabled, as shown in Figure 7-6.

Figure 7-6 Preventing specific folders from roaming by entering the folder name in a semicolon-separated list

4. Specify the folders that should not roam by entering them in the appropriate box. When you specify multiple folders to exclude, they must be separated by a semicolon. Always type folder names relative to the root of the profile, which is %SystemDrive%\Documents and Settings\%UserName%. For example, if you want to exclude two folders on the desktop called Dailies and Old, type Desktop\Dailies;Desktop\Old.
5. Click OK.

Redirecting User Profile Folders and Data

In many organizations, workers use or have access to more than one computer on a daily basis. They might have both a portable computer and a PC in their office. They might have a PC in their office and log on to other computers to do development or test work. They might have to log on to another user's computer while theirs is being repaired, or they might check out a loaner before traveling to a remote office. Whatever the reason, ensuring that users have consistent access to their data is essential, and this is where redirected folders come in handy. Not only do redirected folders make it possible for users to consistently access their data regardless of the computer they use to log on to the network, but redirected folders also make the administrator's job easier by providing a centralized repository for user profile folders and data that can be more consistently managed and more easily backed up. The key reason for this is that with redirected folders, user data
resides on a central server or servers rather than on individual user computers.

Understanding Folder Redirection

As discussed previously in "User Profiles and Group Policy," redirected folders allow for seamless redirection of folders and data that would otherwise be a part of a user's profile. In the case of roaming profiles, redirected folders reduce network traffic during logon and logoff because the redirected folders do not need to be retrieved or updated, which also can speed up logon and logoff. So, in a sense, users and administrators get the best of both worlds. Users get better access to their data, experience faster logon and logoff, and have fewer profile-related problems overall. Administrators get centralized management and better control over user data, which in turn makes the data easier to back up and restore.

You can configure folder redirection for domain users at the domain or OU level through User Configuration settings. As Figure 7-7 shows, you can redirect the following user profile folders:

■ Application Data: The per-user data store for applications under %SystemDrive%\Documents and Settings\%UserName%\Application Data rather than the per-computer data store for applications under %SystemDrive%\Documents and Settings\%UserName%\Local Settings\Application Data. Many applications have per-user data stores, which can grow very large. With Office, the per-user data store contains the user's custom dictionaries, address book, and more, so it often makes sense to have a single Application Data folder for all the computers a user logs on to.

■ Desktop: The user's complete desktop including the configuration settings, shortcuts, and any files or folders stored on the desktop. Users often store files and folders on their desktop, so it often makes sense to redirect their desktop data as well as their My Documents data. With a roaming profile, redirecting the desktop also ensures that any desktop shortcuts and setting preferences, such as wallpaper and the quick access toolbar, remain when a user moves from computer to computer. As long as a shortcut points to a valid location, such as a file in a user's profile folder or on a network share, it will work. For example, if the user has a shortcut to a document stored in My Documents, the shortcut will work. On the other hand, a shortcut to a document in a D drive folder, which is only on the user's laptop, will not work.

■ My Documents: The complete contents of My Documents including all files and folders. By default, all automatically created subfolders are included in this folder. You have the option of excluding My Pictures, but all other subfolders of My Documents are redirected, including My Data Sources, My Deliveries, My DVDs, My eBooks, My Music, My Received Files, My Videos, My Virtual Machines, and My Web Sites.

■ Start Menu: The complete Start menu including the Programs menu and its related menu items, shortcuts pinned to the Start menu, and any applications in the Startup folder. You might want to redirect the Start menu when, for example, users access applications over the network or you have identically configured workstations deployed throughout a department or office. With redirection, you can be certain that users have access to the appropriate applications on their Start menus.

Note: Unlike other types of folder redirection, Start menu redirection does not copy the contents of a user's local Start menu. Instead, users are directed to a standard Start menu that the administrator previously created and stored on a server.

Figure 7-7 Folder redirection

No other user profile folders can be redirected. This means the following user profile folders cannot be redirected:

■ NetHood
■ PrintHood
■ My Recent Documents
■ SendTo
■ Templates

Behind the scenes, redirected folders are connected via network shares. You should consider several other configuration options whenever you redirect folders:

■ Using offline files: Redirected folders aren't available for offline use by default. Users can make files available offline by right-clicking a file in My Documents or another folder and selecting Make Available Offline. Administrators also can configure offline file usage on the server-stored shared folder. Right-click the share and then select Properties. In the Properties dialog box, click the Sharing tab and then click Caching. Select All Files And Programs That Users Open From The Share Will Be Automatically Available Offline, and then click OK twice. For more information, see Chapter 37 in Microsoft Windows Server 2003 Inside Out.

■ Using shadow copies: Shadow copies of shared folders make it easier to recover previous versions of files and restore accidentally deleted files. If you configure shadow copies on the file shares associated with the redirected folders, users have access to previous versions of all their data files and folders. This allows them to go back and recover files on their own without an administrator's help. For more information, see Chapter 22 in Microsoft Windows Server 2003 Inside Out.

Configuring Folder Redirection

Folder redirection is configured under User Configuration\Windows Settings\Folder Redirection. There are separate policy settings for Application Data, Desktop, My Documents, and Start Menu. These can be configured in several ways. If you don't want to redirect a particular folder for the selected site, domain, or OU, you can use the Not Configured setting to disable redirection of the selected folder in the site, domain, or OU whose GPO you are currently working with. If you want to redirect a particular folder for a designated site, domain, or OU, you can use one of two top-level settings:

■ Basic: Used to redirect affected users to the same base location.
■ Advanced: Used to redirect affected users according to security group membership.

The sections that follow discuss how these top-level settings and their related options can be used in various scenarios.

Using Basic Folder Redirection

The Basic setting is used to redirect all users in a site, domain, or OU to the same base location. Basic redirection is primarily for small organizations or organizations whose OU structure is based on physical location—for example, a small business group or department that is autonomous might want to use basic redirection. An organization in which employees in an OU are in the same physical location might also want to use basic redirection.

To configure basic folder redirection, follow these steps:

1. Access the GPO with which you want to work.
2. Access User Configuration\Windows Settings\Folder Redirection. The four folders that can be redirected are listed separately.
3. Right-click the folder you want to redirect, and then select Properties.
4. In the Settings list, choose Basic - Redirect Everyone's Folder To The Same Location, as shown in Figure 7-8.

Figure 7-8 Configuring basic folder redirection

5. Under Target Folder Location, choose one of the following options:

❑ Redirect To The User's Home Directory: Applies only to redirection of a user's My Documents folder. If you have configured the user's home folder in her account properties, you can use this setting to redirect the My Documents folder to the same location as the home folder. For example, if the user's home drive is X, the network drive X and the My Documents folder will point to the same location (as set in the user's domain account properties).

Caution: Use this setting only if the home folder has already been created. If there is no home folder, this option is ignored and the folder is not redirected.

❑ Create A Folder For Each User Under The Root Path: Appends the user's name to a designated network share. Individual user folders then become subfolders of the designated network share. For example, if you want the My Documents folder to be redirected to \\NYServer08\UserData, this folder will contain subfolders for each user, based on the user's account name (%UserName%), and the user's My Documents data will be stored in the appropriate subfolder. This option is not available with redirection of the Start menu.

❑ Redirect To The Following Location: Allows you to specify a root path to a file share and folder location for each user. If you do not include a user-specific environment variable, all the users are redirected to the same folder. If you add %UserName% to the path, you can create individual folders for each user, as in the previous option.

Note: For classrooms, kiosks, and some office settings, you might want to ensure that all users in an OU or all users who are members of a particular security group have exactly the same folder. In this case, you can redirect to the same folder location. For example, if you want everyone logging on to a classroom computer to have the same Start menu and Desktop even though they use different logon accounts, you can do this by redirecting the Start menu and Desktop to a specific folder. To ensure that only administrators can make changes to the Start menu and Desktop, you can change the security on the redirected folders so that the Administrators group has Full Control and the Authenticated Users group (or a specific security group) has Read access only.

❑ Redirect To The Local User Profile Location: Causes the default location of the user's profile to be used as the location for the user data. This is the default configuration if no redirection policies are enabled. If you use this option, the folders are not redirected to a network share and you essentially undo folder redirection.

6. Under Root Path, enter the root path to use, as necessary. If you chose Create A Folder For Each User Under The Root Path, you can enter \\NYServer08\UserData to redirect the selected folder to a user-specific folder under \\NYServer08\UserData. Any necessary folders and subfolders are created automatically by Windows the next time an affected user logs on. Any currently logged-on user must then log off and log back on.
7. By default, users are granted exclusive access to their redirected data and the contents of the existing folder are moved across the network to the new location the next time they log on. To change these or other configuration behaviors, click the Settings tab and then configure additional settings, as discussed in the "Configuring Setup, Removal, and Preference Settings for Redirection" section in this chapter.
8. Click OK.

Using Advanced Folder Redirection

The Advanced setting is used to redirect user data based on security group membership. If you select this option, you can set an alternative target folder location for each security group you want to configure. For example, you can redirect My Documents separately for the Sales, Engineering, and Customer Service groups. Sales users can have their My Documents redirected to \\NYServer12\Sales. Engineering users can have their My Documents redirected to \\NYServer04\Engineering. Customer Service users can have their My Documents redirected to \\NYServer02\Services. As with basic redirection, the designated folder contains subfolders for each user.

In most cases, the advanced configuration scales better for the large enterprise because it allows you to zero in on security groups within sites, domains, or OUs. Thus rather than assigning a single location for all users within an OU, you can assign each security group within an OU a separate location. However, keep in mind that the group policy you are working with applies only to user accounts that are in the container for which you are configuring Group Policy. So if you set a redirection policy for a group that isn't defined in the site, domain, or OU you are working with, folder redirection is not applied.

To configure advanced redirection of user profiles, follow these steps:

1. Access the GPO with which you want to work.
2. Access User Configuration\Windows Settings\Folder Redirection. The four folders that can be redirected are listed separately.
3. Right-click the folder you want to redirect, and then select Properties.
4. In the Settings list, choose Advanced - Specify Locations For Various User Groups, as shown in Figure 7-9. The Target tab is updated so that you can configure redirection settings by security group membership.

Figure 7-9 Configuring targeting for individual security groups within a site, domain, or OU

Chapter 9: Deploying and Maintaining Software Through Group Policy

■ Automatic removal: Using Software Installation policy, you can automatically remove, or uninstall, an application when the user or computer is no longer subject to the GPO that originally installed the application. For example, if a user gets Microsoft Excel installed on his machine by virtue of being located within the Finance OU within an Active Directory domain, you can specify that if his job changes and he moves into the Marketing OU, Excel will automatically be removed during the next foreground Group Policy processing cycle.

Getting the Necessary Windows Installer File

You'll find that just about every new software application has a .msi package file that can be used to install and uninstall the application. When a .msi package file is included with an application, it is referred to as a native Windows Installer file. Using a native Windows Installer file to deploy software through Group Policy is the easiest deployment technique to use, but you can also create your own installer file.

To create a Windows Installer file, you first need a third-party Windows Installer packaging tool, such as WISE for Windows Installer from Wise Solutions, Inc. The steps you follow to create a .msi package differ depending on the tool you use, but the basic steps are as follows:

1. Start with a clean installation of each operating system to which you plan to deploy the software. For example,
if you plan to deploy the software to Windows XP Professional, start a new installation of Windows XP Professional on a computer and not install any other application software After the operating system is installed, use a software packaging tool to create a snapshot of the computer You must take this snapshot before you install the application software Install the application software on the computer In most cases, you will perform a standard installation of the software Be sure to select the install options that will offer the best support and configuration for your users After the application is installed, optimize the application configuration You can create or remove application shortcuts, customize toolbars, set default options, and so on Run the application at least once in case there are components that install only after startup Use your chosen software packaging tool to create a second snapshot of the computer During this process, you will create the Windows Installer file Repeat this procedure for each operating system to which you plan to deploy the software If you want to install to both Windows 2000 and Windows XP Professional, you will usually need two separate Windows Installer files Once you have the necessary installer files, you can use policy to distribute the software throughout your organization Chapter 9: Deploying and Maintaining Software Through Group Policy 329 Deploying the Software Using a Windows Installer File Once you have your Windows Installer file and have copied all the necessary files to a network share, you can configure software installation through Group Policy As discussed in “Creating Software Deployment GPOs,” in most cases you should create a new GPO, configure Software Installation policy, and then link the GPO to the appropriate sites, domains, or OUs to deploy the software To configure Software Installation policy to deploy your software, complete the following steps: Access Software Installation in Group Policy For a 
per-computer software deployment, access Computer Configuration\Software Settings\Software Installation For a per-user software deployment, access User Configuration\ Software Settings\Software Installation Right-click Software Installation and choose New, Package In the Open dialog box, type the path to the network share where your package is located or use the options provided to navigate to the package and select it Caution If you are delivering the package from a network share, you must always enter the UNC path to that share when defining the package in policy Generally speaking don’t use local paths For example, if you enter the path c:\packages\office2003\pro.msi in policy because the package is on the server’s C drive, the client that is processing that policy will look for the package on its own C drive rather than on the server Click Open If for some reason the network path cannot be verified, you’ll see a warning message asking you whether you want to continue If you click Yes, the path you entered will be used If you click No, you will exit the Software Installation deployment process and will have to start over Caution Once you click Open, there is no way to change the installation path for the software package This means if you select the wrong path or need to modify the path later, you must delete and re-create the software package In the Deploy Software dialog box (Figure 9-3), you’ll see the Published, Assigned, and Advanced options Select Published to publish the application without modifications; select Assigned to assign it without modifications Select Advanced to deploy the application using advanced configuration options, as discussed in the “Configuring Advanced and Global Software Installation Options” section in this chapter 330 Part II: Group Policy Implementation and Scenarios Note Global defaults can affect whether the Deploy Software dialog box is displayed If the dialog box isn’t displayed, a default deployment option is set For more 
information, see “Setting Global Deployment Defaults” later in this chapter Figure 9-3 Selecting the basic deployment option Once the policy is configured, the application will be deployed to all computers or users as appropriate By default, per-computer software packages are made available when a computer starts up and per-user software packages are made available when a user logs on As discussed in Chapter under “Refreshing Group Policy Manually,” you can also use the Gpupdate command-line utility to force restart and logoff Deploying Software with Non–Windows Installer Packages To deploy software using a non–Windows Installer package file, you must create a special text-based file called a Zero Administration Package (ZAP) file Once you have the necessary ZAP file, you can configure the software for deployment through Group Policy However, this approach is limited and does not provide any of the benefits of a managed application—such as privilege escalation, life-cycle management, and automatic removal Specifically, you can perform only user-based publishing, which means the program will be listed as an available application in the Add Or Remove Programs utility and user’s will be able to select the application for installation from there If you include information about an application’s file extensions, you also get a limited install-on-first-use capability Other than that, that’s the extent of what you can with non–Windows Installer package files The installation of the application runs in the normal installation file and with the user’s normal permissions This means that although you can pass the installation file optional parameters, you cannot customize the installation You cannot, for example, perform an installation with elevated permissions, so a user might need local Administrator privileges to install the application In addition, the selfrepair, upgrade, and patching benefits available with Windows Installer files are no longer available Chapter 9: 
Deploying and Maintaining Software Through Group Policy 331 Note Because of the limitations of ZAP files, these files are best used for deploying applications that you will not need to upgrade or patch The only way to upgrade or patch software deployed using ZAP is to remove the existing software through policy and then use policy to redeploy a completely new version of the software Creating the ZAP File A ZAP file takes the form of a standard Windows initialization file, with a section header and a set of key, value pairs The file can be created in a standard text editor, such as Notepad, and must be saved with the zap extension so Software Installation policy can recognize it ZAP files must contain the following sections and keys, at minimum, to be valid: [Application] FriendlyName="ApplicationName" SetupCommand="\\Servername\Sharename\Applicationinstaller.exe" /Parameter where ApplicationName is the name that will be displayed in Add Or Remove Programs, \\Servername\Sharename\Applicationinstall.exe is the complete path to the application’s installation file on a network share, and Parameter is a setup parameter you want to pass to the application’s installation file To see how this would look with an actual application, consider the following example: [Application] FriendlyName="Microsoft Visio 2003" SetupCommand="\\cpandl.com\dfsroot\packages\Visio 2003\setup.exe" /unattend This example calls Setup.exe from a domain DFS root share called packages We also pass an /unattend switch to allow the application to be deployed in an unattended fashion Note that this switch is setup-package independent Your application packages might support different switches to provide an unattended setup Note You should consider several caveats when setting the installation path If the path to the setup command contains spaces or long filenames, it must be enclosed in quotation marks Also note that referencing drive letters within the SetupCommand path causes the application 
deployment to fail The FriendlyName and SetupCommand values represent the minimum information needed in a ZAP file to properly deploy an application A set of optional key, value pairs can provide additional information within Add Or Remove Programs Specifically, the following three keys can provide additional information about the application: DisplayVersion = VersionNumberToDisplay Publisher = SoftwarePublisher URL = SoftwarePublishersURL 332 Part II: Group Policy Implementation and Scenarios where VersionNumberToDisplay is a software revision or version number you want to display in Add Or Remove Programs, SoftwarePublisher is the software manufacturer, and SoftwarePublishersURL is the URL for the software manufacturer’s Web site Here is an example: DisplayVersion = 11.0 Publisher = Microsoft Corporation URL = http://www.microsoft.com/office The following additional section and key, value pair let give you some limited install-onfirst-use capability by associating a file extension with the application being published: [ext] ext= where ext is the extension you want to associate with the application being published In the following example, the file extension vsd is referenced within the section called [ext]: [ext] vsd= If a user who has had this application published via a ZAP file opens a vsd file, the application is installed from the path specified in the SetupCommand key However, because ZAP file–based deployment provides no privilege escalation, the user must have sufficient rights on her machine to be able to successfully run the application setup Listing 9-1 shows a complete listing of a ZAP file based on the previous examples Listing 9-1 Sample ZAP File Including Required and Optional Values [Application] FriendlyName="Microsoft Visio 2003" SetupCommand="\\cpandl.com\dfsroot\packages\Visio 2003\setup.exe" /unattend DisplayVersion = 11.0 Publisher = Microsoft Corporation URL = http://www.microsoft.com/office [ext] vsd= Deploying the Software Using a ZAP 
Once you have your ZAP file and have copied all the necessary files to a network share, you can configure software installation through Group Policy. As discussed previously in "Creating Software Deployment GPOs," in most cases you should create a new GPO, configure Software Installation policy, and then link the GPO to the appropriate sites, domains, or OUs to deploy the software. To configure Software Installation policy to deploy your software, complete the following steps:

1. Access Software Installation under User Configuration\Software Settings\Software Installation. Non–Windows Installer files can be installed only on a per-user basis.

2. Right-click Software Installation and choose New, Package.

3. In the Open dialog box, type the path to the network share where your package is located, or use the options provided to navigate to the package and select it.

Caution If you are delivering the package from a network share, you must always type the UNC path to that share when defining the package in policy. Generally speaking, don't use local paths. For example, if you enter the path c:\packages\visio\visio.zap in policy because the package is on the server's C drive, the client that is processing that policy will look for the package on its own C drive rather than on the server.

4. In the Files Of Type list, select ZAW Down-Level Applications Packages (*.zap) as the file type. Click Open. If, for some reason, the network path cannot be verified, you'll see a warning message asking you whether you want to continue. If you click Yes, the path you entered will be used. If you click No, you will exit the Software Installation deployment process and will have to start over.

Caution Once you click Open, there is no way to change the path to the .zap file. This means that if you select the wrong path or need to modify the path later, you must re-create the software package.

5. In the Deploy Software dialog box, select Published to publish the application without modifications. Select Advanced to deploy the application using advanced configuration options, as discussed in the next section.

Note Global defaults can affect whether the Deploy Software dialog box is displayed. If the dialog box isn't displayed, a default deployment option is set. For more information, see the "Setting Global Deployment Defaults" section in this chapter.

Once the GPO is configured, the application will be advertised to all users as appropriate. By default, Software Installation policy published to users is applied only when a user logs on. As discussed elsewhere in this book under "Refreshing Group Policy Manually," you can use the Gpupdate command-line utility to force a logoff so that the policy is applied.

Configuring Advanced and Global Software Installation Options

After you create an assigned or published software package, you can modify the package properties using the advanced software installation options. These options are also available if you choose Advanced as the package option in the Deploy Software dialog box. You can use these options to:

■ View or set the general deployment properties
■ Change the deployment type and installation options
■ Define application categories for easier management when you have many deployed applications
■ Specify that the package represents an upgrade of a previously deployed application
■ Define the transform files that you want to use to customize the installation
■ Control deployment of an application by security group

Another set of related options are the global software installation options, which you can use to set global options for Software Installation policy.

Viewing and Setting General Deployment Properties

A software package's general deployment properties are primarily for information purposes only and include:

■ Name The name of the package as it appears to the user (within Add/Remove Programs). This name comes from the ProductName property in an .msi file
or the FriendlyName property in a .zap file. The name can be modified using the general options.
■ Product Information The version, publisher, language, and platform details from the package file. In a .zap file, version and publisher are set with the DisplayVersion and Publisher properties, respectively. Once the product information is set, it cannot be modified.
■ Support Information The contact name, phone number, and URL of the software manufacturer. In a .zap file, the URL is set with the URL property. The URL can be modified using the general options.

You can view and set the general options for a software package by completing the following steps:

1. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation, as appropriate for the type of package you want to work with. A list of defined packages should be listed in the right pane.
2. Right-click the package you want to work with, and select Properties.
3. Name, product information, and support information details are provided on the General tab, as shown in Figure 9-4.

Figure 9-4 Viewing and setting general software package options

Changing the Deployment Type and Installation Options

During the package creation process, you can set only the basic options that control whether an application should be published or assigned. Because you'll often need to fine-tune the configuration, you should always review the deployment type and installation options in the software package's Properties dialog box and make any necessary changes. To do this, follow these steps:

1. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation, as appropriate for the type of package you want to work with.
2. Right-click the package you want to work with, and select Properties.
3. Select the Deployment tab, as shown in Figure 9-5.

Figure 9-5 Reviewing and modifying deployment type and installation options

On the Deployment tab, you can choose whether to publish or assign the application. Based on that choice, other options become available or unavailable. The Deployment options you can choose from are:

❑ Auto-Install This Application By File Extension Activation Advertises any file extensions associated with this package for install-on-first-use deployment. This option is selected by default and is not modifiable when you assign a package to a user. With a published application, which normally requires the user to explicitly install the application through Add/Remove Programs, enabling this option provides assignment features for the file extensions associated with the application.

❑ Uninstall This Application When It Falls Out Of The Scope Of Management Removes the application if it no longer applies to the user. An application falls out of scope when the GPO that deployed it is no longer processed by the user or computer. If an application falls out of scope and this option is selected, the application is uninstalled during the next foreground (user logon or computer restart) processing cycle.

Note An application can fall out of scope for three general reasons: a user or computer object moves to a new location within the Active Directory hierarchy where the GPO no longer applies, a GPO is disabled or deleted from the current scope of management, or the GPO's security filtering is changed such that the user or computer no longer processes that GPO.

❑ Do Not Display This Package In The Add/Remove Programs Control Panel Prevents the application from appearing in Add/Remove Programs. This option can be useful if you want to prevent a user who has administrative access over his own machine from manually removing the policy-deployed application.

❑ Install
This Application At Logon Configures full installation, rather than advertisement, of an application at user logon. This option is cleared by default and is not modifiable when you publish a package for users.

Note With large applications, full install at logon will slow down the user logon process considerably. The application setup will need to be completed before the desktop is presented to the user.

The Installation User Interface Options settings let you define whether the user sees all messages during the application installation. With the default setting, Maximum, the user sees all setup screens and messages. With the Basic option, the user sees only error and completion messages. Some applications require you to choose the Basic option when the user initiates the installation, because the user has insufficient privileges to make setup choices during the installation.

If you click Advanced, you get the Advanced Deployment Options dialog box (Figure 9-6), which has the following options:

❑ Ignore Language When Deploying This Package Applies when the user is running one language version of Windows and is trying to install a different language version of an application. Normally this fails, but if you select this option, the application is installed anyway.

❑ Make This 32-Bit X86 Application Available To IA64 Machines Allows you to deploy 32-bit x86 applications on 64-bit Windows versions using the Intel IA-64 chip architecture. This option applies to applications installed with either .msi or .zap installer files.

❑ Include OLE Class And Product Information Allows you to include COM registration information within Active Directory. If you choose this option, COM advertisements that are part of the application package are stored within the Active Directory Class Store, which is part of the GPC related to Software Installation policy. Because the number of advertised COM components within a large package can be significant, choose this option only if you absolutely need to use COM advertisements with your deployment. See Chapter 12 for more information on the Class Store.

Figure 9-6 Configuring advanced software deployment options

Tip The Advanced Deployment Options dialog box also provides some useful diagnostic information for the package. The first value provided is the Windows Installer product code, which Software Installation policy uses as a key to determine whether an application has already been installed on a computer. The next value is the deployment count, which is the number of times the application has been redeployed. Finally, the path to the application assignment script is shown. This file is stored within the GPT portion of the GPO and holds information related to the package path and any advertisements that have been made.

Defining Application Categories

In a large enterprise, when you use Software Installation policy to deploy many applications, you might want to define application categories to help organize the list of available applications in the Add Or Remove Programs utility. If you don't create categories and dozens of applications are available, users see the entire list of available applications, and this long list can be confusing. To help reduce confusion, you might want to define application categories, such as Sales Applications, Engineering Applications, Marketing Applications, Administrative Applications, and General Use Applications. Once you define the categories, they are listed in the Add Or Remove Programs dialog box (Figure 9-7).

Creating and defining categories is a fairly straightforward process. First you define your application categories using the global software installation defaults, which we discuss in "Setting Global Deployment Defaults." Then you add an application to a category using the Categories tab options in the related Properties dialog box.

Figure 9-7 Displaying application
categories in Add Or Remove Programs

Adding, Modifying, and Removing Application Categories

Application categories are defined using the global Software Installation defaults. To define application categories, follow these steps:

1. Access Software Installation under Computer Configuration\Software Settings\Software Installation.

Note For application categories, the same global defaults are used for both per-computer and per-user Software Installation policy.

2. Right-click Software Installation and choose Properties.
3. Select the Categories tab in the Software Installation Properties dialog box, as shown in Figure 9-8.
4. To define a new application category, click Add, type the name of the application category, and then click OK.
5. To modify an existing application category, select the category to modify and then click Modify. After you change the category name, click OK.
6. To remove an application category, select the category and then click Remove.

Figure 9-8 Creating and managing application categories

Adding an Application to a Category

Once you've defined the categories you want to use in global defaults, you can add applications to these categories. To add an application to a category, follow these steps:

1. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation, as appropriate for the type of package you want to work with.
2. Right-click the package you want to work with, and select Properties.
3. Select the Categories tab.
4. Select a category under Available Categories and then click Select to select and list the application. If the application should be listed under additional categories, repeat this step.
5. Click OK.

Performing Upgrades

As discussed previously, Software Installation policy provides upgrade paths for applications when you use Windows Installer packages. There are two general types of upgrades:

■ Upgrades to perform a patch or install a service pack
■ Upgrades to deploy a new version of an application

The sections that follow discuss both types of upgrades. Keep in mind that you should thoroughly test any upgrade before deploying it. You should check to make sure the upgrade doesn't cause conflicts or other problems with existing applications that are deployed. You should also test the upgrade process to make sure it works as expected. If you don't test, you might, for example, find that you have compatibility problems or that you haven't included all the necessary files for the upgrade.

Patching or Installing an Application Service Pack

To patch or apply a service pack to a previously deployed application, complete the following steps:

1. Obtain an .msi file or .msp (patch) file for the application. The software manufacturer should provide this. If not, you must create your own, as discussed in the "Getting the Necessary Windows Installer File" section in this chapter.
2. Copy the .msi or .msp file and any new installation files to the folder containing the original .msi file. Overwrite any duplicate files if necessary.
3. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation, as appropriate for the type of package you want to work with.
4. Redeploy the application. Right-click the related package and then select All Tasks, Redeploy Application. The application is redeployed to all users and computers as appropriate for the GPO you are working with. For more information on how redeployment works, see the "Redeploying Applications" section in this chapter.

Keep in mind that only applications that have Windows Installer files can be upgraded in this way. If your application uses a .zap file instead, you need to complete the following steps:

1. Remove the existing application (as described in the "Removing Deployed Applications" section in this
chapter).
2. Create a completely new package for the application (as described in the "Creating the ZAP File" section in this chapter).
3. Deploy the new package (as described in the "Deploying the Software Using a ZAP File" section in this chapter).

Deploying a New Version of an Application

In a software package's Properties dialog box, you can establish or verify upgrade relationships between the application you are deploying and previously deployed applications. This feature allows you to perform enforced upgrades of previously installed applications. For example, if you previously published Office XP, you can deploy Office 2003 and create an upgrade relationship between the Office XP deployment and the Office 2003 deployment. Any users or computers with Office XP automatically get Office 2003 installed during the next foreground policy processing cycle.

Tip If you deploy two applications within a single GPO that have identical Windows Installer product code SKU numbers (the third and fourth digits in the product code), the second application deployed is automatically deployed with an upgrade relationship to the first. For example, if you deploy Office XP and then Office 2003, Office 2003 is deployed automatically as an upgrade to Office XP.

To upgrade a previously deployed application to a new version, complete the following steps:

1. Create a new software package to deploy the new version of the application (as discussed in the "Deploying the Software Using a Windows Installer File" section in this chapter).
2. Access Software Installation under Computer Configuration\Software Settings\Software Installation or User Configuration\Software Settings\Software Installation, as appropriate for the type of package you want to work with.
3. Right-click the related package, and then select Properties.
4. If the package is already configured to upgrade an existing package, that package will be listed under Packages That This Package Will Upgrade, as shown in Figure 9-9. To remove an existing relationship, select the package and click Remove.

Figure 9-9 Configuring upgrade relationships

5. To establish an upgrade relationship between the application you are deploying and the previously deployed application, click Add on the Upgrades tab. This opens the Add Upgrade Package dialog box (Figure 9-10).