Installing patches and apps automatically

Mark N.

I've seen info on this posted here in the past, but could somebody please
point me in the right direction here? How can I install software
automatically using my active directory? What are the limits to this
process? I've just upgraded to active directory and the thought of keeping
everybody's OS patches current through automatic install is a very pleasant
thought - can this be done? I know that at my wife's company, sometimes
when she logs onto the network, she gets a dialog telling her to wait while
patches are installed.

Thanks,
Mark
 
Ryan Hanisco

For OS patches and the like, you'll want Software Update Services... this
is a free add on to Windows Server that allows approval of patches and
updates. Look for Windows Update Services in the future to incorporate
Office patches too. This is pretty easy to install, but takes a bit of
thought and planning if you are using it to set up a test environment apart
from your production environment.

Software deployment and management can be done through GPOs as well, but
this is a much broader subject. Though many applications can be deployed
this way, it takes a lot of planning and staging to do it flawlessly. Some
applications (Like the Novell client) can't be deployed this way. Plan,
test, then deploy.

Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services
 
Mark N.

Thanks! I've downloaded a large (95 page) MS document on this :)

Mark
 
Cary Shultz [A.D. MVP]

Mark,

Deploying software via GPO is a wonderful way to do things. There are a lot
of benefits to doing it in this manner. There are the obvious benefits and
then a couple of not so obvious benefits. One of those is the
'self-healing' aspect of deployment via GPO. Say that your user base has
more than just read permissions to the Program Files folder on their local
computer. Let's just say that both Betty and Joe decide that they need some
more space on their respective hard drives ( you know, for that important
stuff like music! ) so they delete winword.exe and excel.exe. Okay, now Word
and Excel do not work. WRONG! By deploying office via GPO there is a lot
of intelligence built-in ( aka IntelliMirror ). It is smart enough to know
that there is a problem ( that winword.exe and excel.exe are missing ) and
knows what to do ( that it needs to shoot down those two files to the
affected computers ).

The big picture on how to do this is to have an Administrative Installation
Point for your applications. Let's look at Adobe Acrobat Reader 6.0.1 and
Office 2000 ( the same process works for Office XP and Office 2003 ).

First and foremost you need an .msi file. We will bypass the steps needed
for Adobe. Let's just presume with the needed folder ( which contains the
.msi file and several others ). So, you have the 'Adobe' folder. You need
to share it ( I like to hide the folders used to deploy applications via GPO
so I would share it as 'Adobe$' ) and make sure that you use the appropriate
permissions ( both on the share permissions and the NTFS permissions ). I
like to use the Domain Admins and Domain Users / Domain Computers for the
Share permissions ( either the Domain Users if you are deploying it to the
user configuration side or the Domain Computers if you are deploying it to
the computer configuration side ). Domain Admins get Full Control and
Domain Users / Domain Computers get simply Read. On the NTFS I use the same
groups. Domain Admins get Full Control again while the Domain Users /
Domain Computers get Read, Read and Execute and List Folder Contents.

Now that you have the folder shared you need to organize things in your
Active Directory. Since you can not deploy applications to Containers (
well, just go with that for a moment ) you will need to create an
Organizational Unit and then move the account objects into that OU. Let's
say that you are going to deploy Adobe 6.0.1 to the user configuration side
of things. So, you would need to create an OU and move all of your user
account objects from the default USERS container to the OU that you just
created. This will have no effect on your users logging on or anything
else. Now, right click that OU and select Properties. Go over to the tab
called Group Policy ( going from memory here so it might be Group Policies )
and click on NEW... Give it a friendly name ( like Adobe Acrobat 6.0.1 or
All Users get Adobe or whatever makes sense to you ). There! You have just
created a GPO. Huh? Well, technically, you have. It is currently empty -
but you have created a GPO. You now need to click on the Edit button. You
would then set things up. Go to the Users Configuration and Software
Settings and then Software Installation and right click that and select New
| Package....

You then simply tell AD where everything is. Please do not forget to use
the UNC path when telling AD where adobe.msi is located. It would look
something like \\fileserver01\adobe$\adobe.msi. You can not use mapped
network drives for this.

You have a couple of choices. You can either publish the application or you
can assign the application. If you publish the application then the users
need to go into Add/Remove Programs and select this from the New
Applications tab. If you assign it then the software is installed
automagically. There is also the Advanced tab. Does not necessarily apply
here. You would use this if you were going to use a .mst file ( aka
Transforms file ). You would do this for Office 2000. Now, you can publish
or assign because this is to the user side. You have only one choice -
assign - when you deploy applications to the computer side. But that should
make sense, right?

Now, for Office 2000 ( or whatever version you are using, the method is
pretty much exactly the same ) you would first have to do an Administrative
Installation. You accomplish this by running setup.exe /a. You would have
already created the shared folder ( I like to call it OFF2K and share it as
OFF2K$ ). Enter in the Company Name and the ProductID ( you do this once
and only once...right here! ). Once the installation is finished you have
your AIS. Now, if necessary create the OU ( remember that user account
objects and computer account objects can only reside in one OU - or one
Container - at a time and that it is a horrible idea to be moving these
account objects around so that one GPO or another is affecting
them.....horrible horrible horrible idea. You need to create the OU
structure and stick with it. You can use Security Group Filtering if
necessary! But that is usually - but not always - an indication of a bad OU
design. ). Then, simply do the same thing that you did for Adobe.

Now, when does the stuff that you configured in the GPOs actually happen?
Generally speaking, when the user logs off and then back on ( assuming that
things were set up in the user configuration ) or when the computer is
rebooted ( assuming that things were set up in the computer configuration ).

Another tip: when creating the GPOs ( well, better said when editing the
created but still blank GPO ) I like to disable it. Actually, you would
disable both sides. This way if it is taking a bit of time for you to
configure all the settings needed you will not have people getting part of a
GPO. Well, doesn't that contradict what I just wrote directly above? No,
it does not. Once you have finished editing the GPO then you can go back
and uncheck the 'Disable' checkboxes. Should you disable the computer side
if you are configuring this for the user configuration side of things?
Well, Microsoft used to say 'No' but I think that they are starting to
recommend that you disable the side that is not being used. So, you might
want to keep both sides unchecked and after a little time has passed ( and
you become more familiar with this whole process ) then go and check the
Computer side ( so that it is disabled ).

What about this transforms file? Well, this little .mst file will do a lot
of things for you. First off, you need to install the Office 2000 Resource
Kit. If you were installing Office XP then you would need to install the
Office XP Resource Kit. This allows you to create the .mst files. You have
to guide it to the Office2000 .msi file ( so,
\\fileserver01\off2k$\data1.msi ) and then you go through a bunch of screens
that allow you to include certain applications from Office 2000 - so, you
could create one .mst file that installs Word, Excel and Outlook and create
another .mst file that installs Word, Access and Outlook and yet a third .mst
file that installs Word, Excel, PowerPoint and Outlook ) and you can control
how things show up on the desktop ( so, you could create an Office 2000
'folder' so that when the user clicks on Start in the lower left corner
there is an Office 2000 entry at the top that holds all of the shortcuts AS
WELL AS removing the shortcuts that show up in Start | Programs - if you so
choose ). It is really nice. Now, you do need to make sure that you use
Advanced Assign or Advanced Publish in order to make use of the .mst files.
I also suggest that you create all of the .mst files that you think that you
will need before you actually deploy Office 2000. I am not sure if this is
a real requirement. I have just not had much luck with the .mst files
created after having deployed Office 2000. Maybe I am just not doing
something correctly. That does seem to be a bit dumb. I have not tried
this in a good while so maybe I am remembering incorrectly.

Also, when deploying Office 2000 ( or any version ) do not forget to make use
of the Office 2000 application-specific .adm files. There are a lot of
settings that you can control with these .adm files that are really
interesting and take a lot of the work out of setting up Office for your
user base.

Shoot, this is already really long and I am just scratching the surface.
Let's call it a day with this one so that you can absorb this.

HTH,

Cary
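
An added example, not part of Cary's post: a PowerShell audit of the share and NTFS permission model described above (Domain Admins with Full Control, Domain Users / Domain Computers with read-only access). It matters because anyone who can write to the share can replace a package that assigned machines will then install. The function name `Test-DeployShareAcl` and the allow-list are hypothetical; it assumes it is run on the file server itself, on Windows Server 2012 or later where `Get-SmbShare` and `Get-SmbShareAccess` are available.

```powershell
# Added example: audit a GPO software-deployment share for write access
# granted to anyone outside an admin allow-list.
# Assumptions: run on the file server itself, Windows Server 2012 or later.
function Test-DeployShareAcl {
    param(
        [Parameter(Mandatory)] [string] $ShareName,
        # Accounts that may hold Full Control or Change; adjust to your domain.
        [string[]] $AllowedWriters = @(
            "$env:USERDOMAIN\Domain Admins",
            'BUILTIN\Administrators',
            'NT AUTHORITY\SYSTEM'
        )
    )

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Share-level permissions: deployment targets should hold Read only.
    Get-SmbShareAccess -Name $ShareName |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -ne 'Read' -and
            $_.AccountName -notin $AllowedWriters
        } |
        ForEach-Object {
            [pscustomobject]@{
                Layer   = 'Share'
                Account = $_.AccountName
                Rights  = "$($_.AccessRight)"
            }
        }

    # NTFS permissions: flag any right that can alter or replace a package.
    $rights = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($rights::Write -bor $rights::Delete -bor
        $rights::DeleteSubdirectoriesAndFiles -bor
        $rights::ChangePermissions -bor $rights::TakeOwnership)
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) appear
    # unmapped on some inherit-only entries, so test for them as well.
    $writeMask = $writeMask -bor 0x50000000

    (Get-Acl -LiteralPath $share.Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
            $_.IdentityReference.Value -notin $AllowedWriters
        } |
        ForEach-Object {
            [pscustomobject]@{
                Layer   = 'NTFS'
                Account = $_.IdentityReference.Value
                Rights  = "$($_.FileSystemRights)"
            }
        }
}

# 'Adobe$' is the share name used in the post; no output means no findings.
Test-DeployShareAcl -ShareName 'Adobe$' | Format-Table -AutoSize
```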
 
Mark N.

Wow! Thanks Cary!

That post is a keeper!!

I'm just beginning to learn the benefits of AD, after spending months
implementing it...
I know that I can configure a lot of things, but what of the more mundane
tasks like configuring these items automatically:

Quick launch items
Printers
Desktop image
Default IE home page

Can this be done with IE?

I have my users' home page set to our corporate intranet site, but depending
where they've surfed recently, that gets changed. It would be nice to just
reset that for them rather than have them ask me a million times how to do
it!

Thanks,
Mark
 
ptwilliams

Sorry to jump in Cary,

But in answer to your question Mark: yes, you can configure almost all of
these things via GPO.

IE under User Config\Windows Settings\IE Maintenance\ URLs\ Important URLs

Desktop image somewhere under user config\ admin templates\ Desktop\ active
desktop (this is from memory ;-)

Quick launch is probably in there somewhere.

Printers are a little more tricky. Logon script is the best way to do this.


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net



 
Cary Shultz [A.D. MVP]

Paul,

You may always jump in!

And, Mark, I would completely agree with Mssr. Williams about the logon
script being the 'best' way to add the printers. Now, we can not really
tell you the 'best' way as everyone is a bit different and has his/her own
way of doing things. I would consider using a .vbs logon script. There is
also the possibility to use con2print or printui.dll.

HTH,

Cary
 
Mark N.

Thanks Paul...

Looks like I'll be researching GPOs now :)

Mark
 
Mark N.

Thanks Cary!
I'm pretty weak when it comes to .vbs, so I may have to look at the other
options (or just buckle down and keep working on .vbs).

Mark
 
Cary Shultz [A.D. MVP]

Mark,

Being 'weak' in .vbs is no excuse! And I am super weak when it comes to
scripting. I am just now getting into WMI and ADSI. There are a ton of
resources for you when it comes to logon scripts in .vbs. All you would
have to do is to change the server name and the share name ( for mapped
network drives ) and / or the servername and printer names ( for printers ).
You can even tell which printer is the default printer. It is really quite
nice!

The printui.dll is a nice way as well if you really do not want to mess with
.vbs......

Cary
 
Cary Shultz [A.D. MVP]

Mark,

GPOs are really great.

Essentially installing software the way we discussed is making use of Group
Policy Objects. The same rules apply.

HTH,

Cary
 
Mark N.

Thanks - I'll do some Googling and see what I find :)
Mark
 
ptwilliams

I'm another scripting newbie, but I love it!!! With a bit of patience at
understanding the structure of the language and more patience for searching
msdn or the SDK you will soon find yourself whipping up enterprise-class
scripts. Coupled with the fact that there's an abundance of free scripts
available throughout the Windows community, you can't go wrong (you'd be
hard pressed to not find what you want without making many customisations
too).

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
Mark N.

Thanks! I need to get moving on this! Heck, I don't really even know where
to start, like, is AD already ready for these GPOs, or do I have to install
something? It stinks that I'm the only IT guy at my company and I'm buried
under so much work that it's hard to learn anything new :-(

Mark
 
ptwilliams

I hear you with the work thing!! We get more work and less money : (

You don't need to install anything. You configure GPOs at either the
domain, site or OU level. Right-click on the domain or an OU in ADU&C,
choose properties and Group Policy; or right-click and choose properties,
Group Policy on a site object in ADSites and Services.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
Mark N.

Thanks Paul - talk about work! It took me 8 days to come check for new
responses :-(

Your help is very much appreciated!
Mark
 
ptwilliams

No problem : )


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


 
