Server Basics 09: How to configure group policy (Part 1)

Group Policy is a great tool that will make your life easier – managing client machines (and servers) through Group Policy is something you should definitely master.

What is Group Policy? With Group Policy you can centrally manage your clients (and servers) and deploy changes to client PCs from one place.

Short example – you have 100 PCs in your domain. You want every client to use Firefox browser, but you don’t have it installed.

You can do it two ways – manually install it on 100 PCs by going from one machine to another, or deploy it via Group Policy centrally.

Firefox is just an example, you can do the same with settings, policies, software, shortcuts, printers…

Really powerful tool for client management in a domain.

Ok, since this is a hands-on series, not a theory lesson, let’s get to work.

I will show you two scenarios for Group Policy, and this is the first one.

We will deploy software via Group Policy.

Before we begin

We will deploy software from our domain controller, which is the ServerBasicsAD machine.

For this scenario, we will do everything from the ServerBasicsAD machine.

First we will create a shared folder on the ServerBasicsAD machine. This is where we will keep our software installation repository.

This repository really belongs on a file server, not on your domain controller. But since this is a lab and we don’t have infinite resources, we will do it on the domain controller. In production, keep your installation packages on a file server and let the domain controller be only a domain controller.

I created a folder named “SoftDeployment” in C:\SoftDeployment. Right click on the created folder and select Properties.

Go to the Sharing tab and select “Advanced Sharing” (also note the path of the file share – \\SERVERBASICSAD\SoftDeployment).

Select Share this folder, and then click on Permissions.

Remove Everyone, which is displayed by default in Share Permissions. Click on Add and add the Development and Sales groups (Server Basics 07 comes in very handy now, we created those groups there) and grant these groups the Read permission. Also add Administrators and grant them Read and Change rights.

This is how Share Permissions should look after you are done. Select Apply, OK. (In some cases you will also have to enable the Change permission for the group you are pushing the app to, since some apps won’t deploy without it.)

Confirm everything with Apply, OK and stay on SoftDeployment folder Properties.

Go to Security tab in Properties of SoftDeployment folder.

Now select Edit and click on Add. Repeat the same procedure as you did above – add the Sales and Development groups and grant them the Read & Execute, List folder contents and Read rights. You can also add Administrators and grant them Modify rights.

This is how your Security tab should look in the end. Now we are done – Apply | Ok, close everything.
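The share and NTFS settings from the steps above can also be applied and checked from PowerShell. This is an added example, not part of the original walkthrough; it assumes Development and Sales are groups in the current logon domain and that it runs elevated on ServerBasicsAD. Access over the network is limited by whichever of the share and NTFS permissions is more restrictive, so the last step lists accounts that can write on both levels.

```powershell
# Added example: run in an elevated PowerShell session on ServerBasicsAD.
# Assumption: Development and Sales are groups in the current logon domain.
$path   = 'C:\SoftDeployment'
$share  = 'SoftDeployment'
$users  = "$env:USERDOMAIN\Development", "$env:USERDOMAIN\Sales"
$admins = 'BUILTIN\Administrators'

New-Item -Path $path -ItemType Directory -Force | Out-Null

# Share permissions: Read for the two groups, Change for Administrators.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $path -ReadAccess $users -ChangeAccess $admins | Out-Null
}
# Remove the Everyone entry if it is present on the share.
if (Get-SmbShareAccess -Name $share | Where-Object AccountName -eq 'Everyone') {
    Revoke-SmbShareAccess -Name $share -AccountName 'Everyone' -Force | Out-Null
}

# NTFS permissions: RX = Read & Execute, List folder contents, Read; M = Modify.
# (OI)(CI) makes the entry apply to files and subfolders as well.
foreach ($g in $users) { icacls $path /grant "${g}:(OI)(CI)RX" | Out-Null }
icacls $path /grant "${admins}:(OI)(CI)M" | Out-Null

# Audit: accounts other than Administrators that hold write access on the share
# AND on NTFS could replace the packages that Group Policy installs.
$shareWriters = Get-SmbShareAccess -Name $share |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -in 'Change', 'Full' } |
    Select-Object -ExpandProperty AccountName
$writeMask   = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$ntfsWriters = (Get-Acl $path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeMask) } |
    ForEach-Object { $_.IdentityReference.Value }

# Simple name match only; nested group membership is not resolved.
$shareWriters | Where-Object { $_ -in $ntfsWriters -and $_ -ne $admins }
```

An empty result from the last line means no non-administrator entry can write through the share, even if a group was later given Change on the share level.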

We will now connect to the ServerBasicsCL1 client machine and try to access the share we just created on ServerBasicsAD.

If we enter \\serverbasicsad\SoftDeployment into File Explorer on ServerBasicsCL1 machine, we should see Firefox and Notepad installations in there. Works fine, client is able to access files on server.

Check also if everything works from ServerBasicsCL2 machine, you should get same result.

Now, back to the ServerBasicsAD and SoftDeployment folder.

I will download the Firefox browser and Notepad++. Every package you deploy via Group Policy should be an .msi installer. So, you should search for the Firefox .msi package and the Notepad++ .msi install package. Both are available from manufacturers. Exe files will not work.

I will install Notepad++ to the Development group users (ServerBasicsCL1, Ana P is logged) and Firefox to the Sales group (ServerBasicsCL2, Stephan D is logged onto PC).

Group Policy Configuration

Ok, this part will be done on ServerBasicsAD – our domain controller and active directory (domain) host.

Go to Start | Windows Administrative Tools | select Group Policy Management

This is what you will get. What now?

Before we start, let me explain a few things, so that if you are starting for the first time, you can start correctly and by the book.

Too many times I have seen all the policies placed under the Default Domain Policy, or under a single Group Policy Object (GPO).

Create a separate object for each rule you wish to enforce. For example, we will name this rule SoftDeployment. If I wished to deploy printers through Group Policy, I would create a separate policy object named Printers… If I wished to create firewall rules for the domain, I would create a Firewall policy object…

You get the idea – one policy object for one rule (or similar rules).

Also, in Server Basics 07 we learned how to create Organizational Units in our domain. This comes in handy now. First we easily created share rules for folders with the domain groups we created, and now in Group Policy you can see the Development and Sales OUs in the main tree.

This way we will easily deploy various things separately for both departments according to their needs.

You can really combine things as you see fit in Active Directory and Group Policy.

Now, back to our task.

We will first deploy Notepad++ to Development.

Right click on Development and select “Create a GPO in this domain, and Link it here…”

I will name the object “SoftDeployment”, Starter GPO will stay None, and I will confirm with OK.

After you confirm with OK, you will see the object created under the Development OU. In the right pane, under the “Linked Group Policy Objects” tab, you will also see the created object. Right click on it and select Edit.

Under User Configuration expand Policies | select Software Settings | Software installation | right click in the right part of the screen and select New | Package…

New window will open and you will have to navigate to your .msi installation package. I will install Notepad++ for Development.

It is extremely important that you navigate to your installation package through the network path. So navigate to \\serverbasicsad\SoftDeployment and select the Notepad++ .msi package.

If you select this package on local disk (C:\SoftDeployment) this will not work.

You need to select package via network path.

Select Assigned – OK

This is how it should look like after you confirmed with OK.

Right click on created package and select Properties.

Go to Deployment tab and under Deployment options select “Install this application at logon”. Leave everything as it is, confirm with Apply, OK.

Back on Group Policy Management, if you select SoftDeployment object we created under Development, and click on Settings tab in the right part of screen, you can see that we created this rule.
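The GPO creation and link from the steps above, plus a check that every package in the GPO was added through a network path, can be scripted as follows. This is an added example, not part of the original walkthrough; it assumes the Development OU sits directly under the domain root and that the GroupPolicy and ActiveDirectory modules are available on ServerBasicsAD. The package itself is still added in the editor as described above.

```powershell
# Added example: run on ServerBasicsAD in an elevated PowerShell session.
# Assumption: the Development OU is directly under the domain root.
Import-Module GroupPolicy, ActiveDirectory
$dn      = (Get-ADDomain).DistinguishedName
$gpoName = 'SoftDeployment'

# Create the GPO if it does not exist yet and link it to the Development OU.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Guid $gpo.Id -Target "OU=Development,$dn" | Out-Null
}

# Once a package has been added in the editor, it is stored in AD as a
# packageRegistration object below the GPO's container. Its msiFileList
# attribute holds the package path.
# Assumption: each value is prefixed with an index such as "0:", stripped here.
$base = "CN={$($gpo.Id)},CN=Policies,CN=System,$dn"
Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=packageRegistration)' `
             -Properties displayName, msiFileList |
    ForEach-Object {
        foreach ($entry in $_.msiFileList) {
            $p = $entry -replace '^\d+:', ''
            [pscustomobject]@{
                Package = $_.displayName
                Path    = $p
                IsUnc   = $p.StartsWith('\\')   # False = local path, clients cannot reach it
            }
        }
    }
```

Any row with IsUnc set to False points at a package that was picked from a local disk and has to be re-added through \\serverbasicsad\SoftDeployment.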

We will now reboot ServerBasicsAD server for a good measure (you don’t have to do it in production, we are doing this just because we can).

Now, let’s switch to the Development client machine – ServerBasicsCL1.

You would now need to reboot your ServerBasicsCL1, and after Ana P logs in again, the application should be available.

You don’t need to restart the client PC to refresh Group Policy; you can also start a command prompt (as Administrator) and type in

gpupdate /force

That should refresh your Group Policy and apply policy changes to the client PC.

Also, this deployment wasn’t without issues. You need to make sure that the .msi installer the application’s developer offers will work with Group Policy; if it won’t, you will need to modify the installation. So this can be hit or miss. Also, the apps wanted the Change permission to be enabled for the group (Development here, for example).

After tinkering with the package, this worked. In the end I installed a different Notepad++ package from a different source.

This is the package that worked.

For a Sales PC (ServerBasicsCL2) I deployed Firefox.

The principle of creating the policy object is the same, only this time I named the policy FirefoxDeployment and put it into the Sales OU in Group Policy, since I want to enforce it on Sales OU PCs.

The Firefox package worked out of the box after the first reboot of the client.

It also required the Change permission for the Sales group on the SoftDeployment share.

Ok, so in the end we successfully deployed Notepad++ to our Development client and Firefox to Sales client.

This can be a tricky deployment. Some packages will work out of the box and some won’t, but if you put in extra effort you can deploy many of your apps via Group Policy.

Conclusion

There will be a part two of Group Policy, where I will show you a somewhat easier deployment – we will deploy some changes to the local security policy on our client PCs.