Deploying Applications Using Group Policy

Adam Jones - Systems Engineer

Automation is on the mind of every IT admin. It makes our jobs easier and our end users happy. One extremely useful form of automation on a network is the ability to deploy software packages using Group Policy.

Recently a customer came to us with a request to push Adobe Flash Player to all of their end user’s workstations. This particular software package is perfect for installing through GPO because it is available in a Windows Installer format (which is required for publishing in a GPO) and it is a quick installation process.

The first step is to create a share on your server that contains the MSI package required for installation. Since the GPO can be linked to OUs that contain computer objects OR user objects you will need to determine the object type to receive the policy. This is important because if you decide to link this policy to a computer container, you must ensure that you configure the security tab of your shared folder to include the security group that contains the COMPUTER accounts slated for the installation. For instance, give the “Domain Computers” group Read and Execute permissions on the folder. Now that your share is properly configured you can build your GPO.

From the Group Policy Editor, navigate to the container that holds your computer objects OU and create and link a new policy. Be sure to give this policy a meaningful name such as “Sales App Deployment” or something similarly clever. Now open your policy by choosing “Edit” and navigate to Computer Configuration > Software Settings > Software Installation. Right click in the blank space and choose New > Package. Browse to the UNC path of the network share that was created above and select your MSI package. Since we are deploying this application to computer objects you will only be given the option to “assign” the package. This means that once the policy has been updated on the target computers, the software package will be assigned (installed) on the next reboot.

If you happen to choose a user group for your deployment and you have configured the policy in the “User Configuration” section you will be presented with options to assign or publish. If you select the “publish” option, the application will be available for the users to install by going to Control Panel > Add Remove Programs in XP or Programs and Features in Windows Vista and Windows 7. Additionally, they will be given the option to install the application when opening an associated file type. If you select the “assign” option this means that the application will be installed during the next user logon process. 

I hope you will consider using Group Policy the next time you need to deploy an application across your network. It can be a real time saver!