User Group Policy – Software Installation

Microsoft Group Policy – Software Installation

With software installation policies you get the best of both worlds; the ability to roll-out programs like Microsoft Word, Access and Excel to local machines, while retaining central control of all such desktop applications.  For example, you could assign a program to a group of secretaries, but when they get a promotion, you could assign them additional accountancy software.  This avoids running programs across the network and saves you running around to each machine in the building every time a setting needs changing.

While it is possible to assign software to computers, I prefer to assign packages here in the User Configuration section of the Windows Server 2003 GPO (Group Policy Object).


Getting Started – Assign your .msi package

As a prerequisite you must obtain the program in .MSI format.  Then you share out the folder containing that .MSI package.

To create the policy, launch the GPMC in Windows Server 2003, then right-click ‘Software Installation’, choose New, then Package, and simply browse for the UNC name of the server, \\alan\Cosmo 1.

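Trap 1: Instead of choosing a UNC path (correct), you use a local path.  A local path such as e:\download only exists on the server, so client machines cannot locate the package.  To see what I mean, check the picture opposite and compare Cosmo (correct – UNC) with MSN Messenger (wrong – e:\download).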

When you configure your package, Microsoft gives you two options: Assign (best) or Publish.  With Assign, an icon appears on the Start Menu and when the user clicks it, the program is installed.  Contrast that with Publish, where the user would have to go to the Control Panel, Add or Remove Programs before they could install the program.  Now you can see that ‘Assign’ is easy for the users, whereas ‘Publish’ has many more steps.  Also, ‘Assign’ is able to take advantage of elevated rights, so that ordinary users can, in effect, install the programs that you assign to them.
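An added example, not from the original article: a PowerShell pre-flight check that flags the Trap 1 mistake and, because assigned packages install with elevated rights, also reports when ordinary users can write to the package or its folder. The sample paths and the list of broad principals are assumptions, and only NTFS permissions are checked.

```powershell
# Added example: pre-flight check for package paths before assigning them in a GPO.
# Both sample paths are constructed placeholders; substitute your own.
$PackagePaths = '\\server\share\package.msi', 'e:\download\package.msi'

# Principals that normally cover ordinary users (assumption; adjust for your domain).
$BroadPrincipals = '(^|\\)(Everyone|Authenticated Users|Users|Domain Users)$'

# Rights that allow replacing or altering a package:
# named flags plus the raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
$WriteMask = ([int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x50000000

function Test-PackagePath {
    param([Parameter(Mandatory)][string]$Path)

    # Trap 1: a drive-letter path only resolves on the machine where it was typed.
    if ($Path -notmatch '^\\\\[^\\]+\\[^\\]+\\') {
        return [pscustomobject]@{ Path = $Path; Findings = @('Not a UNC path') }
    }
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Findings = @('UNC path not reachable from here') }
    }

    # Check the package and its folder: write access to either allows a swap.
    $findings = @()
    foreach ($item in $Path, (Split-Path -Path $Path -Parent)) {
        foreach ($ace in (Get-Acl -LiteralPath $item).Access) {
            $writable = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $writable -and
                $ace.IdentityReference.Value -match $BroadPrincipals) {
                $findings += "$($ace.IdentityReference) can write to $item"
            }
        }
    }
    [pscustomobject]@{ Path = $Path; Findings = $findings }
}

$PackagePaths | ForEach-Object { Test-PackagePath -Path $_ } | Format-List
```

Share permissions are evaluated separately from NTFS permissions, so confirm that the share itself grants users read access only.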


Product life-cycle

With a Software Installation Policy, the real savings come when you analyse the full life cycle of a software package.  When you first install a new program you cannot believe that one day it will be out of date; you also put to the back of your mind that it may need a service pack.  Provided you assign software through Group Policies, upgrade and removal are just a matter of a few clicks.  You certainly do not have to visit every desktop.  Unfortunately, you cannot remove or upgrade software that was installed manually, outside the scope of the Group Policy.  So the message is, plan for the software life-cycle and use this smart software installation technology.

Software Group Policy – Upgrades

If you need to update your software package, right-click it, select Properties, and note the selection of tabs opposite.

Trap 2: Be careful when you right-click and select properties.  The blue and white box called ‘Software Installation’ has its own properties; these are in addition to each .MSI package which has its own properties.  My message is, be careful where you right-click.

When the time comes to upgrade, go back to the server, add the new .MSI to the network share and select ‘Assign’, just as you did with the first package.  Now comes the crucial step: select the Upgrades tab and add the name of the second program.  Make sure that you get the logic right; you do not want to replace the new program with the old one!


There are options for fine-tuning your deployment strategy.  I particularly like the ability to remove the application when the user moves out of scope, for instance, if they move to a new OU.


These are only used if you are publishing.  Guy says avoid publishing!

Summary Group Policy Software Installation

By assigning software you can distribute packages to users, or to computers and potentially anyone who logs on.  If you assign the program to a user, the operating system installs the executable when the user logs on to that machine.

If you assign the program to a computer, then it is available to all users who log on to the computer. When a user first runs the program, the installation completes.
