HOW TO DEPLOY EXE FILES USING GPO

Group Policy is a hierarchical infrastructure in Microsoft’s Active Directory that gives network and system administrators a centralized means of configuring Windows servers and desktops. A collection of policy settings constitutes a Group Policy Object (GPO), and each GPO is identified by a Globally Unique Identifier (GUID). For a selected scope of management (SOM), the Group Policy Object Editor extension in the Microsoft Management Console (MMC) lets you configure computers and users. One such feature within Group Policy is the unattended and targeted deployment of assigned and published applications. Group Policy settings are split into computer-related policies and user-related policies. It should be noted that the computer-related policies supersede user-related policies.

METHODS OF SOFTWARE DEPLOYMENT

Deploying software to Windows servers, computers, and users can be automated in many ways. Some solutions other than Windows Group Policy demand re-packaging the setup files and need complex server infrastructure to deploy the services, so many organizations avoid that complexity, because Windows Group Policy offers a better option. Although the Group Policy Software Installation (GPSI) feature has its shortcomings, it has enough capability to meet the requirements of many organizations.

GPSI provides two types of software deployment: 1. Publishing and 2. Assigning applications. Publishing an application means that users can choose to install it or ignore it; it appears in the Add / Remove Programs section of Control Panel. Assigning an application means the software is deployed regardless of the user’s choice.

Note: The GPSI feature is not available in a local Group Policy Object, so you need an Active Directory installation to use it.

Let’s delve right into the deployment of applications. Some of the best ways to deploy an application or program in the Active Directory are:

  1. Deployment through Group Policy by converting .exe files to .msi
  2. Deploying .exe files using GPOs by running a batch file from a logon or startup script
  3. Configuring a GPO to install software for specific users

DEPLOYMENT THROUGH GROUP POLICY

Prerequisites:

  1. A packaging utility to convert the .exe file to an .msi file. Many such open source utilities are available for download on the internet.
  2. A shared network folder with at least read access for all computers and users.
  3. A Group Policy Object linked to the Organizational Unit (OU) intended for software deployment.

After the prerequisites are in place, follow the steps below to deploy the application through Group Policy.

  1. Convert the executable (.exe) file to a Microsoft Installer (.msi) file using a packaging utility.
  2. Navigate to the shared folder in your network and create a new folder.
  3. Rename the new folder as you see fit, then right-click it and click the ‘Share folder’ or ‘Share’ option from the menu toolbar.
  4. Input “Everyone” in the field and click on Add.
  5. Set the permission level of the ‘Everyone’ entry to ‘Reader’ and click on the Share button.
  6. Take note of the location of the shared folder (UNC path) in your network.
  7. Now, double-click your shared folder, create a new folder inside it and rename it with the name of the software.
  8. Double-click this folder and paste the .msi file inside it.
  9. Then, switch to your Domain Controller (DC) server and open ‘Server Manager’.
  10. In the navigation tree on the left side, open ‘Features’, then ‘Group Policy Management’, then your forest folder. Navigate to your desired domain and expand the intended Organizational Unit.
  11. Now right-click the OU and click on ‘Create a GPO in this domain, and Link it here…’
  12. Name your GPO for your reference and click OK. Make sure the new GPO is listed in the Group Policy Objects folder of the tree.
  13. Right-click the GPO and click ‘Edit’. A Group Policy Management Editor window will open.
  14. On the left side, expand ‘Computer Configuration’, then ‘Policies’, then ‘Software Settings’, then click ‘Software Installation’.
  15. Now, on the right side of the window, right-click the blank space, expand ‘New’ and click ‘Package’.
  16. Browse to the shared folder where your application package is. Use the UNC path noted in step 6 rather than a local drive path, since the clients, not the server, must be able to reach it. Open the folder, click the .msi file and then click the ‘Open’ button.
  17. Select the ‘Assigned’ option and click OK.
  18. After creating the GPO, refresh Group Policy from the command prompt: open Command Prompt and enter “gpupdate /force” (without quotes). This forces the machine to pull the updated policy from Active Directory.
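The share and GPO setup in steps 2 to 12 can be scripted; the PowerShell below is an added example, not part of the original article, and assumes the server, share name, OU and package name shown in its comments. It also adds the two checks worth doing before a package is assigned to a whole OU: that only administrators can write to the share, and what the package’s signature and hash are.

```powershell
# Added example (not from the original article): prepare the distribution
# share and the linked GPO from PowerShell, run on the file server that is
# also the domain controller here. The package assignment itself (steps
# 14-17) is still done in the Group Policy Management Editor; the
# GroupPolicy module has no cmdlet for it. All names below are assumptions.
#Requires -Modules GroupPolicy
$root  = 'C:\Software'                           # local folder behind the share
$share = 'Software'                              # published as \\<server>\Software
$app   = 'ExampleApp'                            # one subfolder per application
$msi   = Join-Path $root "$app\ExampleApp.msi"   # package dropped here in step 8
$ou    = 'OU=Workstations,DC=example,DC=com'     # target OU from step 10
$gpo   = 'Deploy ExampleApp'                     # GPO name from step 12

New-Item -ItemType Directory -Path (Join-Path $root $app) -Force | Out-Null

# Share permission: Everyone read, as in step 5. Every computer installs from
# this folder as SYSTEM, so only administrators may write to it: an MSI that
# a user can replace gets installed with SYSTEM rights across the whole OU.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $root -ReadAccess 'Everyone' | Out-Null
}
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)          # stop inheriting ACEs
$rule = 'System.Security.AccessControl.FileSystemAccessRule'
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object -TypeName $rule -ArgumentList $id, 'FullControl',
        'ContainerInherit,ObjectInherit', 'None', 'Allow'))
}
$acl.AddAccessRule((New-Object -TypeName $rule -ArgumentList 'Everyone', 'ReadAndExecute',
    'ContainerInherit,ObjectInherit', 'None', 'Allow'))
Set-Acl -Path $root -AclObject $acl

# Record what you are about to push. A vendor MSI should carry a valid
# Authenticode signature; one repackaged from an .exe (step 1) usually
# will not, so keep its SHA256 with the change record instead.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    Write-Warning "$msi is not validly signed (status: $($sig.Status))"
}
$hash = (Get-FileHash -Path $msi -Algorithm SHA256).Hash
"SHA256 of package: $hash"

# Steps 11-12: create the GPO and link it to the OU.
if (-not (Get-GPO -Name $gpo -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpo | New-GPLink -Target $ou -LinkEnabled Yes | Out-Null
}
"UNC path to pick in step 16: \\$env:COMPUTERNAME\$share\$app\$(Split-Path -Path $msi -Leaf)"
```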

DEPLOYING .EXE BY ACTIVE DIRECTORY GPO

GPO-based Software Installation supports only .msi files, not .exe files. Organizations don’t always need to deploy an .exe file as is, but in some cases it is unavoidable, such as when the software vendor does not provide an .msi version and third-party conversion from .exe to .msi does not work. For such cases, the following method is useful.

CREATING BATCH FILE

  1. Follow steps 2 to 8 above to place your .exe file inside a shared folder in your network.
  2. Open Notepad.
  3. Enter the UNC path noted earlier. It will look like: \\server name\software name\software.exe (Note: the server name, software name and the name of the executable change as per your organization’s naming convention.)
  4. Now save the file as filename.bat (replace filename with a name of your choice).

If you require an even more secure method, you can have the file copied to the temporary folder on each machine and run locally there. In that case, the batch commands in Notepad will look like the following.

rem copy the installer from the share to the local temp folder (quotes protect spaces in the path)
copy "\\server name\software name\software.exe" "%temp%"
rem run the local copy; %temp% is a folder, so the file name must follow a backslash
"%temp%\software.exe"
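As an added example (not the article’s batch file), here is the same copy-and-run logic as a PowerShell startup script, which goes under the ‘PowerShell Scripts’ tab of the Startup Properties window rather than the ‘Scripts’ tab; the UNC path, silent switch and expected hash are placeholders. It adds what a script that runs as SYSTEM on every boot should have: a hash check on the copied file, an idempotency marker, and a log.

```powershell
# Added example (not the article's batch file): a PowerShell startup script
# that does the same copy-locally-and-run, plus the checks a script running
# as SYSTEM on every boot needs. The UNC path, silent switch and expected
# hash are assumptions; fill them in for your package.
$Source       = '\\server name\software name\software.exe'   # from step 3
$ExpectedHash = 'PUT-THE-SHA256-OF-THE-PUBLISHED-EXE-HERE'      # upper-case hex
$SilentArgs   = '/S'                        # installer-specific silent switch
# Staging folder under Program Files: standard users have no write access
# there, so the copy cannot be swapped between the hash check and the run
# (the batch version's %temp% is writable by whoever is logged on).
$Stage  = Join-Path $env:ProgramFiles 'Deploy'
$Local  = Join-Path $Stage (Split-Path -Path $Source -Leaf)
$Marker = Join-Path $Stage 'software.installed'
$Log    = Join-Path $Stage 'software.log'
New-Item -ItemType Directory -Path $Stage -Force | Out-Null

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $Log
}

# The batch version re-runs the installer on every start; a marker file
# written only after a successful install makes this one idempotent.
if (Test-Path -Path $Marker) { Write-Log 'already installed'; exit 0 }

try {
    Copy-Item -Path $Source -Destination $Local -Force -ErrorAction Stop
} catch {
    Write-Log "copy from $Source failed: $_"; exit 1
}

# Run only the file you published: compare its hash before executing it.
$actual = (Get-FileHash -Path $Local -Algorithm SHA256).Hash
if ($actual -ne $ExpectedHash) {
    Write-Log "hash mismatch for $Local (got $actual); not running"
    Remove-Item -Path $Local -Force
    exit 1
}

$proc = Start-Process -FilePath $Local -ArgumentList $SilentArgs -Wait -PassThru
Write-Log "installer exited with code $($proc.ExitCode)"
if ($proc.ExitCode -eq 0) {
    New-Item -ItemType File -Path $Marker -Force | Out-Null
}
Remove-Item -Path $Local -Force
exit $proc.ExitCode
```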

ADDING THE BATCH FILE IN THE AD GPO

  1. From the Domain Controller (DC) server, open the ‘Group Policy Management Editor’ window from ‘Windows Administrative Tools’.
  2. Create a new GPO. Follow steps 10 to 13 in the method above to do so.
  3. Now the script has to be enabled so that it runs the software from either the network source or the local copy. It can be enabled through two configurations, ‘Computer Configuration’ or ‘User Configuration’, depending on whether the application is to be deployed through a ‘Logon’ script or a ‘Startup’ script.
  4. For users to be configured, expand ‘User Configuration’, then ‘Policies’, then ‘Windows Settings’, then ‘Scripts (Logon/Logoff)’.
    1. Double-click ‘Logon’ under the Name column to open the Logon Properties window.
    2. In that window, click ‘Add’ and then ‘Browse’.
    3. Copy the batch file (.bat) created earlier into the folder the Browse dialog opens (this is the GPO’s own script folder in SYSVOL, which is replicated to every domain controller).
    4. Select the file in this window, click ‘Open’ and then ‘OK’.
    5. In the Logon Properties window, click ‘Apply’ and then ‘OK’.
  5. For computers to be configured, expand ‘Computer Configuration’, then ‘Policies’, then ‘Windows Settings’, then ‘Scripts (Startup/Shutdown)’.
    1. Double-click ‘Startup’ under the Name column to open the Startup Properties window.
    2. In that window, click ‘Add’ and then ‘Browse’.
    3. Copy the batch file (.bat) created earlier into the folder the Browse dialog opens (the GPO’s script folder in SYSVOL).
    4. Select the file in this window, click ‘Open’ and then ‘OK’.
    5. In the Startup Properties window, click ‘Apply’ and then ‘OK’.

Lastly, link the GPO to the intended domain or OU. Then update Group Policy by following step 18 from the previous method.

TESTING

Once the GPO update is complete, log on to one of your client machines and perform a hard reboot. Note: The deployment takes effect only when the client computers are hard rebooted. The application should show up after the boot process.

TROUBLESHOOTING TIPS

Listed below are some troubleshooting tips that come in handy when performing software installation via GPO.

  1. Enable startup messages to be displayed while loading.

Expand ‘Computer Configuration’, then ‘Policies’, then ‘Administrative Templates’, then ‘System’ and enable ‘Display highly detailed status messages’.

This shows the user what is happening while the screen is loading, in this case ‘Applying software installation settings’.

  2. Make sure the computer waits for the network to be connected during startup or logon.

Expand ‘Computer Configuration’, then ‘Policies’, then ‘Administrative Templates’, then ‘System’, then ‘Logon’ and enable ‘Always wait for the network at computer startup and logon’.

If the machine is not connected to the network when the installation is supposed to run, the installation will fail. That’s why it is advised to enable this GPO setting.

  3. Verify the GPO is enabled

Sometimes the issue is that the GPO settings are not being applied. To verify, run the built-in ‘gpresult /r’ command from an elevated command prompt (run as administrator). This lists the GPOs that are applied.

To display GPO settings applied to all users and computers, use “gpresult /r” command (without quotes).

To display GPOs applied to a specific user, use the “gpresult /r /scope:user” command (without quotes).

To display GPOs applied to a specific computer, use the “gpresult /r /scope:computer” command (without quotes).

To display GPO applied to a remote computer, use “gpresult /s pc2 /r” command (without quotes).

To generate an HTML report, use the “gpresult /h c:\reports.html” command (without quotes).

To export as a text file, use “gpresult /r >c:\results.txt” command (without quotes).

  4. Check event logs in case of failure

If the installation failed on a computer, open the System event log and check it for errors. This provides details and reasons for the failure of the installation.
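To pull those entries without clicking through Event Viewer, here is an added PowerShell example (not from the original article); the log names, provider names and Windows Installer event IDs are the standard ones, while the remote computer name is an assumption.

```powershell
# Added example (not from the article): collect the event-log entries that
# explain a failed GPO software installation, instead of scrolling through
# the System log by hand. Run elevated on the client, or give -ComputerName
# to query another machine (assumed name 'pc2', as in the gpresult tip).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)
$since  = (Get-Date).AddHours(-$Hours)
$common = @{ ComputerName = $ComputerName; ErrorAction = 'SilentlyContinue' }

# 1. Group Policy engine warnings/errors (e.g. the software-installation
#    extension not being applied at all).
$gpEvents = Get-WinEvent @common -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-GroupPolicy'
    Level = 2, 3; StartTime = $since
}
# 2. The software-installation extension itself (assigned/published packages).
$csEvents = Get-WinEvent @common -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Application Management Group Policy'
    StartTime = $since
}
# 3. Windows Installer: 11707 = install succeeded, 11708 = install failed,
#    1033 = product install finished, with the status code in the message.
$msiEvents = Get-WinEvent @common -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'MsiInstaller'
    Id = 1033, 11707, 11708; StartTime = $since
}

# One timeline, first line of each message only.
$gpEvents, $csEvents, $msiEvents |
    ForEach-Object { $_ } |
    Where-Object { $_ } |
    Sort-Object -Property TimeCreated |
    Select-Object -Property TimeCreated, ProviderName, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```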

  5. Try testing with smaller .msi files

The problem may even be due to a faulty .msi file, so try deploying a smaller .msi (an application like 7-Zip) through the GPO and verify.

Deploying software through GPO is simple in nature, although Group Policy itself can be hard to manage and monitor, mainly because of its limited capabilities and features when it comes to deploying software and application packages. The above methods should provide some wider means of deploying software to computers and users in Active Directory. Happy deployment!
