Using Group Policy to deploy software to select computers

Assigning software through Group Policy is traditionally thought of as a pretty simple and inexpensive way of automating the deployment of software to entire groups of computers. These groups are defined in the Active Directory (AD) and are more accurately called an Organizational Unit (OU). While it does not require the purchase of any additional software, there are a few downfalls to using Group Policy software deployment:

  • the installation files have to come as a .MSI file (well, maybe not)
  • patching software typically requires a complete uninstall and re-install of the patched version
  • It is traditionally and by default thought that deployed software will be installed on all computers in an OU, which can play havoc on licensing

These downfalls are not that bad. You have to take extra steps and extra consideration if you do not receive the setup files in the form of a .MSI, but there are more and more tools coming available to deal with that.

The uninstall and re-install of software occurs at startup. If you are using any power management (Intel’s AMT or Wake-On-LAN) you can have the machines boot up hours before users arrive to have them updated and all the software installed.

Regarding installing software on an entire OU, the rest of this article shall hopefully guide you past the default settings and so you can specify which computers or security groups receive the software (remaining inline with your licenses).

Best practice would state to create a new Group Policy Object for each software installation you want to do. That will provide the greatest granularity for control while remaining easiest to understand. The GPO could be at the top-level OU since we’ll be specifying computers manually, it doesn’t really matter, but there’s no need to go any higher than necessary, but this all depends on your Active Directory structure. If the AD is configured to be a flat organization, you don’t really have a choice. If you have a tiered structure and only a sub-“folder” of ‘Employee Computers’ needs the software, you can just create the GPO at the ‘Employee Computers’ level.

Since a GPO takes immediate effect (plus the interval for your computers to refresh their policy), after creating it, you should unlink it so you can make changes and not worry about it affecting computers until it is finalized.

Assign the software to the OU

Create a new Group Policy at the OU level of the computers you want to install this software upon.

Edit the Policy with the Group Policy Object Editor. Right-click on Computer Configuration -> Software Settings -> Software installation and choose New package.
Browse to the .msi modified in the above steps and choose to open.
Choose an Advanced deployment method.
Under Deployment tab, check Uninstall this application when it falls out of the scope of management. (Optional, but it provides the ability to uninstall software from computers by simply removing them from those allowed to have the software.)
Hit Ok and close the Group Policy Object Editor.

Specify the Computers within the OU

In the Group Policy Management Console, choose the new GPO that you created from the tree in the left-pane.

In the right-pane, under the Scope tab and the section of Security Filtering:

Remove Authenticated Users.

  • Highlight ‘Authenticated Users’ (it is added by default to newly created GPOs).
  • Hit the Remove button.

Add computers or groups of computers that you want to receive this software.

  • Hit the Add button and a new window will pop-up.

  • Hit the ‘Object Types…’ button to specify Computers if it isn’t already in the list with User, Group, or Built-in security principal. Check computers and you can uncheck the rest if you’d prefer.

  • Next list the computers by their machine name that should receive this software. (They must have an entry in the Active Directory and be joined to the domain for this to work.)

From the screenshot two above you can see that I have added LIBSTFSYS05 to receive this Group Policy. For this example, that computer will be the only computer able to apply this Group Policy.

  • It may be easier to create Global Security groups in your Active Directory based on the software. Then make the computers members of the individuals groups and add the groups to the Group Policies instead of the individual machines. This will all depend on your environment. If you have a lab structure where all the machines get the same software, you could create the group once and then only have one entry for each group policy. Make the computers members of the security group and then add the group to the GPO.

As soon as you have all the computers or groups added, enable the link. As machines are restarted they will receive the newly assigned software if they are in the Security Filtering list.

One other thing that might be of interest regarding filtering group policy to select computers is right below the Security filtering on the same page. If you maximize the window, you’ll be able to see WMI Filtering. WMI filtering allows you to choose computers based on their attributes, like version of Windows, timezone, and many other qualities. One word of caution is that Windows 2000 machines will completely ignore WMI filtering and apply the group policy regardless.

You can read more about WMI Filtering from Microsoft’s TechNet site.