Best practices for Group Policy Software Installation

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Best practices for Group Policy Software Installation

Understand the difference between Group Policy Software Installation and Systems Management Server.

  • For simple software installation and deployment scenarios, Group Policy provides Group Policy Software Installation. For more information, see Group Policy Software Installation. For software installation scenarios where scheduling, inventory, reporting, status, and support for installation across a wide area network (WAN) is required, use Systems Management Server (SMS).

Specify application categories for your organization.

  • Using categories makes it easier for users to find an application in Add or Remove Programs in Control Panel. You can define application categories, such as Sales Applications, Accounting Applications, and so on. For more information, see Specify categories for applications to be managed.

Verify that Windows Installer packages are correctly transformed before they are published or assigned.

  • Transforms are applied to packages at the time of assignment or publication. Transforms (.mst files) are customizations that are applied to Windows Installer packages. A transform is applied at the time of assignment or publication, not at the time of installation. In practical terms, this means that you should verify that the Modifications tab in the package Properties dialog box is set up the way that you want it before you click OK. If you neglect to do this, and you assign or publish a transformed package before you have completely configured it, you can remove the software and republish or reassign it, or you can upgrade the software with a completely transformed version. For more information, see Remove a managed application, Upgrade an application, and Add or remove modifications for an application package.

Assign or publish just once per Group Policy object.

  • It is recommended that a Windows Installer package be used to assign an application or to publish an application no more than once in the same Group Policy object. For example, if you assign Microsoft Office to the computers that are affected by a Group Policy object, do not assign or publish it to the users who are affected by the Group Policy object. For more information, see Assign an application and Publish an application.

Take advantage of authoring tools.

  • Developers who are familiar with the files, registry entries, and other requirements that are necessary for an application to work properly can author native Windows Installer packages by using tools that are available from various software vendors.

Repackage existing software.

  • You can use commercially available tools to create Windows Installer packages for software that does not include natively authored .msi files. These tools work by comparing a computer's state before and after installation. For best results, install them on a computer that is free of other application software (clean installation).

Assign or publish applications at a high level in the Active Directory hierarchy.

  • Because Group Policy settings apply by default to child Active Directory containers, it is efficient to assign or publish applications by linking a Group Policy object to a parent organizational unit or domain. Use security descriptors (ACEs) on the Group Policy object for finer control over who receives the software. For more information, see Filter the scope of Group Policy according to security group membership.

Use required, rather than optional, upgrades.

  • For the correct upgrade procedures, both required and optional, see Upgrade an application.

  • The Upgrades tab for a package in Group Policy Software Installation has a Required upgrade for existing packages check box. It is recommended that you select this check box. If two users use the application on one computer, and one user upgrades the application and the other does not, both versions of the application exist on the computer. Some applications do not support this configuration.

  • Authenticated Users need the Read and Apply Group Policy ACE to be able to install applications from the software distribution point.

  • Administrators need Full Control to manage software.

Use Group Policy Software Installation properties for widely scoped control.

  • By using Group Policy Software Installation, you save administrative keystrokes when you assign or publish a large number of packages with similar properties in a single Group Policy object. For example, when all of the software is published and it all comes from the same software distribution point. For specific procedures, see Set Options for Group Policy Software Installation.

Use Windows Installer package properties for fine control.