Assigning and Publishing Software

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Because you can publish software for users, assign software to users, or assign software to computers, you can establish a workable combination of those three options to meet your software management goals. The following is a comparison of these methods.

Publishing software for users

Typically, after you publish a software package to users in a site, domain, or OU, the users can use Add or Remove Programs to install the software. An exception is when you publish an application in a new GPO, and you must simultaneously link the GPO to the users in a site, domain, or OU. If you link a GPO and deploy the software at the same time, you must refresh the Group Policy before the application appears in Add or Remove Programs. Additionally, the application can be installed by opening an associated document if the application is deployed to do that (if Auto-Install is selected).

The user can remove the software, and then later choose to reinstall it, by using Add or Remove Programs.

Assigning software to users

There are three methods for assigning software: assign to users on-demand, assign to users, or assign to computers.


  • Check software license agreements before you assign applications to users because assigning software can result in an application being installed on multiple computers. Issues might occur, regardless of whether you use the policy setting option Remove the application if it falls out of the scope of management.

Assigning software to be available on demand   After you assign a software package to users in a site, domain, or OU, the software is advertised on the desktop. The application becomes available to the user the next time the user logs on (if application’s GPO applies to that user). The application is fully installed by the user from the Start menu, from Add or Remove Programs, from a desktop shortcut, or by opening a document (on demand) that has a file name extension that is associated with the application.

The user can remove the software, and then later choose to reinstall it as they did previously. By using Group Policy, you make sure that assigned applications that are available on-demand are available, regardless of whether users remove them, and that the applications are available again the next time the user logs on or starts the computer.

Assigning software to users   After you assign a software package to users in a site, domain, or OU, you can use the Install this application at logon option to install the whole application the next time the computer starts, or after the user logs off and then logs on again. The application is also immediately available in Add or Remove Programs.

The user can remove the software, and then later choose to reinstall it as they did previously.


  • Some applications that you have published might not appear in Add or Remove Programs in a domain that has multiple domain controllers until the changes have replicated to all domain controllers in the domain.

Assigning software to computers   After you assign a software package to computers in a site, domain, or OU, the software is installed the next time the computer restarts or the user logs on.

Only the local or network administrator can remove the software, though a user can repair the software.


  • To avoid installation errors and reduce network traffic, do not assign or publish a Windows Installer package more than once in the same GPO.

Assigning Software to Users and Computers

Assign software to users or computers for either of the following reasons:

  • To make a particular application available to all users of one computer, assign that application to the computer.

  • To make mission-critical software available to users or computers at all times, assign the application to the users or computers.


  • If you assign many applications instead of publishing them, you can cause congestion between client computers and the software distribution point servers. Use DFS to distribute the server load among multiple servers.

Assigning standard software

Typically, packages that you assign to users or computers are essential. Therefore, the applications on your standard software list are good candidates for assignment to users or computers. The easiest method for assigning standard software to a large number of users in your organization is to apply the GPO at the highest level of the domain hierarchy, as shown in the following example.

Assigning Software to Computers and Users Example

It is standard for all users at a corporation to receive virus-protection software and e-mail. The software administrator creates two GPOs and assigns the two software packages. She assigns the virus protection software to all computers, and the e-mail application to all users. After the GPOs are created, she applies the GPOs at the domain level of the Active Directory structure so that all members in the domain receive the software assignments.

It is recommended that you assign virus-scanning software to all computers in the organization because this software must function for every user of each computer. Some organizations consider e-mail application to be mission-critical, but some e-mail packages are very large. Installing large packages over an already congested or slow network link can negatively affect network bandwidth. If this is not an issue for you, and you want all users to have e-mail, you can assign the e-mail package to everyone in the organization. After you configure software assignment in the appropriate GPO, apply the GPO that is associated with standard software applications to the root domain.

To prepare for assignment of software to users and computers

  1. Determine the size of each application. Very large applications might not be appropriate for automatic installation. For example, a product such as Office 2000 can take a long time to install. Make sure that your deployment plan includes an analysis of how much traffic your network can handle.

  2. Assign applications only to the users who require them.

  3. Determine whether you can include some of the common applications in a Remote Installation Protocol preparation (RIPrep) image, or other automated image technology. RIPrep can reduce software installation time during the logon process or at initial selection of the application. RIPrep and Remote Installation Services (RIS) are excellent methods for creating these images. For more information about RIPrep and RIS, see "Designing RIS Installations" in Automating and Customizing Installations of this kit.

Configuring a complete application Installation

When you assign an application to a user, you have the option to install the whole application the first time the user logs on after deployment, or you can configure to install the application on demand. You can select the auto-install by file activation option on the Deployment tab in the Properties dialog box. Right-click the managed software in Group Policy, and then click Properties.

You can configure the installation to occur the first time the user logs on after deployment. This method ensures that the user has the whole application available when it is needed. However, this method also requires a longer logon time while the application is being installed. Without this method, a portable-computer user who is not connected to the network might discover that an essential feature is not available. By using this method, you provide a less confusing experience for users who might think that an application is installed, only to find that clicking the shortcut triggers an installation.

For applications that you can customize, such as Office XP, you can make all components of the application available at installation. This approach to installation is a Windows Installer authoring function, not a Group Policy software deployment function. For example, the author of the installation package can select to make features such as a spelling checker available on first installation. This increases the installation time somewhat, but it also provides all needed features on first use. Performing a complete application installation is a good method to use for mobile users who are not connected to the network most of the time. When the user requires the spelling checker, it is already installed on the computer.


  • By default, Group Policy allows you to configure a user-assigned application that has a staggered, on-demand installation. By using Windows Server 2003, you can turn off the default installation and install the entire application at once. This mirrors the behavior of computer-assigned application installation.

Enabling users to install applications and features on demand

When you configure Group Policy so that users can install only the features (such as the spelling checker) or components of a product as they use them, you avoid wasting client disk space to store features that users do not need or use. Additionally, this method helps to prevent network congestion that is caused by users downloading large applications. The core application is not installed until the user activates the application on the computer by one of three ways: selecting the application from the Start menu, clicking s shortcut on the Desktop, or by activating a document of a file type that is associated with the application. After the core application is installed, the user can install features of the product as needed.

The following installation process is typical for user-assigned applications intended for on-demand applications:

  1. The user logs on to a computer running Windows 2000 (or a later version of the operating system).

  2. The application management service process advertises applications on the user’s desktop or on the Start menu.

  3. The user invokes the needed software from either the Desktop or the Start menu, or by selecting a file that has a file name extension for an assigned application. This action starts Windows Installer.

  4. Windows Installer installs the requested Windows Installer package from the distribution point.

  5. Windows Explorer starts the application.

Publishing Software for Users

The benefit of publishing software, instead of assigning it, is that it requires less management when change occurs in the Active Directory structure. Typically, you publish applications that are nonessential for the users. When you publish software for a user, it does not initially appear to be installed on the computer. There is no Windows Installer advertisement information about the software on the computer in the registry, on the desktop, or on Start menu as a shortcut. On an as-needed basis, the user installs the published software by using Add or Remove Programs in Control Panel. Users can also install the published application by selecting a file that has a file name extension for an application.

To publish software for users in your organization

  1. Determine the size of each application. Some products take a long time to install, so consider if it is more appropriate to assign the application, instead.

  2. Determine whether you can publish certain applications to all users (without restriction) in your administrative area.

  3. Create a table of applications. This table includes the locations from which users can install the application files.

  4. Publish all .zap files. You cannot assign .zap files.

When you publish applications, users do not need to remember server share names or locations for installing software. In Windows XP and Windows Server 2003, when a user clicks Add or Remove Programs in Control Panel, and then clicks Add New Programs, a list appears that provides available software categories. In these specific categories, the user can see a list of the software that is published for that user name. Users can install only the software you have published for them.


  • Because users might be accustomed to installing software from a designated share on your network, it is important that you educate users about installing and removing published software by using Add or Remove Programs in Control Panel**.**

For more information about using Add or Remove Programs to install software on a client computer, see "Making Software Available to Users and Computers" later in this chapter. For more information about creating software categories, see "Categorizing Applications" later in this chapter.


  • Files that have a .zap file name extension can only be published in Add or Remove Programs.

After the user installs a published application, it behaves like an assigned application until the user removes the application by using Add or Remove Programs, or until the software administrator removes the application.

Publishing an Application Example

Employees of an organization use a custom application that includes a corporate organizational chart and an employee locator map. This application is not essential to everyone because it does not directly affect the job they perform at the company. However, employees can save time locating coworkers by using the application. Therefore, most employees will use it occasionally.

The software administrators decided to publish this application for all users and to apply the GPO at the highest level of the domain hierarchy. A user who wants to gain access to this application can install it by using Add or Remove Programs in Control Panel.

Publishing Software for Large and Small Groups of Users

If you have a lightly managed IT environment, you can publish an application to all users at the domain-level without restriction, and then specify a category for the application, such as Sales. In this situation, you can expect users in the Sales department to install the software in the Sales category. However, this does not prevent unauthorized users from installing the software from the Sales category.

To prevent users from installing certain software, you can either assign software to the targets that need it instead of publishing it, or you can create different GPOs. You can also turn on loopback processing, a Group Policy setting that allows you to configure user-based policy settings in a GPO so that those settings are applied regardless of who logs on to the computer. For more information about using loopback processing, see "Designing a Group Policy Infrastructure" in this book.

To publish an application to smaller groups at lower levels of the domain infrastructure, plan for more administrative management than for small groups of users at a higher level. This kind of fine-tuning requires more GPOs or filtering.