admin adventure

the ongoing struggle: man vs machine

Category Archives: Software Deployment

Deploy and Customise Google Chrome

This guide will lead you through the basic steps to deploy Google Chrome with group policy. It is based on v38, which at the time of writing is the current release. To follow this guide, you should already be familiar with Group Policy in general.

As with any task, first clearly define the objectives you want to achieve before starting. Your objectives will no doubt be different, so this guide should be a general reference only.

Objectives

1. Install Google Chrome 64bit edition for all users of selected Windows 7 PCs. For our purpose the computers are all in the active directory organisational unit “Computers – Windows 7”.

2. Set home page to a specific address.

3. Reduce automatic update frequency.

 

 

Task 1 – Obtain the appropriate Files

  1. Download the 64bit MSI package of the enterprise edition of Google Chrome that Google helpfully provides. It can be found at https://www.google.com/intl/en/chrome/business/browser/admin/
  2. Download the adm and admx group policy templates from https://support.google.com/chrome/a/answer/187202
  3. Download the Google Update adm group policy template from https://support.google.com/installer/answer/146164

 

Task 2 – Copy MSI file to the deployment share.

  1. Copy the downloaded .msi file to a deployment share that client computers have read access to.

 

Task 3 – Create a new GPO to deploy the software and settings.

  1. Open group policy management console on a domain controller, and create a new policy. Give it a descriptive name that will still retain some meaning to you and your colleagues in 6 months time.
  2. Edit the newly created policy (Right-click>Edit) and navigate to the Computer Configuration>Policies>Software Settings>Software Installation node.
  3. In the right-hand pane, right click and select New>Package
  4. Navigate to the package file you earlier placed in the deployment share, and click ok.
  5. Select Advanced for the deployment method and click Ok.
  6. Enter a name for the package. I like to put both the architecture and version number in the package name, but it is up to you really. Note that this is the name that will appear in the installed program list on the client computers. I like to put the word “Deployed” in the name to distinguish the group policy installs from the manual installs.
  7. No further options are required to be set, however depending on your environment, you may wish to set some further options. I always set “Ignore language when deploying this package” which is under Deployment>advanced. Once done, click ok.
  8. The package will now install on any PCs that are covered by the policy you created. If you are testing, you may wish to run the command “gpupdate /force /boot” on your test PC to force an immediate deployment.
  9. Close the Group Policy Management Editor before continuing.

 

Task 4 – Customise via Group Policy

Configure Homepage

In my case I need to import the .admx template files into my Windows 2008 R2 central store. Your group policy setup may be different. The below paths are for my environment, and your environment will be different.

  1. Extract the policy templates archive.
  2. Copy Chrome.admx to D:\ADDS\Sysvol\sysvol\xxxxxx\Policies\PolicyDefinitions\
  3. Copy the language specific adml files for your required languages to the central store. i.e. the EN-GB files to D:\ADDS\Sysvol\sysvol\xxxxxx\Policies\PolicyDefinitions\EN-GB\
  4. Open Group Policy Management Editor and edit the policy you created earlier. When you expand Policies>Administrative Templates>Google in both computer configuration and User Configuration, you will see the new settings that can be applied.
  5. In our case, we want to change the default home page, and not allow the user to override this. Navigate to the “Computer Configuration>Policies>Administrative Templates>Google>Google Chrome>Home page” node and set the “Configure Home Page URL” setting.
    Note that if we had wanted users to have the ability to override this, and only wanted to set a default, we could have configured the same setting under the “Google Chrome – Default Settings (users can override)” node.
  6. I will also set the “Use New Tab Page as Homepage” option to disabled, to prevent users from changing the homepage behaviour.
  7. This will now load the homepage you have just configured when the home button is clicked. The default startup action for Chrome 38 doesn’t open the homepage, but a new tab. Navigate to Google Chrome>Startup pages and change both the action on startup (Open a list of URLs) and URLs to open on startup settings.

 

Configure Update Frequency

Chrome will be updated via the Google Update software that is installed alongside Chrome, even for users without admin rights. To manage this software, we need to use the Google update adm template that we downloaded earlier.

  1. Copy the Google update adm template file to a location on the domain controller.
  2. Within the GPME, right-click the administrative templates node, and select add/remove templates.
  3. Add in the Google update adm template, and click close.
  4. You now have the ability to manage Google update.
  5. Navigate to the “Google update>preferences” node, and set the auto-update check period override to the desired setting. I have set the number of minutes to 10080 to enable a weekly update.

Now you should have a working setup. I would recommend you review the documents located below in the resources section, and the other available group policy settings to identify further opportunities to set default settings as appropriate.
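
To confirm on a test PC that the settings from Task 4 actually arrived, the following added example (not part of the original guide) reads the registry values that the Chrome and Google Update templates write. The homepage URL is a placeholder, and it assumes the startup URL list was set to the same address as the homepage.

```powershell
# Added example: run on a client after "gpupdate /force" to check the policy
# values set in Task 4. Requires PowerShell 3.0 or later.
function Test-ChromeDeploymentPolicy {
    param(
        [string]$ExpectedHomepage = 'https://intranet.example.local/',  # placeholder
        [int]$ExpectedUpdateMinutes = 10080                             # weekly, as set above
    )

    $chromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
    $updateKey = 'HKLM:\SOFTWARE\Policies\Google\Update'

    # Machine policy values and what this guide expects them to hold.
    $checks = @(
        @{ Key = $chromeKey; Name = 'HomepageLocation';             Want = $ExpectedHomepage },
        @{ Key = $chromeKey; Name = 'HomepageIsNewTabPage';         Want = 0 },  # disabled
        @{ Key = $chromeKey; Name = 'RestoreOnStartup';             Want = 4 },  # open a list of URLs
        @{ Key = $updateKey; Name = 'AutoUpdateCheckPeriodMinutes'; Want = $ExpectedUpdateMinutes }
    )

    foreach ($check in $checks) {
        $actual = $null
        $key = Get-Item -Path $check.Key -ErrorAction SilentlyContinue
        if ($key) { $actual = $key.GetValue($check.Name) }
        [pscustomobject]@{
            Setting = $check.Name
            Want    = $check.Want
            Actual  = $actual
            Ok      = ($null -ne $actual -and $actual -eq $check.Want)
        }
    }

    # Startup URLs are stored as numbered values ("1", "2", ...) in a subkey.
    $urls = @()
    $urlKey = Get-Item -Path "$chromeKey\RestoreOnStartupURLs" -ErrorAction SilentlyContinue
    if ($urlKey) {
        $urls = @($urlKey.GetValueNames() | ForEach-Object { $urlKey.GetValue($_) })
    }
    [pscustomobject]@{
        Setting = 'RestoreOnStartupURLs'
        Want    = $ExpectedHomepage
        Actual  = ($urls -join ', ')
        Ok      = ($urls -contains $ExpectedHomepage)
    }
}

Test-ChromeDeploymentPolicy | Format-Table -AutoSize
```

A row with an empty Actual column means the policy has not reached that machine yet; check the GPO link and security filtering before looking at Chrome itself.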

 

Resources

Chrome for Work
https://www.google.com/intl/en/chrome/business/browser/admin/

Set up Chrome for Work
https://support.google.com/chrome/a/answer/188446?hl=en

Set chrome policies for devices
https://support.google.com/chrome/a/answer/187202

Control Auto-updates
https://support.google.com/chrome/a/answer/187207

Google Update for Enterprise
https://support.google.com/installer/answer/146164

Deploy Civica Authority Desktop Client using Group Policy

In this post I will explain the steps I take to deploy the Civica Authority Desktop Client software to my mixed 32bit and 64bit environment. The below process will detail how to deploy an upgrade to a client that has previously been deployed, however the same process can be used for a new deployment of the client with the only change being in the group policy upgrade tab in Step 4.

As the Authority Desktop Client is frequently updated as part of the Authority patching process, it is important to distribute the new client to all your Windows PCs. Doing this manually is generally too much of a burden, and group policy can be used to reduce this burden.

It should be noted that if the Authority Client is going to be deployed through Group Policy, it should not be included in any system images that you are using to distribute your SOE, as this can cause problems when trying to upgrade to new versions.

My goals are:

  • Deploy the Authority Desktop Client version 6.4.43.1 using a single GPO. Since I have previously deployed prior versions of the client to my PCs I will use my existing GPO titled “AuthorityClientDeploy”.
  • Prior versions of the client will be removed before the new version is installed.

 

Step 1 – Obtain the Appropriate Files

 

After you have installed a new patch (or anytime after issuing the update_auth6_repo command at the authority command prompt), you will have the latest client files on your Authority Server. As we are on Authority v6.4 the path to the required files is D:\civica\download\6.4\AuthorityMSIClient_6.4.zip

Contained within this zip file are 5 files.

  • authmsi Test Plan.pdf – This is a testing plan recommended by Civica prior to certifying the new client for use in your environment.
  • authority.ini – This is the default configuration for the client installer. You should have been supplied with a customised version of this file for your specific site from Civica when you first installed Authority. This file should be compared with your customised version, so that any new features can be incorporated into your customised version.
  • authority_64_installation_notes_windows_client.pdf – Well worth reading.
  • Authority-6.4.43.1.msi – The file we will deploy
  • CrystalReports.msi – The crystal reports runtime for Authority, which is not updated as frequently as the Authority Desktop Client. I use a separate GPO to deploy this.

 

Step 2 – Copy Files to Deployment Share

Copy both the Authority-6.4.43.1.msi and your site’s customised authority.ini files to a deployment share that client computers have read access to.

 

Step 3 – Generate the Transform (MST) file to Customise the Install

 

  1. Open up the Authority-6.4.43.1.msi  file in Orca
  2. Click Transform>New Transform
  3. Scroll down the left hand tables window and click the “Property” Table.
  4. In the right hand window, edit the values for the properties you wish to change.

For my environment, we are using the Quick Address Pro validation so the following 6 values relating to QAS have been set.

  • REG_QAS_SERVER: yourqasserver.domain.local
  • REG_QAS_PORT: 2120
  • QAS_SERVER: yourqasserver.domain.local
  • QAS_PORT: 2120
  • QAS_VERSION: 6.12
  • QAS_BY_INI: N (This setting allows the QAS settings to be set in an ini file rather than in the mst file we are creating. We set this to N as we have defined the settings within the mst file).

If you are not using QAS, you can leave these values at defaults.

5. We also need to set an INSTALLLEVEL value. This controls which components of the Authority MSI are installed. This property will not be available, and we will need to create it.

6. Right-click in the Property Detail Pane, and select “Add Row”

7. Create the new property with a Property name of INSTALLLEVEL and set a value. Available choices are 1, 3 and 999. I have set this value to 3. Click OK.

Which install level you select can be determined by going to the Feature node in the left hand tree, and looking at what the components are and deciding what you need to install. This information is also available from the installation notes document on page 32.

(Note: an alternative method of selecting which items to install, the ADDLOCAL property, is detailed on page 32 of the release notes and provides a way to individually select features to install. However, as the only level 1 feature that is optional for Authority is the Genero Desktop Client, and generally this is desired, the INSTALLLEVEL property is the easier solution.)

Determine which install level you need based on the components installed at each level.

Install level 1 only installs level 1 components
Install level 3 installs level 1 and 3 components – Adds QuickAddress_Runtime
Install level 999 installs all components – Adds Terminal_Server_DLL

8. When you have finished making changes, go to Transform>Generate Transform

9. Save the transform file in the same location as the MSI file on your deployment share. I include the version number in the MST filename, and I make a new mst file every time I deploy a new version of the client, even though the settings are usually identical.

10. Close Orca
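
Before adding the transform to the GPO, it is worth checking that it really carries the values entered in Orca. The following added example (not the author's or Civica's tooling) applies the MST to the MSI in memory through the Windows Installer automation interface and compares the Property table with the values listed in Step 3. The share path and the MST file name are placeholders.

```powershell
# Added example: verify an Orca-generated transform. Requires PowerShell 3.0+.
function Get-MsiPropertyTable {
    param(
        [Parameter(Mandatory = $true)][string]$MsiPath,
        [string]$MstPath
    )
    # Windows Installer COM members are called by name through reflection,
    # which works regardless of how PowerShell adapts the COM object.
    function Invoke-Member($Object, $Name, $Kind, $Arguments) {
        $Object.GetType().InvokeMember($Name, $Kind, $null, $Object, $Arguments)
    }

    $installer = New-Object -ComObject WindowsInstaller.Installer
    $msi = (Resolve-Path -LiteralPath $MsiPath).ProviderPath
    $db  = Invoke-Member $installer 'OpenDatabase' 'InvokeMethod' @($msi, 0)  # 0 = read-only
    if ($MstPath) {
        $mst = (Resolve-Path -LiteralPath $MstPath).ProviderPath
        # Error-condition flags 0: nothing is suppressed, so a transform built
        # against a different MSI fails here instead of applying silently.
        Invoke-Member $db 'ApplyTransform' 'InvokeMethod' @($mst, 0)
    }

    $view = Invoke-Member $db 'OpenView' 'InvokeMethod' @('SELECT Property, Value FROM Property')
    Invoke-Member $view 'Execute' 'InvokeMethod' $null
    $table = @{}
    while ($record = Invoke-Member $view 'Fetch' 'InvokeMethod' $null) {
        $name  = Invoke-Member $record 'StringData' 'GetProperty' @(1)
        $value = Invoke-Member $record 'StringData' 'GetProperty' @(2)
        $table[$name] = $value
    }
    Invoke-Member $view 'Close' 'InvokeMethod' $null
    $table
}

function Test-MsiTransform {
    param([string]$MsiPath, [string]$MstPath, [System.Collections.IDictionary]$Expected)
    $actual = Get-MsiPropertyTable -MsiPath $MsiPath -MstPath $MstPath
    foreach ($name in $Expected.Keys) {
        [pscustomobject]@{
            Property = $name
            Want     = $Expected[$name]
            Actual   = $actual[$name]
            Ok       = ($actual[$name] -ceq $Expected[$name])
        }
    }
}

# Values from Step 3 of this post; MSI property values are always strings.
$expected = [ordered]@{
    INSTALLLEVEL   = '3'
    REG_QAS_SERVER = 'yourqasserver.domain.local'
    REG_QAS_PORT   = '2120'
    QAS_SERVER     = 'yourqasserver.domain.local'
    QAS_PORT       = '2120'
    QAS_VERSION    = '6.12'
    QAS_BY_INI     = 'N'
}

$msiFile = '\\fileserver\deploy$\Authority\Authority-6.4.43.1.msi'   # placeholder share
$mstFile = '\\fileserver\deploy$\Authority\Authority-6.4.43.1.mst'   # placeholder name
if ((Test-Path $msiFile) -and (Test-Path $mstFile)) {
    Test-MsiTransform -MsiPath $msiFile -MstPath $mstFile -Expected $expected |
        Format-Table -AutoSize
}
```

Running `Get-MsiPropertyTable` without `-MstPath` shows the untransformed defaults, which makes it easy to see exactly what the transform changes.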

Step 4 – Add the Package and Transform to Group Policy

1. Open Group Policy Management Console, right-click the existing GPO and select Edit.

2. Under Computer Configuration>Software Settings>Software installation, Right click on the blank right-hand window and select New>Package.

3. Select the Authority-6.4.43.1.msi file. I like to ensure that a UNC path to the package is used, but it is up to you.

4. Select the “Advanced” option and click OK. The package properties window will appear.

5. Change the name of the package to distinguish that it is 32bit. I used “Authority Desktop Client 6.4.43.1 x32 – Deployed”.

6. Click the Deployment Tab>Advanced and check the option “Make this 32-bit X86 application available to Win64 machines”. This is because we need this 32bit package to install on the 64bit PCs in our environment. On the same screen, I usually check “Ignore language when deploying this package”. This prevents differences between US English and Australian English from preventing the install from occurring, but this is a personal preference.

7. On the upgrades tab, clear anything that has been added to the list, then click add, and select all versions of the client previously distributed by Group Policy that you wish to upgrade. I choose the option to uninstall the previous versions, rather than attempt an upgrade.

8. Click the modifications tab and add in the MST file you generated with ORCA.

9. Click OK.

Congratulations, you are now deploying Authority Desktop Client

Free Microsoft eBooks

 

Today I received a notification from the System Administrators Guild of Australia (SAGE-AU) forum that Microsoft was releasing a large number of their Microsoft Press Books for free, and I thought I would share this with the wider community.

Microsoft’s Director of Partner Experience, Eric Ligman, has posted links to a large number of free eBooks and resources for Developers and System Administrators.

I encourage everyone to check it out.

http://blogs.msdn.com/b/mssmallbiz/archive/2012/07/27/large-collection-of-free-microsoft-ebooks-for-you-including-sharepoint-visual-studio-windows-phone-windows-8-office-365-office-2010-sql-server-2012-azure-and-more.aspx

Java JRE Deployment via Group Policy

In this post I will detail my experience deploying Java Runtime Environment 7 update 4 to my mixed 32bit and 64bit environment.

My goals are:

  • Deploy 32bit and 64bit Java via a single GPO. Since I have previously deployed Java 6 update 29 to my PCs I will use my existing GPO titled “Oracle Java Runtime Env”.
  • Prior versions of Java will be removed before the new version is installed.

Step 1 – Obtain the Appropriate Files

This step is very important, as Java is often bundled with additional software that we don’t wish to deploy in our enterprise environment.

Instead of going to java.com to download Java, use the Oracle site, as these files are suited to enterprise deployment.

I used http://www.oracle.com/technetwork/java/javase/downloads/index.html

Make sure you download both the 32bit and 64bit offline versions of the JRE.

http://download.oracle.com/otn-pub/java/jdk/7u4-b22/jre-7u4-windows-i586.exe

http://download.oracle.com/otn-pub/java/jdk/7u4-b22/jre-7u4-windows-x64.exe

 

Step 2 – Extract the MSI

To extract the MSI package from the exe file downloaded above:-

Double-click the exe file and leave the installation window open.

Whilst the window is still open, go to the following location and copy the files to your staging area.

c:\users\%username%\AppData\LocalLow\Sun\Java\jre1.7.0_04\

Repeat for the 64bit exe file. The path will be

c:\users\%username%\AppData\LocalLow\Sun\Java\jre1.7.0_04_x64\

Step 3 – Generate the Transform (MST) file to Customise the Install

Auto Update is a great idea for home users, but can cause problems or annoyance for enterprises.

In enterprise networks, your everyday users should not be Administrators of their local machines. Administrator privileges are required to install Java updates. Java will helpfully advise your users that an update is available, and prompt them to install it. Users will be unable to install the update and may be regularly prompted regarding it.

This is annoying to your users, and you will quickly begin to see helpdesk requests to update Java. The better solution is to deploy updates through Group Policy, once you have tested the update in your environment. Consequently, you will want to disable the auto update function.

We will also make changes to the MSI to configure Java with settings appropriate to our environment.

  1. Open up the MSI file in Orca
  2. Click Transform>New Transform
  3. Scroll down the left hand tables window and click the “Property” Table.
  4. In the right hand window, edit the values for the properties you wish to change.

5. When you have finished making changes, go to Transform>Generate Transform
6. Save the transform file in the same location as the MSI file.
7. Close Orca
8. Repeat for the 64bit MSI file.

 

Step 4 – Add the Package and Transform to Group Policy

1. Open Group Policy Management Console, right-click the existing GPO and select Edit.
2. Under Computer Configuration>Software Settings>Software installation, Right click on the blank right-hand window and select New>Package.
3. Select the 32-bit package. I like to ensure that a UNC path to the package is used, but it is up to you.
4. Select the “Advanced” option and click OK. The package properties window will appear.
5. Change the name of the package to distinguish that it is 32bit. I used “Oracle Java 7 u4 x32 – Deployed”.
6. Click the Deployment Tab>Advanced and check the option “Make this 32-bit X86 application available to Win64 machines”. This is because both the 32 and 64bit editions will be installed on 64bit PCs. In this way, the user can use either the 32 or 64bit editions of IE and still have full java functionality.
7. On the same screen, I usually check “Ignore language when deploying this package”. This prevents differences between US English and Australian English from preventing the install from occurring, but this is a personal preference.
8. On the upgrades tab, clear anything that has been added to the list, then click add, and select all versions of java previously distributed by Group Policy that you wish to upgrade. I choose the option to uninstall the previous versions, rather than attempt an upgrade.

9. Click the modifications tab and add in the MST file you generated with ORCA.
10. Click OK.

Repeat the above process from step 4 part d for the 64bit package with the following changes.

  • Make sure you name the package to distinguish that it’s 64bit
  • Do not check the option to “Make this 32-bit X86 application available to Win64 machines”.  It will not be available.
  • On the upgrades tab, the 32bit version may be listed. Group Policy has incorrectly assumed that we wish to upgrade the 32bit package with the 64bit package. This is not the case. Remove any entries on the upgrade tab, and add entries only applicable to 64bit upgrades.

Note: Group Policy is intelligent enough to not deploy the 64bit package to 32bit machines.

Congratulations, you are now deploying Java

Useful Links

Java download location
http://www.oracle.com/technetwork/java/javase/downloads/index.html

Adobe Flash Player 11 Deployment via Group Policy

As of version 11, Adobe have released both 32bit and 64bit versions of Flash Player. This will be a relief to many as IE 64-bit will now be supported.

Now we will need to deploy Flash 11 via GPO. Our goals are

  • Deploy 32bit and 64bit Flash Player using a single GPO. The version I am deploying is 11.2.202.235.
  • This GPO will be dedicated to flash player deployment, so title it appropriately.
  • Prior versions of flash player will be removed before the new version is installed.

 

Step 1 – Sign the Enterprise Distribution Agreement and Obtain the Appropriate Files

Adobe require you to register to redistribute the software. Registration only takes a couple of minutes, however it can take up to 3 business days to be approved.

http://www.adobe.com/products/players/fpsh_distribution1.html

Once approved, an email will be sent with download links for the enterprise distribution files. Make sure that you download both 32bit and 64bit msi files.

I ended up with the following files

install_flash_player_11_active_x_32bit

install_flash_player_11_active_x_64bit

Step 2 – Define the Strategy

Unlike some of the other software that I deploy, I am not going to modify the msi file with orca, nor create a transform file. This is because prior versions of the package have been known to break if modified.

Flash 11 comes in both 32 and 64 bit variants.

The 32bit variant is only designed for 32bit operating systems. It is not to be installed on 64bit operating systems.

The 64bit variant is only designed for 64bit operating systems. This package includes both 32 and 64 bit versions of flash, to allow 32 bit browsers to operate with flash support on a 64bit operating system. This package must not be installed

As we are going to be managing both 32 and 64bit clients we will need to be careful about the group policy options that we set to prevent the wrong install from occurring.

Step 3 – Setup Shared Directory.

You probably already have a network share for software deployment. If you don’t, you will need to create a share that allows the everyone group read access. Only Administrators should have higher permissions to this share.
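
Packages assigned under Computer Configuration are installed by the local SYSTEM account, so anyone who can write to the deployment share can change what runs as SYSTEM on every targeted PC. The following added example (not from the original post) lists NTFS permissions on the share folder and its package files that grant write-type access to anyone other than SYSTEM and administrator groups; it applies equally to the shares used in the Chrome, Authority and Java posts. The UNC path is a placeholder, and share-level permissions still need to be checked on the file server, since the effective access is the more restrictive of the two.

```powershell
# Added example: audit write access on a software deployment folder.
# Requires PowerShell 3.0 or later.
function Get-DeployShareWriteAccess {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Only the bits that permit changing content, ownership or permissions.
    # Modify and FullControl are not used as masks because they include read bits.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

    # SIDs expected to hold write access: SYSTEM, BUILTIN\Administrators,
    # and the Domain Admins / Enterprise Admins groups of any domain.
    $trusted = '^S-1-5-18$|^S-1-5-32-544$|^S-1-5-21-[\d-]+-(512|519)$'

    $acl = Get-Acl -Path $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($sid -match $trusted) { continue }

        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }   # orphaned or unresolvable SID

        [pscustomobject]@{
            Path      = $Path
            Identity  = $name
            Sid       = $sid
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$share = '\\fileserver\deploy$'   # placeholder path
if (Test-Path $share) {
    # Check the folder itself and every package, transform and config file in it.
    $files = @(Get-ChildItem -Path $share -Recurse -Include *.msi, *.mst, *.cfg, *.ini |
        ForEach-Object { $_.FullName })
    $targets = @($share) + $files
    $targets | ForEach-Object { Get-DeployShareWriteAccess -Path $_ } | Format-Table -AutoSize
}
```

An empty result means only SYSTEM and administrator groups can modify the content; any row returned is a principal whose write access should be justified or removed.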

Step 4 – Group Policy Work

If you have not deployed flash player previously, you will need to follow the below steps in their entirety to create a new GPO. If you have deployed flash player previously, and need to upgrade to a new version, treat the below as a refresher, and make sure you read the upgrading section at the end of the post.

a. Create a new Group Policy Object For Flash Player by opening the Group Policy Management Console, Right-clicking on the OU you want the policy linked to, and selecting “Create and Link a GPO here”.

b. Enter a name for the GPO. Do not include version numbers in the name, as you will use this same GPO to deploy upgrades.

c. Right-click the newly created GPO and select edit. The Group Policy Object Editor Opens.

d. Under Computer Configuration>Software Settings>Software installation, Right click on the blank right-hand window and select New>Package.

e. Select the 32-bit package. I like to ensure that a UNC path to the package is used, but it is up to you.

f. Select the “Assigned” option and click OK. The new package will appear.

g. Right-Click the package and select Properties.

h. Change the name of the package to distinguish that it is 32bit. I used “Adobe Flash Player ActiveX 11.2.202.235 x32 – Deployed”

i. Click the Deployment Tab>Advanced and uncheck the option “Make this 32-bit X86 application available to Win64 machines”. We have a different package for the 64bit operating systems.

j. On the same screen, I usually check “Ignore language when deploying this package”. This prevents differences between US English and Australian English from preventing the install from occurring, but this is a personal preference.

k. Ignore the upgrades tab for now as this is the first deployment. When you deploy future versions of Flash you will need this tab. Upgrades will be covered at the end of this post. Click OK on the Advanced Deployment Options Window and the Main Properties Window.

l. Congratulations, you are now deploying Flash Player 32bit.

Repeat the above process from step 4 part d for the 64bit package with the following changes.

  • Make sure you name the package to distinguish that it’s 64bit
  • Do not check the option to “Make this 32-bit X86 application available to Win64 machines”.  It will not be available.
  • On the upgrades tab, the 32bit version may be listed. Group Policy has incorrectly assumed that we wish to upgrade the 32bit package with the 64bit package. This is not the case. Remove any entries on the upgrade tab.

Congratulations, you are now deploying the 64bit package.

Note: Group Policy is intelligent enough to not deploy the 64bit package to 32bit machines.

How to Disable Adobe Flash Auto Update settings (Optional)

Auto Update is a great idea for home users, but can cause problems or annoyance for enterprises.

In enterprise networks, your everyday users should not be Administrators of their local machines. Administrator privileges are required to install flash player updates. Flash will helpfully advise your users that an update is available, and prompt them to install it. Users will be unable to install the update and may be regularly prompted regarding it.

This is annoying to your users, and you will quickly begin to see helpdesk requests to update flash. The better solution is to deploy updates through Group Policy, once you have tested the update in your environment. Consequently, you will want to disable the auto update messages.

Adobe have provided a method to achieve this. What you need to do is place a configuration file on each machine that tells Flash to disable automatic updates.

The required locations for this file are:

%systemroot%\System32\Macromed\Flash – 32-Bit version of Flash

%systemroot%\SysWOW64\Macromed\Flash – 64 Bit version of Flash 11

The file needs to be placed in both locations for 64bit installs, as both variants are installed.

The file is a simple text file with a line that reads

AutoUpdateDisable=1

I save this file with the file name mms.cfg in the same folder I used to store the msi files. I can then use Group Policy Preferences (Server 2008) or a startup script to copy the file to the correct destination locations.
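
One way to write the startup script mentioned above, as an added example that is not from the original post. The source path is a placeholder for the share folder holding the MSI files; the script only writes into Flash folders that already exist, and it assumes the GPO runs it as a computer startup script.

```powershell
# Added example: copy mms.cfg into the Flash folders named in this post.
# Requires PowerShell 3.0 or later.
function Copy-FlashConfig {
    param(
        [Parameter(Mandatory = $true)][string]$Source,
        [string]$SystemRoot = $env:SystemRoot
    )

    # Refuse to distribute a file that does not carry the setting.
    $wanted = @(Get-Content -LiteralPath $Source | ForEach-Object { $_.Trim() })
    if ($wanted -notcontains 'AutoUpdateDisable=1') {
        throw "$Source does not contain AutoUpdateDisable=1"
    }

    $targets = 'System32\Macromed\Flash', 'SysWOW64\Macromed\Flash' |
        ForEach-Object { Join-Path $SystemRoot $_ }

    foreach ($dir in $targets) {
        # Skip folders that do not exist: SysWOW64 is absent on 32-bit
        # Windows, and neither folder exists before Flash is installed.
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            [pscustomobject]@{ Target = $dir; Action = 'skipped (folder not present)' }
            continue
        }

        $dest = Join-Path $dir 'mms.cfg'
        $current = @()
        if (Test-Path -LiteralPath $dest) {
            $current = @(Get-Content -LiteralPath $dest | ForEach-Object { $_.Trim() })
        }

        # Copy only when the content differs, so repeated startups change nothing.
        if (($wanted -join "`n") -ne ($current -join "`n")) {
            Copy-Item -LiteralPath $Source -Destination $dest -Force
            [pscustomobject]@{ Target = $dest; Action = 'updated' }
        }
        else {
            [pscustomobject]@{ Target = $dest; Action = 'already current' }
        }
    }
}

$source = '\\fileserver\deploy$\Flash\mms.cfg'   # placeholder path
if (Test-Path $source) {
    Copy-FlashConfig -Source $source | Format-Table -AutoSize
}
```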

 

Upgrading

When it comes time to update the flash player to a new version, add the new package as above, to the same GPO. On the upgrading tab, remove any entries already in the list, then click add.

Select which version/s you wish to be upgraded by the new package. Be very careful that new 32bit packages upgrade the old 32bit packages, and new 64bit packages upgrade the old 64bit packages.

Remember to set the appropriate group policy options for the new packages, just as you did for the old packages.

Useful Links

Flash Player Configure Auto Update
http://helpx.adobe.com/flash-player/kb/administration-configure-auto-update-notification.html#main_Administrator_configuration_of_auto_update_notification_and_background_update_process

Comments

Please feel free to comment, ask questions or point out inaccuracies in the information. Through your assistance, I can try to make this post as helpful as possible.