Group Policy Software Installation overview
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Group Policy Software Installation overview
With Group Policy Software Installation, a software management feature, you can manage software throughout its life cycle within the organization. Group Policy Software Installation works in conjunction with Group Policy and Active Directory. It is one of three Group Policy Software Installation and Maintenance components, which are described in the following table.
| Component | Role |
|---|---|
Group Policy Software Installation (an extension of Group Policy Object Editor) |
Used by administrators to manage software |
Windows Installer |
Installs software that is packaged in Windows Installer files |
Add or Remove Programs in Control Panel |
Used by users to manage software on their own computers. For more information, see Add or Remove Programs in Control Panel. |
Group Policy Software Installation helps you specify how applications are installed and maintained within your organization. With Group Policy Software Installation, you can manage an application within a Group Policy object, which is in turn associated with a particular Active Directory container--either a site, a domain, or an organizational unit. Applications can be managed in one of two modes: assigned or published.
For tips about using Group Policy Software Installation, see Best practices for Group Policy Software Installation. To begin using Group Policy Software Installation right away, see Open Group Policy Software Installation. For more information, see Group Policy Software Installation.
Assigning to users
When you assign an application to a user, the application is advertised to the user the next time the user logs on to a workstation. The application advertisement follows the user, regardless of which physical computer he or she actually uses. The application is installed the first time that the user activates the application on the computer, either by selecting the application on the Start menu or by activating a document that is associated with the application. For more information, see Assign an application.
You assign an application when you want everyone to have the application on his or her computer. For example, suppose that you want all users in a marketing department to have Microsoft Excel on their computers. A Group Policy object manages every user in marketing. When you assign Excel within the marketing Group Policy object, Excel is advertised on every marketing user's computer. When an assigned application is advertised, it is not actually installed on the computer. In this case, the application advertisement installs only enough information about Excel to make the Excel shortcuts appear on the Start menu and to make the necessary file associations (.xls) appear in the registry.
When these users log on to their computers, Excel appears on their Start menu. When they select Excel on the Start menu for the first time, Excel installs. A user can also install an advertised application by opening a document that is associated with the application, either by file name extension or by COM-based activation. If a user who has not yet activated Excel from the Start menu clicks an Excel spreadsheet to open it, Excel installs and the spreadsheet opens.
A user can delete an assigned application, but the assigned application is advertised again the next time the user logs on. It installs the next time a user selects it on the Start menu.
Assigning to computers
When you assign an application to the computer, the application is advertised and the installation is performed when it is safe to do so. Typically, this happens when the computer starts up, so that there are no competing processes on the computer. For more information, see Assign an application.
Publishing to users
When you publish an application to users, the application does not appear as installed on the users' computers. No shortcuts are visible on the desktop or on the Start menu, and no changes are made to the local registry on the users' computers. Instead, published applications store their advertisement attributes in Active Directory. Information, such as the application's name and file associations, is exposed to the users in the Active Directory container. The application is then available for the user to install by using Add or Remove Programs in Control Panel or by clicking a file that is associated with the application, such as an .xls file for Microsoft Excel. For more information, see Publish an application and Add or Remove Programs in Control Panel.
You publish an application when you want the application to be available to people who are managed by the Group Policy object, in case a user wants the application. With published applications, it is up to each person to decide whether or not to install the published application.
For example, if you publish Microsoft Image Composer to users who are managed by the marketing Group Policy object, and a marketing user wants to install Image Composer, the user can go to Add or Remove Programs in Control Panel and install the application. If users do not install Image Composer by using Add or Remove Programs, and if the .jpg file name extension for the image document is associated with Image Composer, Image Composer can be installed for users when they first open any .jpg document.
Application assignment scripts
Application assignment scripts are one of the file types that are often encountered in Group Policy Software Installation. For every published or assigned application in a particular Group Policy object, an application assignment script (.aas file) is generated and stored in that domain's Group Policy object. These script files contain the advertisement information about the application configuration. For more information, see File types that you use with Group Policy Software Installation.
The user's view of software installation
At the user's computer, system components--including Winlogon, the shell, object linking and embedding (OLE), the Lightweight Directory Access Protocol (LDAP) client, and the local registry--provide the user's view of software installation. Winlogon is the privileged agent that applies software installation policy. The shell and the OLE are enhanced to be Active Directory-aware and to communicate with Windows Installer to perform setup actions. The LDAP client provides the capability to search and query Active Directory.
By using Add or Remove Programs, users can browse for and install software from Active Directory in a managed environment or from local media (in a nonmanaged environment or, if policy permits, from local media in a managed environment).