Installing clients with Active Directory Group Policy Object
|Article:TECH94023|||||Created: 2009-01-15|||||Updated: 2011-03-15|||||Article URL http://www.symantec.com/docs/TECH94023|
Installing clients with Active Directory Group Policy Object
You can install Symantec client software by using a Windows 2000/2003 Active Directory Group Policy Object. The easiest way to implement group policy is with Microsoft's Group Policy Management Console with Service Pack 1 or later. This software is freely available from Microsoft's Web site, and runs on Windows Server 2003.
The procedures for installing client software with Active Directory Group Policy Object assume that you have installed this software and use Windows 2003 Active Directory.
To install Symantec client software by using Active Directory Group Policy Object, you must do the following:
* Create the administrative install image
* Copy Sylink.xml to the installation files
* Stage the administrative install image
* Create a GPO software distribution
* Create a Windows Installer 3.1 startup script
* Add computers to the organizational unit
Before you install
The installation software requires that client computers contain and can run Windows Installer 3.1 or higher. By default, client computers meet this requirement if they run Windows XP with Service Pack 2 and higher, Windows Server 2003 with Service Pack 1 and higher, and Windows Vista. If client computers do not meet this requirement, all other installation methods automatically install Windows Installer 3.1 by bootstrapping it from the installation files.
Third-party installation options
For security reasons, Windows Group Policy Object does not permit bootstrapping to the executable file WindowsInstaller*.exe from the installation files. Therefore, before you install Symantec client software, you must run this file on the computers that do not contain and run Windows Installer 3.1. You can run this file with a computer startup script. Before you decide to use GPO as an installation method, you must develop an approach to update the client computers that do not contain and run Windows Installer 3.1.
The Symantec client installation uses standard Windows Installer .msi files. As a result, you can customize the client installation with .msi properties and the features.
Finally, confirm that your DNS server is set up correctly. The correct setup is very important because Active Directory relies heavily on your DNS server for computer communication. To test the setup, ping the Windows Active Directory computer, and then ping in the opposite direction. Use the fully qualified domain name. The use of the computer name alone does not call for a new DNS lookup. Use the
You should also test GPO installation with a small number of computers before the production deployment. If DNS is not configured properly, GPO installations can take an hour or more.
Creating the administrative installation image
Group Policy Object installations that use Windows Installer 3.0 and lower require administrative images of the client installation files. This image is not a requirement for 3.1 and higher installations and is optional. If you do not create the administrative image, you must still copy the contents of the SEP folder on the CD to your computer.
To create the administrative installation image
1 Copy the contents of SEP folder on the CD to your computer.
2 From a command prompt, navigate to the SEP folder and type msiexec /a "Symantec AntiVirus.msi"
3 In the Welcome panel, click Next.
4 In the Network Location panel, enter the location where you want to create the administrative install image, and then click Install.
5 Click Finish.
To copy Sylink.xml to the installation files
1 If you have not done so, install a Symantec Endpoint Protection Manager.
2 Locate a Sylink.xml file in one of the outbox folders. By default, these folders are located at \\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\uid\. You may have to open and read the Sylink.xml files in the different uid files with a text editor to find the desired file.
3 If necessary, copy Sylink.xml to removable media.
4 Copy Sylink.xml by using one of the following:
* If you created an administrative installation file image, overwrite the Sylink.xml file in folder \\install_directory\Program Files\Symantec Endpoint Protection Manager\.
* If you did not create an administrative installation file image, copy the contents of the SEP folder on the CD to a destination folder on your computer. Then, copy the Sylink.xml file into that destination folder.
To stage the installation files
1 If necessary, copy the folder that contains the client installation files to a folder that is or will be shared.
2 Right-click the folder, and then click Sharing and Security.
3 In the Properties dialog box, on the Sharing tab, check Share this folder, and then click Permissions.
4 In the Permissions dialog box, under Group or user names, click Everyone, and then click Remove.
5 Click Add.
6 Under Enter the object names to select, type Authenticated Users, and then click Check Names.
7 Type Domain Computers, click Check Names, and then click OK.
8 In the Permissions dialog box, click Apply, and then click OK.
To create a GPO package
1 On the Windows Taskbar, click Start > Programs > Administrative Tools > Group Policy Management.
2 In the Active Directory Users and Computers window, in the console tree,right-click the domain, and then click Active Directory Users and Computers.
3 In the Active Directory Users and Computers window, right-click the Domain, and then click New > Organizational Unit.
4 In the New Object dialog box, in the Name box, type a name for your organizational unit, and then click OK.
5 In the Active Directory Users and Computers window, click File > Exit.
6 In the Group Policy Management window, in the console tree, right-click the organizational unit that you created, and then click Create and Link a GPO Here. You may need to refresh the domain to see your new organizational unit.
7 In the New GPO dialog box, in the Name box, type a name for your GPO, and then click OK.
8 In the right pane, right-click that GPO that you created, and then click Edit.
9 In the Group Policy Object Editor window, in the left pane, under the Computer Configuration, expand Software Settings.
10 Right-click Software installation, and then click New > Package.
11 In the Open dialog box, type the Universal Naming Convention (UNC) path that points to and contains the MSI package. Use the format as shown in the following example:
\\server name\SharedDir\Symantec AntiVirus.msi
12 Click Open.
13 In the Deploy Software dialog box, click Assigned, and then click OK. The package appears in the right pane of the Group Policy Object Editor window if you select Software Installation.
To configure templates for the package
1 In the Group Policy Object Editor window, in the console tree, display and enable the following settings:
* Under Configuration > Administrative Templates > Window Installer > Always install with elevated privileges
* Computer Configuration > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon
* Computer Configuration > Administrative Templates > System > Group Policy > Software Installation policy processing
* User Configuration > Administrative Templates > Windows Components > Windows Installer > Always Install with elevated privileges
2 Close the Group Policy Object Editor window.
3 In the Group Policy Management window, in the left pane, right-click the GPO that you edited, and then click Enforced.
4 In the right pane, under Security Filtering, click Add.
5 In the dialog box, under Enter the object name to select, type Domain Computers, and then click OK.
Creating a Windows Installer 3.1 Startup script
You must install Windows Installer 3.1 on the computers that contain and run earlier versions of Windows Installer. You can display Windows Installer versions by running msiexec /? in a command prompt. Windows Installer 3.1 is required for the GPO installation package. How you install Windows Installer 3.1 on computers is up to you. Note: Restricted users cannot run Windows Installer 3.1, and restricted users with elevated privileges cannot run Windows Installer 3.1. Restricted users are set with the local security policy. One way to install Windows Installer 3.1 is with a GPO computer startup script. Startup scripts execute before the GPO .msi installation files when computers restart. If you use this approach, be aware that the startup script executes and reinstalls Windows Installer every time the computer is restarted. If you install it in silent mode, however, users experience a slight delay before they see the logon screen. Symantec client software is only installed once with a GPO.
To install Windows Installer 3.1
1 In the Group Policy Management Window, in the console tree, expand your organizational unit, right-click your package, and then click Edit.
2 In the Group Policy Object Editor window, in the console tree, expand Computer Configuration > Windows Settings, and then click Scripts (Startup/Shutdown).
3 In the right pane, double-click Startup.
4 In the Startup Properties dialog box, click Show Files.
5 In a new window, display the contents of your GPO installation file folder, and then copy WindowsInstaller-893803-x86.exe from that window and folder to the Startup window and folder.
6 Redisplay the Startup Properties dialog box, and then click Add.
7 In the Add a Script dialog box, click Browse.
8 In the Browse dialog box, select the Windows Installer executable file, and
then click Open.
9 In the Add a Script dialog box, in the Script Parameters box, type /quiet /norestart, and then click OK.
10 In the Startup Properties dialog box, click OK.
11 Exit the Group Policy Object Manager window.
Adding computers to the organizational unit and installation software
You are now ready to add computers to the organization unit. When the computers restart, the client software installation process begins. When users log on to the computers, the client software installation process completes. The group policy update, however, is not instantaneous, so it may take time for this policy to propagate. The procedure, however, contains the commands that you can run on the client computers to update the policy on demand. To add computers to the organizational unit and install software
1 On the Windows Taskbar, click Start > Programs > Administrative Tools > Active Directory Users and Computers.
2 In the Active Directory Users and Computers window, in the console tree, locate one or more computers to add to the organizational unit that you created for GPO installation. Computers first appear in the computers organizational unit.
3 Drag-and-drop the computers into the organization unit that you created for the installation.
4 Close the Active Directory Users and Computers window.
5 To quickly apply the changes to the client computers (for testing), open a command prompt on the client computers.
6 Type one of the following commands, and then press Enter.
* On the computers that run Windows 2000, type secedit /refreshpolicy machine_policy.
* On the computers that run Windows XP and later, type gpupdate.
7 Click OK.
Article URL http://www.symantec.com/docs/TECH94023