
Guide for Assigning Symantec Workspace Agents to a Specific Group / Organizational Unit via Group Policy (GPO)

Created: 03 Aug 2010 • Updated: 07 Aug 2012
Christyt's picture

Active Directory contains a very useful feature that allows administrators to deploy software to machines or users automatically when the machine is booted or a user logs on. This document assumes you will be deploying software to a set of machines on which the user does not have local admin rights, so it focuses on the process of deploying to the computers via the Computer Configuration GPO setting.
 

Before proceeding, there are a few items you should be aware of:

  • Software to be automatically installed must be in the form of an .MSI package, configured with minimal or no user interaction
  • Installation runs as the local computer domain account (NT Authority\System). Authentication to the share location containing the .MSI package uses the local machine's Kerberos cache.
  • Package deployments configured under the Computer Configuration Group Policies are only pushed to computers within the assigned Organizational Unit (OU) tree.
  • Package deployments configured under the User Configuration Group Policies are only pushed to users within the assigned Organizational Unit (OU) tree.
  • The share containing the .MSI package must allow Domain Computers at least READ access. Authenticated Users group is also sufficient.
  • The Group Policy Object must allow for Read and Apply Group Policy rights for Domain Computers. Authenticated Users group is also sufficient.
  • To allow for multiple administrators to change or redeploy a package, the Group Policy must contain these additional administrator groups with the appropriate read/write/modify rights.
  • Packages are only deployed upon the initial boot of a computer, or during the logon of a user, depending on how the Package Object is defined. Packages will NOT be deployed during the normal Security Settings refresh interval.
  • Once a Package is successfully deployed, it will NOT be redeployed unless it is manually redeployed or versioning is enabled.

Please note: Symantec Workspace Agents packaged as .exe will NOT be deployed through GPO. The package must be in .msi format.

Purpose

The purpose of this document is to identify and record the procedures that need to be followed when deploying Symantec™ Workspace Agents using Active Directory Group Policy.

Create a Distribution Point

To publish or assign a computer program, you must create a distribution point on the publishing server:

  1. Log on to the server computer as an administrator.
  2. Create a shared network folder where you will put the Microsoft Windows Installer package (.msi file) that you want to distribute.
  3. Set permissions on the share to allow access to the distribution package.
  4. Copy or install the package to the distribution point.

    For example, here Client is a shared folder containing the 6.2.0.580 client binaries.
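Because clients install the package as NT Authority\System, anyone who can write to the distribution point can change what every targeted machine installs. The following audit of the share from steps 1-4 is an added example, not part of the original article; it assumes Windows Server 2012 R2 or later (SmbShare module, Get-FileHash), and the trusted-writer list is a placeholder to adapt.

```powershell
# Added example, not part of the original article. Run elevated on the file server.
# 'Client' is the article's share name; $TrustedWriters is an assumption to adapt.
$ShareName      = 'Client'
$TrustedWriters = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

# NTFS rights that would let a principal replace or alter a package on the share.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]('WriteData, AppendData, ' +
    'WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership')

$share = Get-SmbShare -Name $ShareName -ErrorAction Stop

# 1. Share permissions: accounts outside the trusted list should hold Read only.
$shareFindings = Get-SmbShareAccess -Name $ShareName | Where-Object {
    "$($_.AccessControlType)" -eq 'Allow' -and "$($_.AccessRight)" -ne 'Read' -and
    $_.AccountName -notin $TrustedWriters
}

# 2. NTFS ACLs on the shared folder and everything below it.
$items = @($share.Path) + @(Get-ChildItem -LiteralPath $share.Path -Recurse -Force |
    Select-Object -ExpandProperty FullName)
$ntfsFindings = foreach ($item in $items) {
    foreach ($ace in (Get-Acl -LiteralPath $item).Access) {
        $writable = ([int]$ace.FileSystemRights -band $WriteBits) -ne 0
        if ("$($ace.AccessControlType)" -eq 'Allow' -and $writable -and
            $ace.IdentityReference.Value -notin $TrustedWriters) {
            [pscustomobject]@{ Path = $item; Account = $ace.IdentityReference.Value
                               Rights = $ace.FileSystemRights }
        }
    }
}

# 3. Inventory the packages: signature status and SHA-256 to record as a baseline.
$packages = Get-ChildItem -LiteralPath $share.Path -Filter *.msi -Recurse | ForEach-Object {
    [pscustomobject]@{
        File      = $_.FullName
        Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
}

$shareFindings | Format-Table AccountName, AccessRight -AutoSize
$ntfsFindings  | Format-Table Path, Account, Rights -AutoSize
$packages      | Format-List
```

Empty findings tables mean only the trusted accounts can modify the share contents. ACEs that carry generic rights (shown by Get-Acl as raw numbers) are not expanded by this check and should be reviewed by hand.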

Create a Group Policy Object for a specific group

To create a Group Policy object (GPO) to use to distribute the software package:

  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click your domain, and then click Properties.
  3. Click the Group Policy tab, and then click New.
  4. Type a name for this new policy (for example, Software Deployment), and then press ENTER.

  5. Click Properties, and then click the Security tab.
  6. Click to clear the Apply Group Policy check box for the security groups that you want to prevent from having this policy applied.
  7. Click to select the Apply Group Policy check box for the groups that you want this policy to apply to.

    For example, a Demo Group has been created which will be the target group for deployment. Demo Group contains a user, test1, and a computer, smsxpclient.

  8. When you are finished, click OK.
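The same GPO creation and security filtering can be scripted, which also makes it easy to list who is able to edit the policy afterwards. This is an added example, not part of the original article; it assumes the GroupPolicy module (RSAT, with the Windows Server 2012 or later cmdlet names), uses the article's example GPO and group names, and the domain distinguished name is a placeholder.

```powershell
# Added example, not part of the original article.
# 'Software Deployment' and 'Demo Group' are the article's example names.
Import-Module GroupPolicy

$GpoName     = 'Software Deployment'
$TargetGroup = 'Demo Group'
$DomainDN    = 'DC=example,DC=com'   # placeholder: your domain's distinguished name

# Steps 1-4: create the GPO and link it to the domain.
$gpo = New-GPO -Name $GpoName -Comment 'Workspace agent MSI deployment'
New-GPLink -Guid $gpo.Id -Target $DomainDN -LinkEnabled Yes | Out-Null

# Step 6: clear "Apply Group Policy" for Authenticated Users but keep Read,
# so computer accounts can still read the policy.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# Step 7: select "Apply Group Policy" for the target group only.
Set-GPPermission -Guid $gpo.Id -TargetName $TargetGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Review the resulting delegation.
$perms = Get-GPPermission -Guid $gpo.Id -All
$perms | Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Format-Table -AutoSize

# Anyone listed here can change which package path the GPO installs as SYSTEM.
$editors = $perms | Where-Object { "$($_.Permission)" -like 'GpoEdit*' } |
    ForEach-Object { $_.Trustee.Name }
"Trustees able to edit '$GpoName': $($editors -join ', ')"
```

The package assignment itself is still added in the Group Policy editor as described in the next section.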

Assign a Package

To assign a program to computers that are running Windows Server 2003, Windows 2000, or Microsoft Windows XP Professional, or to users who are logging on to one of these workstations:

  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click your domain, and then click Properties.
  3. Click the Group Policy tab, select the group policy object that has been created (Software Deployment), and then click Edit.

  4. Under Computer Configuration, expand Software Settings.
  5. Right-click Software installation, point to New, and then click Package.
  6. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\file name.msi, i.e. \\192.168.0.1\Client\Symantec Workspace Streaming Agent.msi

    Important: Do not use the Browse button to access the location. Make sure that you use the UNC path to the shared installer package.

  7. Click Open.
  8. Click Assigned, and then click OK. The package is listed in the right pane of the Group Policy window.
  9. Close the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
  10. When the client computer starts, the managed software package is automatically installed.

Publish a Package (Optional)

To publish a package to computer users and make it available for installation from the Add or Remove Programs tool in Control Panel:

  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click your domain, and then click Properties.
  3. Click the Group Policy tab, click the group policy object that you want, and then click Edit.
  4. Under User Configuration, expand Software Settings.
  5. Right-click Software installation, point to New, and then click Package.
  6. In the Open dialog box, type the full UNC path of the shared installer package that you want. For example, \\file server\share\file name.msi.

    Important: Do not use the Browse button to access the location. Make sure that you use the UNC path to the shared installer package.

  7. Click Open.
  8. Click Publish, and then click OK.
  9. The package is listed in the right pane of the Group Policy window.
  10. Close the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
  11. Test the package:

    Note: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

    1. Log on to a workstation that is running Windows 2000 Professional or Windows XP Professional by using an account that you published the package to.
    2. In Windows XP, click Start, and then click Control Panel.
    3. Double-click Add or Remove Programs, and then click Add New Programs.
    4. In the Add programs from your network list, click the program that you published, and then click Add. The program is installed.
    5. Click OK, and then click Close.

Redeploy a Package

In some cases you may want to redeploy a software package, for example, if you upgrade or modify the package. To redeploy a package:

  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click your domain, and then click Properties.
  3. Click the Group Policy tab, click the Group Policy object that you used to deploy the package, and then click Edit.
  4. Expand the Software Settings container that contains the software installation item that you used to deploy the package.
  5. Click the software installation container that contains the package.
  6. In the right pane of the Group Policy window, right-click the program, point to All Tasks, and then click Redeploy application. You will receive the following message:

    Redeploying this application will reinstall the application everywhere it is already installed. Do you want to continue?

  7. Click Yes.
  8. Quit the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.

Remove a Package

To remove a published or assigned package:

  1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. In the console tree, right-click your domain, and then click Properties.
  3. Click the Group Policy tab, click the Group Policy object that you used to deploy the package, and then click Edit.
  4. Expand the Software Settings container that contains the software installation item that you used to deploy the package.
  5. Click the software installation container that contains the package.
  6. In the right pane of the Group Policy window, right-click the program, point to All Tasks, and then click Remove.
  7. Do one of the following:
    • Click Immediately uninstall the software from users and computers, and then click OK.
    • Click Allow users to continue to use the software but prevent new installations, and then click OK.
  8. Quit the Group Policy snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.

Troubleshoot

Published Packages Are Displayed on a Client Computer After You Use a Group Policy to Remove Them - This situation can occur when a user has installed the program but has not used it. When the user first starts the published program, the installation is finalized. Group Policy then removes the program.

NOTES:

Applications can also be pushed on a per-user basis or to an OU.

  • For user assignment: Under User Configuration, expand Software Settings. Right-click Software installation, point to New, and then click Package.

    The remaining steps are the same as those in Section 5, Assign a Package. The appropriate target user groups have to be selected in Section 4.

  • Deployment for an OU:

    Create an OU and add users, groups and computers to it. Right-click the OU and select Properties - Group Policy - New. Then follow the steps in Section 3, Create a Group Policy Object for a specific group, and Section 4, Assign a Package.

The same steps can be followed for the deployment of Symantec Workspace Virtualization Agent.

References:

http://support.microsoft.com/default.aspx/kb/816102
http://support.microsoft.com/kb/302430/