Security Community Blog

Installing Symantec through Active Directory Group Policy

Created: 20 Apr 2009 • 6 comments
binayak

Copy the contents of the following folder

C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Inetpub\ClientPackages\<your own group id here>\full

to a network share (e.g. \\someserver\sep) that every user has read/execute access to.

Then create a Group Policy Object to run the following script (.bat file) at login/startup (this can also be used with LANDesk and PsExec):

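  REM Skip the install if SEP is already present in the default path
  IF EXIST "c:\Program Files\Symantec\Symantec Endpoint Protection" GOTO END
  REM Map the share that holds the client package (not kept across logons)
  NET USE Z: \\someserver\sep /PERSISTENT:NO
  REM Run the installer silently
  z:\setup.exe /s /v"/qn"
  :END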
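
A variant of the script above, added here as an example (it is not binayak's script): it skips server operating systems, treats a running client service as "installed", checks the install folders mentioned in the comments below on both C: and D:, and logs what it did. The service name SmcService and the log path are assumptions; \\someserver\sep is the post's placeholder share.

```bat
@echo off
setlocal
REM Added example. SmcService and the log path are assumptions;
REM \\someserver\sep is the post's placeholder share.
set "SRC=\\someserver\sep"
set "LOG=%SystemRoot%\Temp\sep_deploy.log"
set "FOUND="

REM 1. Workstations only: ProductType is WinNT on client Windows,
REM    ServerNT or LanmanNT on member servers and domain controllers.
reg query "HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions" /v ProductType | find /i "WinNT" >nul
if errorlevel 1 goto :done

REM 2. Client service already running: nothing to do, whatever the install drive.
sc query SmcService 2>nul | find "RUNNING" >nul
if not errorlevel 1 goto :done

REM 3. Look for the install folders named on this page on both C: and D:.
for %%D in (C D) do (
  for %%P in ("Symantec\Symantec Endpoint Protection" "Symantec Antivirus") do (
    if exist "%%D:\Program Files\%%~P\" set "FOUND=%%D:\Program Files\%%~P"
  )
)
REM Files present but service not running: log it for follow-up, do not reinstall.
if defined FOUND (
  echo %DATE% %TIME% %COMPUTERNAME% skip, found "%FOUND%" but service not running >>"%LOG%"
  goto :done
)

REM 4. Install from the share. pushd maps a temporary drive letter for the UNC
REM    path, so no fixed Z: is needed; popd releases it again.
pushd "%SRC%" || (echo %DATE% %TIME% %COMPUTERNAME% share unreachable >>"%LOG%" & goto :done)
setup.exe /s /v"/qn"
echo %DATE% %TIME% %COMPUTERNAME% setup.exe exit code %ERRORLEVEL% >>"%LOG%"
popd

:done
endlocal
```

Assigned as a computer startup script, this runs under the machine account, so the computer accounts need read access to the share. Keep the share read-only for everyone except the administrators who publish the package, since whatever setup.exe sits there is executed on every client.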

6 Comments

Symantec World

Thanks Binayak. Really I needed this.

Regards, M.R

Nel Ramos

We shall test this. Give you feedback after. Thanks.

Nel Ramos

Login to vote's picture

have you tested it; awaiting your reply and observation

BaezH

I would like to try something like this on KIX, or find a way you can check if the OS is not a server. I was logged on and only applied this script to a group I put myself into.

I tested on a computer that did not have SEP and it worked fine. During the time I was testing this, I got a phone call to check an issue, I logged on to a server, remotely, and even though SEP is installed (on the D drive) it launched the installation I set up for the C drive on that server.

I guess I could have added an extra line to check for this location too:

IF EXIST "D:\Program Files\Symantec\Symantec Endpoint Protection" GOTO END

All our servers get the Programs installed on the D Drive, so that needs to change from
IF EXIST "C:\Program Files\Symantec\Symantec Endpoint Protection" GOTO END

Since the IF-THEN-ELSE statement is only looking for the default path of SEP (for clean installs only), another statement needs to be added to check for SEP on a location that the good old Symantec Antivirus was installed to. This is because if you performed an upgrade from (let's say SAV 10.x.x.x), then the path would be like:

IF EXIST "C:\Program Files\Symantec Antivirus" GOTO END 

Wouldn't it be better to check for a registry value, running process, or a combination of both? If checking for a registry value and the installation started but did not complete you might have the key there and it would be skipped. 

Any thoughts??

I have an environment where help desk personnel are lacking a check list and not installing the security software after they re-image a computer or bring a new one online.

Any help will be greatly appreciated.

Login to vote's picture

you can use "SMS" server;

you can deploy packages through advertisements and even get reports for all completed workstation

deployment can be scheduled at any time;

moreover SMS is integrated with AD.

haroldvm89

I like this script. I'll test whenever I can. Thanks
