
Our domain is very open with giving users freedom to work as needed – we don’t have many policies to restrict them.

But the policies we do have, we enforce wherever we can. One of the important ones is desktop antivirus and configuration management, but I’ve been using this technique to deploy Salt-Minion to servers as well.

GPO Policy Preference

This is also doable via logon scripts and remote deployment. I wanted a fast, reliable, easy to understand, and continually applying policy.

Preference: Install the program if it isn’t installed

This sounds pretty basic, and it is. And it relies on all the good tricks of preferences.

  1. Create a well named GPO, like C_AutoDeployRequiredPrograms
  2. Navigate to and create a Computer > Preference > Control Panel > Scheduled Task > Immediate Task (Win7+), again with an appropriate name such as ‘Install AV if not present’.
  3. Search for the User Account to be ‘System’ – this resolves as ‘NT AUTHORITY\SYSTEM’ on a domain. Set this to ‘Run whether user is logged on or not’ and tick to ‘not store password’.
  4. Create an action that will install the program silently. We use a DFS share that is present at each site, or the NETLOGON share, to make sure this is as fast and reliable as possible.
  5. Configure the Common tab Item-Level targeting, and create an item for “file”, with the item option “is not” to make a “file x does not exist”. We set this to be a key file that is required, such as “C:\Program Files\Microsoft Security Client\MsMpEng.exe” for Endpoint Protection, or “C:\salt\conf\minion_id” for our Salt deployments.
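
As an added example (not from the original post), a PowerShell script the step 4 action could call: it re-checks the key file, verifies the installer’s Authenticode signature before running it as SYSTEM from the share, and records the outcome in the Application log. The share path, installer name, silent switches and publisher name are assumptions.

```powershell
# Added example, not from the original post. Action script for the
# "Install AV if not present" immediate task; runs as NT AUTHORITY\SYSTEM.
# Assumed values: the share path, installer name, silent switches, publisher.
param(
    # Key file whose absence means "not installed" (same rule as the ILT filter).
    [string]$KeyFile   = 'C:\Program Files\Microsoft Security Client\MsMpEng.exe',
    # Installer on the site-local DFS share (assumed path).
    [string]$Installer = '\\Contoso.com\dfs\SharedLogonFiles\Installers\EndpointProtection.exe',
    # Silent switches (assumed; take them from the vendor documentation).
    [string]$Arguments = '/s /q',
    # Substring expected in the signing certificate subject (assumed).
    [string]$Publisher = 'CN=Microsoft Corporation'
)

$Source = 'GPP-AutoDeploy'
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}
function Write-Outcome([int]$Id, [string]$Type, [string]$Message) {
    Write-EventLog -LogName Application -Source $Source -EventId $Id -EntryType $Type -Message $Message
}

# The ILT "file does not exist" rule normally keeps this task off installed
# machines; re-checking makes the task safe even if that rule is edited later.
if (Test-Path -LiteralPath $KeyFile) {
    Write-Outcome 1000 Information "Key file present ($KeyFile); nothing to do."
    exit 0
}
if (-not (Test-Path -LiteralPath $Installer)) {
    Write-Outcome 1001 Error "Installer not reachable: $Installer"
    exit 1
}

# This runs as SYSTEM on every targeted machine, so refuse to execute anything
# from the share that is unsigned or signed by the wrong publisher.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notlike "*$Publisher*") {
    Write-Outcome 1002 Error "Signature check failed for $Installer (status: $($sig.Status))."
    exit 1
}

$proc = Start-Process -FilePath $Installer -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -eq 0 -and (Test-Path -LiteralPath $KeyFile)) {
    Write-Outcome 1003 Information "Installed from $Installer; $KeyFile is now present."
    exit 0
}
Write-Outcome 1004 Error "Install returned exit code $($proc.ExitCode); key file present: $(Test-Path -LiteralPath $KeyFile)."
exit 1
```

Point the task’s action at powershell.exe with -NoProfile -File and the script’s path on the same share; the event IDs above give you something to alert on from the Application log.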

I use “System” for some of our daily and weekly maintenance tasks too, such as unmounting ISOs not on CSVs, or triggering cleanups of file systems.

Preference: Service must always be running

Again we want to ensure once the program is installed that it is always running. For Salt and WSUS, we don’t want users to suppress the service.

  1. Use the same well named GPO.
  2. Navigate to and create a Computer > Preference > Control Panel > Services
  3. Set the service name, startup, and action. For Salt, we use ‘salt-minion’ / Automatic / Start Service, while for Win8 WSUS it should be Manual with ‘no change’, as it starts on its own when needed.
  4. Again, consider changing the Item Level Targeting if needed. If you try to alter a service that doesn’t exist, it will log this in the event log.

Preference: Files and Shortcuts must exist

Now this is a little more general, and still hasn’t really replaced Robocopy mirroring a folder at startup. While this can run as both Computer and User accounts, many of the template folders we have are company-wide.

  1. Use a well named GPO like C_FileDeployment.
  2. Navigate to and create a Computer > Preference > Windows > Files
  3. Select a source and destination – such as \\Contoso.com\dfs\SharedLogonFiles\Templates\ to C:\ProgramData\Contoso\Templates\
  4. A trailing slash will pick up the whole folder, and wildcards work well too. Unfortunately, you can’t use a combination of “Delete” and “Update” actions to mirror a folder.
  5. Use Item Level Targeting to target more specific machines based on wildcards in their computer name, or security groups they are already members of.

I also use this kind of preference to set up well-known Start Menu icons that are easy to find.

  1. Use a well named GPO like U_StartmenuIcons
  2. Navigate to and create a User > Preference > Windows > Files
  3. Select a source and destination – such as \\Contoso.com\dfs\SharedLogonFiles\AppIcon.dll to C:\ProgramData\Contoso\AppIcon.dll
  4. Navigate to and create a User> Preference > Windows > Shortcuts
  5. Select to either place a URL or a File System object, like http://www.contoso.com or C:\ProgramData\Contoso\CustomApp.exe
  6. Name the target using F3 in the field for extra options like the Start Menu ‘Programs’ area – %ProgramsDir%\Contoso\CustomApp.
  7. Select an icon path either to a general library, or one that you copy over by File preference.
  8. Use Item Level Targeting to target users based on Site and Group membership. This is really powerful, as you can put all the file, folder, shortcut, mapped drive, etc. policies into one master GPO to maintain consistency of naming while keeping intent intact.
  9. Use “remove item when it is no longer applied” to remove shortcuts as users move around. Or use “apply only once” for desktop shortcut icons to kick-start new users while allowing them to clear them away later.
