Hans Joergen,
This is a good place to start! However, the Group Policy News Group might
be an even better place. I would suggest posting your question there if you
do not get any helpful answers.
I can gladly give you the big picture and then hopefully some links that
will fill in the pieces.
First of all you would need to have the .msi file in order to make use of
Group Policy. I would suggest that you stick with applications that are
natively made for this. Please note that there is a possibility to create
an .msi package with a piece of software that is located on the WIN2000
Server CD ( called WinInstall Lite ).
Let's use MS Office 2000 as the example.
1) create a folder on a Server called "MSOffice" - or whatever you like.
This will be your distribution point. Share it.
2) do an Administrative Installation of MS Office 2000 by using 'setup.exe
/a' and install it to that shared folder MSOffice. You will have to enter
the Product ID number just once - here. When installing to the users they
will not be asked for this!!!!
3) you need to place your users - or computers - in an Organizational Unit.
You can not deploy software via GPO to the default Users and default
Computers Containers.
4) you then need to right click that OU and select properties and go to the
Group Policy tab.
5) create the Group Policy....HINT: you need to tell AD where the .msi file
is by using the UNC ( Universal Naming Convention ) path. That would be in
the form of \\servername\MSOffice\data1.msi . If you use a mapped network
drive it will not work! Strongly consider using Advanced Assign or Advanced
Publish as this makes .mst files available. .MST files are the so-called
transforms files that allow you to customize your deployment.
There is the big picture.
Please note that you can either deploy this to user account objects or to
computer account objects. The difference is as follows: If you deploy this
to the user account objects then wherever your users log on they will get
this deployment of MS Office 2000 ( see the very last sentence for more on
this ) . It follows him or her, so to speak. If you deploy this to the
computer account object then whoever logs on to that computer will get this
deployment of Office 2000.
If you deploy this to your user account objects then you can either Assign
or Publish this GPO. Assigning this GPO means that it will be installed
without user interaction ( naturally, he or she needs to log on to the
computer! ). Publishing this GPO means that your users will need to go to
the Control Panel and then to Add/Remove Programs and manually start this.
If you deploy this to your computer account objects then you can only Assign
this GPO.
You can also deploy the Office 2000 Service Packs via GPO as well. You
would just need to update the administrative installation. You can do that
before you roll out this GPO so that your users are getting Office 2000 SP3
right from the start. With Office 2000 you can go straight from Office 2000
SR-1 to SP3. There is no need to first install SP1 and then install SP2 in
order to be able to install SP3. The lone requirement is that you do need
to first be at SR-1 level. With Office XP, for example, you need to have
the Enterprise version to be able to do an Administrative installation and
you do need to first install SP1 before you can install SP2. In both cases,
you are making use of .msp files.
I mentioned .mst files ( or transforms files ). This is available only if
you use the Advanced Assign or Advanced Publish. This allows you to
customize your Office 2000 installations. Say that you want your Finance
Department users to have Word, Excel, Outlook and Access while your Sales
Department users need Word, Excel, Outlook and PowerPoint and everyone else
simply needs Word, Excel and Outlook! Create three .mst files reflecting
this and have at it by creating three GPOs: one for the Finance OU (
requires you to create an OU with your 'Finance' user account objects in
that OU ) making use of the finance.mst; one for your Sales OU ( again, need
to create the OU and populate it with the proper user account objects )
making use of the sales.mst and one for everyone else making use of the
default.mst.
As far as uninstalling Office 2000 ( or whatever version you have ) I just
might consider this. Make use of the Office Removal Tool after manually
uninstalling. This will get rid of a bunch of files and registry entries
that are 'overlooked' by the uninstallation ( about 15MB or so ). However,
you do not necessarily need to do this. With 250 computers I might try to
automate this. It would take you about 12 hours Saturday and another 12
hours Sunday to manually do this.
You can not use security groups for GPOs. Some people may mistakenly tell
you that you can. This is not true. GPOs are deployed in the following
pecking order: local, Site, Domain, OU, sub-OU. That is final. Nowhere in
there are groups mentioned. However, you can make use of Security Groups to
filter who receives the GPO. By default, the Authenticated Users group is
given the Read and Apply Group Policy rights to the OU where the GPO is
linked ( let's just go with the example using OUs...it could be any of the
four listed above ).
I hope that you are able to follow this. There is a lot of information to
digest. I hope that I was clear and concise!
Here are some links that might be of help to you:
How to get and apply the Administrative Office 2000 SR-1 patch
http://support.microsoft.com/default.aspx?scid=kb;en-us;257983
How to obtain and apply Administrative Office 2000 SP2
http://support.microsoft.com/default.aspx?scid=kb;EN-US;278272
How to obtain and apply Administrative Office 2000 SP3
http://support.microsoft.com/default.aspx?scid=kb;en-us;326585
How to apply patches ( going from Office 2000 SR-1 to Office 2000 SP3, for
example )
http://support.microsoft.com/default.aspx?scid=kb;[LN];226936
More information on updating Administrative Installations
http://support.microsoft.com/default.aspx?scid=kb;en-us;304165
How to remove Office 2000 CD1
http://support.microsoft.com/default.aspx?scid=kb;en-us;252566
VERY IMPORTANT!!!!!
http://support.microsoft.com/default.aspx?scid=kb;en-us;261469
When applying the 'patches' it is very important that you include the
SHORTFILENAMES=1 line - otherwise you will experience what is mentioned in
the above MSKB Article.
DNS is very important for GPOs. Your client machines need to / MUST point
to your internal DNS Server and NOT to your ISP. This is a common problem.
Also, GPOs apply ONLY to WIN2000 Pro and WIN XP Pro clients. WINNT 4.0
Workstation and WIN9x clients are not able to understand GPOs - even with
the ADClient patch installed ( or DSClient patch ).
HTH,
Cary
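
The server-side part of the procedure above (shared distribution point, administrative installation, administrative patch with SHORTFILENAMES=1, and the UNC check before the GPO is created) as a cmd batch file. This is an added example, not part of Cary's post; SERVER01, D:\MSOffice, the E: CD drive and PATCH_FILE.msp are placeholders, and the real .msp name comes from the KB articles linked above.

```batch
@echo off
rem Added example. SERVER01, D:\MSOffice, E: and PATCH_FILE.msp are placeholders.
setlocal
set SERVER=SERVER01
set SHARE=MSOffice
set LOCALDIR=D:\MSOffice
set CDROM=E:
set PATCH=C:\adminUpdate\PATCH_FILE.msp
set UNC=\\%SERVER%\%SHARE%

rem Step 1: create the distribution point and share it.
if not exist "%LOCALDIR%" mkdir "%LOCALDIR%"
net share %SHARE%="%LOCALDIR%"

rem Show the NTFS ACL for review. Clients only need Read on this folder;
rem write access belongs to the administrators who maintain the package.
cacls "%LOCALDIR%"

rem Step 2: administrative installation. Setup asks for the install
rem location (use %LOCALDIR%) and for the Product ID, once.
if not exist "%LOCALDIR%\data1.msi" start /wait %CDROM%\setup.exe /a

rem Optional: patch the administrative image before the GPO is rolled out.
rem SHORTFILENAMES=1 is the property the post marks as very important.
if exist "%PATCH%" start /wait msiexec /a "%LOCALDIR%\data1.msi" /p "%PATCH%" SHORTFILENAMES=1

rem Step 5 pre-check: the package must be reachable by its UNC path,
rem because that is the path entered in the GPO (never a mapped drive letter).
if not exist "%UNC%\data1.msi" goto missing
echo Package path for the GPO: %UNC%\data1.msi
goto :eof

:missing
echo %UNC%\data1.msi is not reachable; fix the share before creating the GPO.
```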