Installing Software Using Group Policy

When choosing to distribute an application via group policy, the application must be in a packaged format, an .msi file. Many new applications now ship with an msi file already included. An msi file includes instructions on how an application is to be installed, along with all system modifications it will make. If you wish to distribute an application that is not in .msi format, you can create your own msi by using WinInstall LE, a repackaging application included on the Windows 2000 CD. Essentially you use it totake a ‘before’ snapshot of the system configuration, then install the software, after which you take an ‘after’ snapshot. The differences are recorded, and the necessary files and .msi file are stored to whatever directory you have specified. This directory should be shared, and then chosen as the location of the application you wish to distribute via group policy. When software is distributed via group policy, the user does not need any special privileges (such as being an administrator) to install the software. Instead, the software is installed using the elevated privileges of group policy. Another benefit of software distributed using an msi file is its resilience – if the software becomes damaged in any way, it will go back to its source files and automatically fix itself the next time you try to run it (assuming the source files are still available, of course).

If an msi file does not exist or cannot be created, it is still possible to publish the software to a user using something called a .zap file. Basically this is a text file containing the instructions necessary to install the software.The downside of this method is that the installation of the software requires that the user have an appropriate level of access to install software on the system – it will not install under the elevated privileges of group policy. Note that a .zap file is only used for publishing, and only to users (since you can’t publish software to a computer, remember!).

The path to the package should be provided in a manner that will allow network clients to connect, for example the UNC path to the .msi file location.

An important note with respect to distributing software via group policy – be careful with respect to how you apply policy for the purpose of software distribution. If the above example were assigning software to all users in a domain, every installation would obtain the package from the same server, even those in other physical sites. A better practice is to design for theassignment and publishing of software such that a local package is used and unnecessary WAN traffic is avoided.

You can also control what happens to software once a package is removed from group policy.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.