
MSI Group Policy Settings

Please note: Neither OEIT nor IS&T provide custom MSI development or integration services, but the information on these pages may still be of value in some cases.

The group policy information on this page covers settings that we have found useful in the management of our Windows machines.

Managing Software

The GP Setting to manage software is:
Computer Configuration\Software Settings\Software installation

To deploy an MSI (install a software package):

  1. Select the software installation group policy and right-click on the software listing pane.
  2. Select New and then Package.

Now you can select the MSI file you want to deploy. Afterwards you are asked to select a deployment method:

  • Assigned: preferred for all applications unless they are upgrading an existing package and/or have an associated transform file.
  • Advanced Published or Assigned: for upgrades and/or MSIs with transforms.

If you select Assigned, there will be a relatively quick verification of the MSI and then it will show up in the list.

If you select Advanced Published or Assigned, you will see a follow-up screen where you can set a number of options; the only two most people are concerned with are the "Upgrades" tab and the "Modifications" tab.

  • Upgrades: You simply select Add and choose which application this package is going to upgrade. Generally it is best to choose the "uninstall the existing package, then install the upgrade package" option (default).
  • Modifications: You simply select Add and choose the associated *.MST file, which is the transform that is associated with the MSI that you are adding. It is important that you do not press OK until all the transforms that you want to apply have been added; you cannot go back and add more.

Click OK and you will see the software package listed in the software pane. At the next reboot this package will be installed on all of the machines in your container.

To remove an MSI:

  1. Select Software installation and right-click on the software package that you are interested in removing.
  2. Select All Tasks and then Remove. When prompted for the removal method select Immediately uninstall the software from users and computers (default).

Click OK and you will see that the software package is removed from the listing. At the next reboot this package will be removed from all of the machines in your containers.

System Startup/Shutdown Scripts

The GP Settings for Startup/Shutdown scripts are:
Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Startup

Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Shutdown

Here you simply right-click on either Startup or Shutdown and add the script that you want to run. The scripts here are run as the user "SYSTEM", so they should have whatever access they need to run correctly. The scripts themselves can be batch files or Perl scripts.
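
Because these scripts run as SYSTEM, anyone who can modify a script file gains SYSTEM-level execution at the next startup or shutdown. The PowerShell check below is an added example, not part of the original page: it reports Allow entries that grant write-type rights to principals outside a trusted set. The function name, the trusted-SID list and the demo file are assumptions of this example.

```powershell
# Added example: find write access on scripts that Group Policy runs as SYSTEM.
# The trusted principals below are an assumption; adjust them for your domain.
$TrustedSidPatterns = @(
    '^S-1-5-18$',              # SYSTEM
    '^S-1-5-32-544$',          # BUILTIN\Administrators
    '^S-1-5-21-[\d-]+-512$',   # Domain Admins
    '^S-1-5-21-[\d-]+-519$'    # Enterprise Admins
)

# Rights that let a principal change the file's content or its ACL,
# plus the raw GENERIC_WRITE and GENERIC_ALL bits.
$fsRights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$WriteMask = [int]$fsRights -bor 0x40000000 -bor 0x10000000

function Get-UntrustedScriptWriter {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        # Ask for SIDs directly so unresolvable accounts do not throw.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
            $sid = $ace.IdentityReference.Value
            if ($TrustedSidPatterns | Where-Object { $sid -match $_ }) { continue }
            [pscustomobject]@{
                Path      = $p
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Demo on a constructed file: a script in a user's temp folder is normally
# writable by that user, so it is reported. Real input would be the paths of
# the startup/shutdown scripts configured in the policy.
$demo = Join-Path $env:TEMP 'startup-demo.cmd'
Set-Content -LiteralPath $demo -Value 'echo constructed sample'
Get-UntrustedScriptWriter -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo
```

An empty result means only the trusted principals can change the listed files; run the same check on the folder that holds them, since write access to the folder allows a file to be replaced.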

User Logon Scripts

The GP Setting for User Logon scripts is:
Computer Configuration\Administrative Templates\System\Run these programs at user logon

To insert a script for user logon you need to right-click on the GP setting and select Properties. Enable the group policy option, if it isn't already, and then select "Show" to receive a list of scripts that will run when a user is logging on.

The scripts here are run with the permissions of the user logging on, so they cannot be used to modify files or do system tasks that a regular user does not have permissions to do. The scripts themselves can be batch files or Perl scripts.

User Logoff Scripts

Within the design of our domain, running user logoff scripts was not possible as the place where this is listed in Group Policy (under User Configuration) is not utilized. The WinAthena team has created a GP extension which now allows you to run user logoff scripts.

The GP Setting for User Logoff scripts is:
Computer Configuration\Administrative Templates\WinAthena Settings\Logoff Scripts\Run these programs at user logoff

To insert a script for user logoff:

  1. Right-click on the GP setting and select Properties.
  2. Enable the group policy option, if it isn't already, and then select Show to receive a list of scripts that will run when a user is logging off.

The scripts here are run with the permissions of the user logging off, so they cannot be used to modify files or do system tasks that a regular user does not have permissions to do. The scripts themselves can be batch files or Perl scripts.

Disallowing System Shutdown

There are two group policy settings related to controlling the shutdown of the system. They are:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Allow system to be shut down without having to log on (set to Disabled)

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system (here you should have at least these three accounts: Administrator, SYSTEM and WIN\Domain Admins)
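
Both settings can be verified on a client from a `secedit /export` file. The PowerShell below is an added example, not part of the original page; the function name, the SID patterns used to recognise the three accounts, and the sample export are constructed for illustration.

```powershell
# Added example: audit the two shutdown settings from a secedit export.
# Live input (elevated prompt):  secedit /export /cfg "$env:TEMP\secpol.inf"
#                                $inf = Get-Content "$env:TEMP\secpol.inf" -Raw

# Constructed sample export so the check runs offline. The SIDs are made up.
$sampleInf = @'
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-18,*S-1-5-21-1111111111-2222222222-3333333333-500,*S-1-5-32-545
'@

function Test-ShutdownPolicy {
    param([Parameter(Mandatory)][string]$InfText)

    # The three accounts named on the page, matched by well-known SID or RID (assumption).
    $expected = [ordered]@{
        'Administrator (RID 500)' = '^\*?S-1-5-21-[\d-]+-500$'
        'SYSTEM'                  = '^\*?S-1-5-18$'
        'Domain Admins (RID 512)' = '^\*?S-1-5-21-[\d-]+-512$'
    }

    # Holders are comma-separated; SIDs carry a leading '*', unresolved names do not.
    $holders = @()
    if ($InfText -match '(?m)^SeShutdownPrivilege\s*=\s*(.+?)\s*$') {
        $holders = $Matches[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }

    # Registry values are exported as "<type>,<value>"; 4 = REG_DWORD, 0 = disabled.
    $noLogon = $null
    $key = [regex]::Escape('MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon')
    if ($InfText -match "(?m)^${key}\s*=\s*4,(\d+)") {
        $noLogon = [int]$Matches[1]
    }

    $missing = $expected.Keys | Where-Object { $pattern = $expected[$_]; -not ($holders -match $pattern) }
    $extra   = $holders | Where-Object { $h = $_; -not ($expected.Values | Where-Object { $h -match $_ }) }

    [pscustomobject]@{
        ShutdownWithoutLogonDisabled = ($noLogon -eq 0)
        MissingExpectedHolders       = @($missing)
        HoldersToReview              = @($extra)
    }
}

Test-ShutdownPolicy -InfText $sampleInf | Format-List
```

`HoldersToReview` lists every holder of the right beyond the three accounts, so entries such as BUILTIN\Administrators appear there for a decision rather than as an automatic failure.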

Setting the Administrator Password

The GP Setting to control the root password is:

Computer Configuration\Administrative Templates\WinAthena Settings\Root Password\Force a well-known Root (Administrator) Password

The documentation for this feature is here.

Setting Up Printers

The documentation related to printing is in this document.
If you are planning on utilizing a duplex printer you will need this information from our scripts page.

Disabling Off-line Files

We have found through experience that disabling the Windows off-line files feature in its entirety eliminates a host of potential problems. For example, when this was on, people could set it to synchronize all of AFS. Since there is no good reason in our environment to use this feature, we recommend shutting it off. There is a chance that laptops that may operate in a disconnected state could utilize this feature. However, more testing needs to be done.

The GP Setting to disable Off-line files is:
Computer Configuration\Administrative Templates\Network\Offline Files\Enabled (set to disabled)

Delete cached copies of roaming profiles

The GP Setting to enable the deletion of cached profiles is:
Computer Configuration\Administrative Templates\System\User Profiles\Enabled (set to enabled)

Log users off when roaming profile fails

We enable this option in most of our installations. Since much of the software and preferences are on the network, a failure to load a roaming profile usually means the machine has lost contact with the network. By forcing the users to log off when this happens, we save them from experiencing a session where programs may not run correctly and they may lose their data. In our experience, rebooting the machine almost always fixes the inability to obtain the user's roaming profile.

The GP Setting to enable logging off users when profiles cannot be loaded is:
Computer Configuration\Administrative Templates\System\User Profiles\Enabled (set to enabled)

Community

Documentation and information provided by the MIT Community


Last Modified: December 28, 2015
