Skip to Content

How to Create GPO to Deploy Software in AD Environment?

By: Author Alex Lim

Posted on  - Last updated:

Categories Windows

If you use Microsoft Active Directory in your environment, you can use a GPO to deploy the software package to Windows computers. You create a software distribution then configure a GPO administrative template for the software packages.

[Solution] Create GPO to Deploy Software in AD Environment

This process assumes that you have installed Microsoft’s Group Policy Management Console with Service Pack 1 or later. The Windows interface may be slightly different depending on the version of Windows you use.

This process also assumes that you have computers in the Computers group or some other group to which you want to install client software. Optionally, you can drag these computers into a new group that you create.

To create a GPO software distribution

  1. On the Windows Taskbar, click Start > All Programs > Administrative Tools > Group Policy Management.
  2. In the Active Directory Users and Computers window, in the console tree, right-click the domain, and then click Active Directory Users and Computers.
  3. In the Active Directory Users and Computers window, select a target organizational unit (OU) under the appropriate domain. You can also create a new OU for testing or other purposes. See Active Directory documentation by Microsoft for more information on how to create a new OU.
  4. In the Group Policy Management window, in the console tree, right-click the organizational unit that you chose or created, and then click Create and Link a GPO Here. You may need to refresh the domain to see a new OU.
  5. In the New GPO dialog box, in the Name box, type a name for your GPO, and then click OK.
  6. In the right pane, right-click the GPO that you created, and then click Edit.
  7. In the Group Policy Object Editor window, in the left pane, under Computer Configuration, expand Software Settings.
  8. Right-click Software installation, and then click New > Package.
  9. In the Open dialog box, type the Universal Naming Convention (UNC) path that points to and contains the MSI package. Use the format as shown in the following example: \\server name\SharedDir\Sep.msi
  10. Click Open.
  11. In the Deploy Software dialog box, click Assigned, and then click OK. The package appears in the right pane of the Group Policy Object Editor window if you select Software Installation.

To configure administrative templates for the software package

  1. In the Group Policy Object Editor window, in the console tree, display and enable the following settings:
    • Computer Configuration > Administrative Templates > System > Logon > Always wait for the network at computer startup and logon
    • Computer Configuration > Administrative Templates > System > Group Policy > Software Installation policy processing
    • User Configuration > Administrative Templates > Windows Components > Windows Installer > Always install with elevated privileges
    • Note: If you enabled User Account Control (UAC) on the client computers, you must also enable Computer Configuration > Administrative Templates > Windows Components > Windows Installer > Always install with elevated privileges to install software with a GPO. You set these options to allow all Windows users to install Symantec client software.
  2. Close the Group Policy Object Editor window.
  3. In the Group Policy Management window, in the left pane, right-click the GPO that you edited, and then click Enforced.
  4. In the right pane, under Security Filtering, click Add.
  5. In the dialog box, under Enter the object name to select, type Domain Computers, and then click OK.