Managing Desktop Applications

When managing desktops is the task at hand, finding a way to deploy the operating system and keep it up to date is just part of the necessary administration. Another equally important aspect of desktop management is managing the applications installed on the client workstations.

There are three main aspects of desktop application management: installing or deploying the application, configuring it, and updating it. Windows Server 2003 provides a few different ways to perform these tasks, and the IT staff can use the tools and services available on the Windows XP desktops and the software installation services offered in Group Policy to perform application management tasks on a per-workstation basis, or the tasks can be scaled up to manage the applications for a particular group of users or computers. The following list describes how Windows XP and Active Directory can be used to manage applications:

Application installation Applications can be installed on desktops using the software installation services provided in Active Directory Group Policy. Other methods include deploying the application using computer startup/shutdown scripts or user logon/logoff scripts. Lastly, applications can be installed manually either by visiting the workstation and using the local console or using remote control software such as Remote Desktop on Windows XP and Windows Server 2003 systems.
Application configuration Depending on the application that needs to be managed, Group Policy templates can be used to configure it. Most built-in Windows services and applications can be configured using Group Policy. For the rest of the application, per-system or even per-user configuration can be set using Group Policy to deploy new Registry keys or update existing Registry key values to provide the configuration. Also, user login scripts can be used to configure application settings.
Application updating Application updates can be installed using Group Policy or can be installed manually. Many software vendors provide several ways to deploy application updates using the tools available in Windows and Active Directory or using custom application management utilities. Refer to the release notes and readme files of your particular application to determine how it can be managed.

Managing Applications Using Group Policy

You can manage applications rather easily using Group Policy if you use the right tools. Applications can be deployed using the software installation services function of an Active Directory Group Policy. Applications can also be deployed from a command prompt using a computer or user-based script.

Group Policy Software Installation

Deploying applications using the software installation services of Group Policy requires that the applications are packaged using a Windows Installer Package file (*.MSI). When you're deploying applications to users, the package can be assigned to a user or the pack can be published. When you're deploying applications to computers, the application can only be assigned, not published.

Assigned applications are installed automatically when the policy is applied to the computer or user. For users, published applications are listed in the Control Panel's Add/Remove Programs applet. If an application is published to a user, she need only open the Add/Remove Programs applet and double-click the application for it to be automatically installed. Depending on how the administrator configures the application when defining the application deployment properties in Group Policy, the application can be deployed using elevated privileges and can be customized using Transform files, which are used to specify installation criteria normally answered during a manual installation.

The next example is creating a software installation package to publish the Windows 2003 Administration pack to all users in the Help Desk Security group in the domain. To do so, follow these steps:

1.	Log on to a server with the Windows Server 2003 Administrative tools installed. Log in with an account that has the rights to upload files to a specific share folder and also has the rights to update the necessary Group Policy Object.

2.	Insert the Windows Server 2003 media and browse the media until you locate the AdminPak.MSI file in the I386 directory.
3.	Copy the Adminpak.MSI file to the network share location from where the installation will be pushed down. For this example, use \\Server7\software.
4.	Choose Start, All Programs, Administrative Tools, Active Directory Users and Computers. If you cannot locate the correct console, open MMC.exe from the Start menu's Run prompt and add the snap-in as necessary.
5.	Select the domain, right-click it, and select Properties.
6.	Select the Group Policy tab and then select the correct policy from the list. Because the domain policy does not apply to the Administrators group, best practice is to create a separate policy for settings that will apply to administrators who have other group memberships.
7.	Click the Properties button to open the Group Policy property pages.
8.	Select the Security tab and click Add. Type in the name of the Help Desk group and click OK.
9.	Select the Help Desk group from the security list and click the Allow button for the Apply Policy permission.
10.	Click OK to update the policy security.
11.	Back in the domain's Group Policy property page, select the policy and click the Edit button to open it.
12.	In the policy, expand the Computer Configuration section and select Software Settings.
13.	Expand Software Settings, right-click the Software Installation icon, and select New Package.
14.	Browse to the location of the MSI file, select it, and click Open.

15.	Because this package is being applied to Computer Configuration, select either the Assigned or Advanced option, as shown in Figure 28.4. If you choose the Assigned option, you can modify the Advanced properties later by selecting the package and changing settings on the package's property pages. Figure 28.4. Selecting the software package deployment options.

Using Third-Party Application Packaging Software

For you to be able to use Group Policy software installation services, the application must be available for installation in a Windows Installer Package file. Many software vendors provide an installer file with the software, but for legacy applications the administrator must create the package file. Several third-party application packaging products are available. To find a list of packaging software, perform an Internet search and look for "MSI packager" or "Windows installer packager."

Manually Installing Applications

When legacy applications cannot be packaged or when a particular application just needs to be installed on a handful of workstations, it may make the most sense to deploy these applications manually. Windows Server 2003 and Windows XP provide several ways for this task to be accomplished. As always, the administrator can install the application from the local system console, but that, of course, requires a visit to the workstation. To access the local console remotely to install applications, the administrator could use Remote Desktop to perform the operation individually or Remote Assistance if the connection is authorized by the end user.

Remote Installation Using Remote Desktop

To install applications remotely using Remote Desktop, the administrator needs to have Administrator group membership on the system. When the connection is made to an XP workstation, the logged-on user is logged out, so this option should be used only if the end user is notified beforehand so that he can save his data. To connect to an XP workstation using Remote Desktop, you simply open the remote desktop connection from the All Programs, Accessories, Communication menu, type in the fully qualified system name of the computer, and click Connect.

Remote Installation Using Remote Assistance

Using Remote Assistance, an administrator can aid an end user who needs to install software on her workstation but does not have the necessary rights. For example, the end user may need to install PDA software on her workstation. When this is the case, she can request remote assistance from the administrator. When the administrator connects, if the proper Remote Assistance settings are configured either in Group Policy or on the local workstation, he can take control of the console. The administrator can then open the Add/Remove Program applet from the Control Panel using the Run As option to specify an account with administrative privileges, which he can then use to install the software without requiring the user to log off.