Category Archives: Group Policy

Group Policy Software Deployment OpenVPN

You will require:

OpenVPN Code signing certificate: http://anonit.blogspot.com.au/2016/03/extract-openvpn-driver-code-signing.html
OpenVPN MSI – instructions here:

Create the deployment share, and set permissions as appropriate: http://anonit.blogspot.com.au/2016/03/group-policy-software-deployment.html

Place the OpenVPN MSI into the deployment share.

Open GPMC.MSC


Expand the domain, and expand Group Policy Objects.  Right click and select New


Give the software deployment a name, and click OK


Right click the GPO and select Edit…


Expand Computer Configuration –> Policies –> Software Settings.  Right click on
Software Installation and select New –> Package…


Navigate to the deployment share via UNC, select the MSI, and click Open.


Select Assigned and click OK.


The application is now assigned for install.


Navigate to Computer Configuration –> Windows Settings –> Security Settings –> 
Public Key Policies.  Right click Trusted Publisher and select Import…



Click Next



Click Browse


Navigate to the OpenVPN certificate and click Open


Click Next



Click Next


Click Finish


Click OK



The certificate is now ready to be pushed out via Group Policy.


Drag the Group Policy Object (EG: Install Open VPN Client) and release on the OU you wish to
deploy the software to.  (EG: Corp Computers).


The software will now be deployed to computer objects in that OU.
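
Importing a certificate into Trusted Publisher is a trust decision for every computer in the OU, so it is worth confirming what the certificate and the MSI are before the GPO is linked. The PowerShell below is an added example, not part of the original post; the function name and the paths in the usage comment are placeholders.

```powershell
# Added example, not from the original post. Function name and paths are placeholders.
function Get-PublisherImportSummary {
    param(
        [Parameter(Mandatory)][string]$CertPath,   # certificate to import into Trusted Publisher
        [Parameter(Mandatory)][string]$MsiPath     # MSI placed in the deployment share
    )
    $certFile = (Resolve-Path -LiteralPath $CertPath).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certFile)

    # Collect Enhanced Key Usage OIDs; 1.3.6.1.5.5.7.3.3 is Code Signing.
    $ekus = @(foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    })

    # Authenticode status of the MSI as seen by this machine (Valid, NotSigned, HashMismatch, ...).
    $sig    = Get-AuthenticodeSignature -LiteralPath $MsiPath
    $signer = $sig.SignerCertificate

    [pscustomobject]@{
        CertSubject         = $cert.Subject
        CertIssuer          = $cert.Issuer
        CertThumbprint      = $cert.Thumbprint
        CertNotAfter        = $cert.NotAfter
        CertExpired         = $cert.NotAfter -lt (Get-Date)
        HasCodeSigningEku   = $ekus -contains '1.3.6.1.5.5.7.3.3'
        MsiSignatureStatus  = $sig.Status
        MsiSignerSubject    = if ($signer) { $signer.Subject } else { $null }
        MsiSignerThumbprint = if ($signer) { $signer.Thumbprint } else { $null }
        # Informational only: the driver certificate and the MSI signer may legitimately differ.
        CertIsMsiSigner     = [bool]($signer -and $signer.Thumbprint -eq $cert.Thumbprint)
    }
}

# Usage (placeholder paths):
# Get-PublisherImportSummary -CertPath 'C:\Temp\openvpn.cer' -MsiPath '\\server\deploy\openvpn.msi'
```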

Group policy Software deployment permissions

When deploying software via Group Policy, permissions must be set so that the computer account has read permission to the install files.

To check this, open Computer Management and open Shared Folders.

Right click the deployment share and select Properties



Domain computers at a minimum should have read.  In this example, I have Everyone as read.



Open Windows Explorer and navigate to the deployment folder.  Right click the deployment folder
and select Properties


On the Security tab, you can see I have added Domain Computers as Read & execute, List
folder contents, and Read.


This will allow the computer accounts to access the software deployment share.
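
The same two checks (share permissions and NTFS permissions) can be scripted on the file server. The PowerShell below is an added example, not part of the original post; the function name and the share name in the usage comment are placeholders. Effective access over the network is the more restrictive of the two levels, so it reports both, and it also lists any write access held by the same broad groups, since computers install whatever MSI is in the share.

```powershell
# Added example, not from the original post. Run on the server hosting the share.
function Test-DeploymentShareAccess {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        # Groups that cover computer accounts; adjust for your domain.
        [string[]]$Readers = @('Domain Computers', 'Everyone', 'Authenticated Users')
    )
    # Match 'Everyone' as well as 'DOMAIN\Domain Computers' style names.
    $names   = ($Readers | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = "(^|\\)($names)$"

    $share = Get-SmbShare -Name $ShareName
    $smb   = @(Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -match $pattern })
    $ntfs  = @((Get-Acl -LiteralPath $share.Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -match $pattern })

    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $write = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    [pscustomobject]@{
        Share           = $ShareName
        Path            = $share.Path
        # Read must be granted at both levels for the computer account to fetch the MSI.
        ShareGrantsRead = [bool]($smb | Where-Object { $_.AccessRight -in 'Read', 'Change', 'Full' })
        NtfsGrantsRead  = [bool]($ntfs | Where-Object { ($_.FileSystemRights -band $read) -eq $read })
        # Broad groups that can modify the install files (generic-rights ACEs are not decoded here).
        ShareWriters    = @($smb | Where-Object { $_.AccessRight -in 'Change', 'Full' } |
            ForEach-Object { $_.AccountName })
        NtfsWriters     = @($ntfs | Where-Object { ($_.FileSystemRights -band $write) -ne 0 } |
            ForEach-Object { $_.IdentityReference.Value })
    }
}

# Usage (placeholder share name):
# Test-DeploymentShareAccess -ShareName 'Deploy'
```

Both `ShareGrantsRead` and `NtfsGrantsRead` should be true, and the two writer lists should be empty for a read-only deployment share.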

Adobe DC Customisation Wizard

A new version of Adobe Reader is out, with a new name.  No longer called Adobe Reader, it is called Acrobat Reader.  And the version is ‘DC’.

So head on over to Adobe’s website, download and install the Customisation wizard:

http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=5892&fileID=5928

Grab Acrobat Reader (without the McAfee / Google bundle):

http://get.adobe.com/reader/enterprise/

Use your favourite program to extract the files from within the .exe file (WinRAR, 7zip, etc).

Once you have the .MSI file extracted, you can then open the customisation wizard, and open the .MSI using the customisation wizard.

Make any relevant changes you wish to the .MSI file.  EG: ‘Suppress display of End User License Agreement (EULA)’, ‘Disable product updates’, ‘Disable Upsell’, etc.

You may also want to use the Registry section of the Customisation Wizard to make changes, or use Group Policy, or alternate methods of setting the relevant keys:

Don’t show messages while viewing a document
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown\cIPM
bDontShowMsgWhenViewingDoc
Reg_DWORD
0

Show me messages when I launch Adobe Acrobat Reader DC
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown\cIPM
bShowMsgAtLaunch
Reg_DWORD
0

Show welcome dialog when opening file
HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockdown\cWelcomeScreen
bShowWelcomeScreen
Reg_DWORD
0

HKLM\Software\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown
bUsageMeasurement
Reg_DWORD
0

Set ‘bDontShowMsgWhenViewingDoc’ to a value of ‘0’ to NOT display the message.  A value of 1 will display the message.  This is the reverse of what is expected given the name is DontShow.

Save the package in the customisation wizard, and install using the following command:
msiexec.exe /i AcroRead.msi TRANSFORMS=acroread.mst

The details for this post were found:

http://anonit.blogspot.com.au/2010/09/adobe-reader.html

http://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/AVGeneral.html?zoom_highlight=welcome#idkeyname_1_4934 (Some information in this is now incorrect, see the forum post below!)

https://forums.adobe.com/thread/1812870

Create a Group Policy WMI filter to determine 64 bit or 32 bit Operating System

I needed to create a WMI filter for Group Policy that would separate 64 bit and 32 bit Operating Systems.

Source: http://community.spiceworks.com/how_to/show/1432-using-wmi-filters-to-apply-group-policy-to-a-target-operating-system

Open Group Policy Management.  Expand the Forest and Domain, down to WMI Filters.



Right click WMI Filters and select New…



Type a Name (for 64 bit operating systems) for the Filter and a Description.  Click Add



Leave the Namespace as root\CIMv2

Type the Query

SELECT AddressWidth FROM Win32_Processor WHERE AddressWidth = '64'

Click OK



Click Save

 

Repeat the process, for 32 bit Operating Systems.  The Query is:

SELECT AddressWidth FROM Win32_Processor WHERE AddressWidth = '32'

This can then be applied to a Policy



Some handy WMI filters for further separation:

Windows 7 32 bit:

select * from Win32_OperatingSystem WHERE Version like "6.1%" AND
ProductType="1" AND NOT OSArchitecture = "64-bit"

Windows 7 64 bit:

select * from Win32_OperatingSystem WHERE Version like "6.1%" AND
ProductType="1" AND OSArchitecture = "64-bit"

Windows 8 32 bit:

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND
ProductType="1" AND NOT OSArchitecture = "64-bit"

Windows 8 64 bit:

select * from Win32_OperatingSystem WHERE Version like "6.2%" AND
ProductType="1" AND OSArchitecture = "64-bit"
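
A WMI filter evaluates to true when its query returns at least one instance, so each query can be tested on a representative machine before the filter is linked to a GPO. The PowerShell below is an added example, not part of the original post; the function name is a placeholder and the queries are the ones listed above.

```powershell
# Added example, not from the original post. Function name is a placeholder.
$filters = [ordered]@{
    '64 bit OS'        = "SELECT AddressWidth FROM Win32_Processor WHERE AddressWidth = '64'"
    '32 bit OS'        = "SELECT AddressWidth FROM Win32_Processor WHERE AddressWidth = '32'"
    'Windows 7 32 bit' = 'select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"'
    'Windows 7 64 bit' = 'select * from Win32_OperatingSystem WHERE Version like "6.1%" AND ProductType="1" AND OSArchitecture = "64-bit"'
    'Windows 8 32 bit' = 'select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND NOT OSArchitecture = "64-bit"'
    'Windows 8 64 bit' = 'select * from Win32_OperatingSystem WHERE Version like "6.2%" AND ProductType="1" AND OSArchitecture = "64-bit"'
}

function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Filters,
        [string]$Namespace = 'root\CIMv2',
        [string]$ComputerName          # optional remote target; local machine when omitted
    )
    $target = @{}
    if ($ComputerName) { $target.ComputerName = $ComputerName }

    foreach ($name in $Filters.Keys) {
        $result = [ordered]@{ Filter = $name; Applies = $false; Instances = 0; Error = $null }
        try {
            $hits = @(Get-CimInstance -Namespace $Namespace -Query $Filters[$name] -ErrorAction Stop @target)
            $result.Instances = $hits.Count
            $result.Applies   = $hits.Count -gt 0   # any returned instance makes the filter true
        } catch {
            # An invalid query (for example one pasted with curly quotes) never matches.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

Test-WmiFilterQuery -Filters $filters | Format-Table -AutoSize
```

On any one machine exactly one of the two AddressWidth filters should report `Applies = True`, and at most one of the OS-specific filters.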