Thread: installing software using startup scripts in group policy 2003

  1. #1
    JR Guest

    installing software using startup scripts in group policy 2003

    Hi,
    I am trying to figure out the best way to install software through
    group policy when I don't have a .msi file. I have been able to
    install .exe's using computer startup scripts in group policy. That is
    pretty simple. But what I don't like is that the .exe will get
    installed every time the startup script runs, even if it already has
    the software, it will just re-install it over itself.

    What I would like to do is create a vbs startup script that first
    checks if the software is already installed, and if it is, then it
    doesn't do anything, but if it's not, then it will run the .exe file.
    How do I go about doing this though?

    If I apply the .bat file to the GPO, how do I call the .exe file from
    it? I would assume I need to create a network share and map a drive to
    it, but since startup scripts run as local system account, this won't
    work. If I use a logon script though, I will be able to access a
    share, but will still have problems since the users don't have local
    admin access to install the .exe.

    Am I just missing something? Can anybody give me a simple solution to
    this dilemma?

    Thanks,
    JR

  2. #2
    Richard Mueller [MVP] Guest

    Re: installing software using startup scripts in group policy 2003


    "JR" <joshransom@hotmail.com> wrote in message
    news:95826b89-a3b1-4ef9-b518-b1867773d229@z24g2000prf.googlegroups.com...
    > Hi,
    > I am trying to figure out the best way to install software through
    > group policy when I don't have a .msi file. I have been able to
    > install .exe's using computer startup scripts in group policy. That is
    > pretty simple. But what I don't like is that the .exe will get
    > installed every time the startup script runs, even if it already has
    > the software, it will just re-install it over itself.
    >
    > What I would like to do is create a vbs startup script that first
    > checks if the software is already installed, and if it is, then it
    > doesn't do anything, but if it's not, then it will run the .exe file.
    > How do I go about doing this though?
    >
    > If I apply the .bat file to the GPO, how do I call the .exe file from
    > it? I would assume I need to create a network share and map a drive to
    > it, but since startup scripts run as local system account, this won't
    > work. If I use a logon script though, I will be able to access a
    > share, but will still have problems since the users don't have local
    > admin access to install the .exe.
    >
    > Am I just missing something? Can anybody give me a simple solution to
    > this dilemma?
    >
    > Thanks,
    > JR


    Startup scripts run with System privileges on the local computer (the local
    system account you refer to), but with the privileges of the computer object
    elsewhere in the domain. If the startup script needs permissions, for
    example rights in a share, either grant the permissions to the computer
    object, or better yet to a domain group, like "Domain Computers", the
    computer is a member of. The startup script can be a batch file, VBScript,
    or exe.

    Logon scripts are more of a problem because they run with the user
    privileges. Most users probably cannot install programs.

    A batch file or VBScript can map a network share, copy a program, and run
    the program. There are two ways to ensure the setup is run once. One is to
    save the information in the local registry. I prefer to use what I call a
    flag file, but others in the newsgroups call a semaphore file. Batch files
    and VBScript programs can create files and check for their existence. The
    steps would be:

    1. Check for semaphore file. If it exists, quit.
    2. Map the network share.
    3. Copy the setup program to a local location (optional, for performance).
    4. Run the setup silently, perhaps with a setting so it installs for all
    users.
    5. Create semaphore file as a flag so the process is not repeated.

    In a batch file I used to use something similar to this to create a flag
    file.

    echo.>c:\setup21.txt

    You can save the semaphore file locally, but I like to save them on the
    network so I can remotely monitor progress (so I know when deployment is
    complete and I can remove the code to run the setup). You just need to have
    a different semaphore file for each computer (if the deployment is to each
    computer instead of each user). You can use the NetBIOS name of the computer
    in the file name. For example, in a batch file:

    echo.>\\MyServer\MyShare\%computername%21.txt

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --
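
The five steps from the post above, written out as one computer startup script. This is an added example, not code from either poster: the share names, `setup21.exe` and the `/S` silent switch are assumptions, and it reads the installer over a UNC path instead of mapping a drive letter.

```batch
@echo off
rem Added example, not from the thread. Assumed names: \\MyServer\Deploy
rem (installer share, read-only for Domain Computers), \\MyServer\Flags
rem (flag share, Domain Computers may create files), setup21.exe, and /S
rem as its silent switch (use whatever switch your installer documents).
setlocal
set "SRC=\\MyServer\Deploy\setup21.exe"
set "FLAG=\\MyServer\Flags\%COMPUTERNAME%21.txt"
set "LOCAL=%SystemRoot%\Temp\setup21.exe"
set "LOG=%SystemRoot%\Temp\setup21.log"

rem 1. Flag file exists: already installed, quit.
if exist "%FLAG%" goto :eof

rem 2. UNC paths work under the computer account, so no drive letter is
rem    mapped. If the share is unreachable (network not up yet), quit and
rem    let the next startup retry instead of failing halfway.
if not exist "%SRC%" (
    >>"%LOG%" echo %DATE% %TIME% source not reachable: %SRC%
    goto :eof
)

rem 3. Copy the installer to a local location.
copy /y "%SRC%" "%LOCAL%" >nul
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% copy failed
    goto :eof
)

rem 4. Run the setup silently and wait for it to exit.
start "" /wait "%LOCAL%" /S
set "RC=%ERRORLEVEL%"
del "%LOCAL%"

rem 5. Write the flag only on success, so a failed install is retried.
if not "%RC%"=="0" (
    >>"%LOG%" echo %DATE% %TIME% setup exit code %RC%
    goto :eof
)
>"%FLAG%" echo %DATE% %TIME% installed on %COMPUTERNAME%
```

Because the script runs the installer with System privileges, the installer share should be writable only by administrators; only the separate flag share needs create rights for the computer accounts.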



  3. #3
    Richard Mueller [MVP] Guest

    Re: installing software using startup scripts in group policy 2003


    "Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
    message news:OojR$3QwIHA.704@TK2MSFTNGP05.phx.gbl...
    >
    > "JR" <joshransom@hotmail.com> wrote in message
    > news:95826b89-a3b1-4ef9-b518-b1867773d229@z24g2000prf.googlegroups.com...
    >> Hi,
    >> I am trying to figure out the best way to install software through
    >> group policy when I don't have a .msi file. I have been able to
    >> install .exe's using computer startup scripts in group policy. That is
    >> pretty simple. But what I don't like is that the .exe will get
    >> installed every time the startup script runs, even if it already has
    >> the software, it will just re-install it over itself.
    >>
    >> What I would like to do is create a vbs startup script that first
    >> checks if the software is already installed, and if it is, then it
    >> doesn't do anything, but if it's not, then it will run the .exe file.
    >> How do I go about doing this though?
    >>
    >> If I apply the .bat file to the GPO, how do I call the .exe file from
    >> it? I would assume I need to create a network share and map a drive to
    >> it, but since startup scripts run as local system account, this won't
    >> work. If I use a logon script though, I will be able to access a
    >> share, but will still have problems since the users don't have local
    >> admin access to install the .exe.
    >>
    >> Am I just missing something? Can anybody give me a simple solution to
    >> this dilemma?
    >>
    >> Thanks,
    >> JR

    >
    > Startup scripts run with System privileges on the local computer (the
    > local system account you refer to), but with the privileges of the
    > computer object elsewhere in the domain. If the startup script needs
    > permissions, for example rights in a share, either grant the permissions
    > to the computer object, or better yet to a domain group, like "Domain
    > Computers", the computer is a member of. The startup script can be a batch
    > file, VBScript, or exe.
    >
    > Logon scripts are more of a problem because they run with the user
    > privileges. Most users probably cannot install programs.
    >
    > A batch file or VBScript can map a network share, copy a program, and run
    > the program. There are two ways to ensure the setup is run once. One is to
    > save the information in the local registry. I prefer to use what I call a
    > flag file, but others in the newsgroups call a semaphore file. Batch files
    > and VBScript programs can create files and check for their existence. The
    > steps would be:
    >
    > 1. Check for semaphore file. If it exists, quit.
    > 2. Map the network share.
    > 3. Copy the setup program to a local location (optional, for performance).
    > 4. Run the setup silently, perhaps with a setting so it installs for all
    > users.
    > 5. Create semaphore file as a flag so the process is not repeated.
    >
    > In a batch file I used to use something similar to this to create a flag
    > file.
    >
    > echo.>c:\setup21.txt
    >
    > You can save the semaphore file locally, but I like to save them on the
    > network so I can remotely monitor progress (so I know when deployment is
    > complete and I can remove the code to run the setup). You just need to
    > have a different semaphore file for each computer (if the deployment is to
    > each computer instead of each user). You can use the NetBIOS name of the
    > computer in the file name. For example, in a batch file:
    >
    > echo.>\\MyServer\MyShare\%computername%21.txt
    >
    > --
    > Richard Mueller
    > MVP Directory Services
    > Hilltop Lab - http://www.rlmueller.net
    > --
    >


    From experience I would recommend that logon or startup scripts be
    thoroughly tested before they are deployed. I create test OUs with test
    computers and users, then apply a GPO to the test OU so I can test such
    scripts. Any script needs to run fine when you run it, when a normal user
    runs it, and also as a logon or startup script. It's easy to make a mistake
    and hard to troubleshoot these scripts.

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --


