Summary software distribution

IntelliMirror's software distribution is based on Windows 2000 group policies and makes it possible to manage software installations on clients running Windows 2000 or newer. It can be used to install, update and remove software on specific computers or for specific users.

Windows installer service

The Windows installer service is responsible for installing, maintaining or removing the applications on the clients. It consists of three components:

- An operating system service to install, maintain or remove the applications.
- Windows Install Package files (.msi) that contain all the information about the application (programs, registry settings, etc.).
- An API that interfaces with the operating system.

The installer service monitors the state of an application and is able to repair it if problems occur. The executable used by the Windows installer service is msiexec.exe.

- Overview of the Windows installer technology in Windows 2000 (Q242479)
- Overview of the Windows installer technology in Windows XP/.Net server (Q310598)

Installer packages

There are three types of installer packages:

- Native Windows installer packages. These packages were designed to be used as .msi files. They support on-demand installation (only parts of the application can be installed) and are self-repairing. A user does not need administrative privileges to install the application.
- Repackaged Windows installer packages. These packages provide the same functionality as native Windows installer packages but cannot be used to install a part of the application. The repackaged .msi files can be created with WInstall, which is available on the Windows 2000 CD (valueadd\3rdparty\Mgmt\Winstle\Swiadmle.msi), or with other third-party tools.

  HOW TO: Create third-party Microsoft installer package (MSI) (Q257718)

- Existing setup programs. If it is not possible to get or create an .msi file, setup.exe or install.exe can be referenced from a .zap file. This is a text file that can only be used to publish applications. It does not support the Windows installer functions, so a user needs enough rights to install the application.

  HOW TO: Publish non-MSI programs with .zap files (Q231747) -> For additional options (e.g. URL, LCID, extensions, CLSID) in ZAP files see Windows 2000 resource kit chapter 23 'Software installation and maintenance'.
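
Added example (not part of the original page or of Microsoft's documentation): a Python check that parses a .zap file and reviews it before it is published. The sample file, its server, share and program names are constructed, and the rule that the setup program must sit on a UNC share is an assumed local policy that matches the distribution point described on this page.

```python
import configparser

# Constructed sample .zap file (server, share and program names are placeholders).
SAMPLE_ZAP = r'''
[Application]
; FriendlyName and SetupCommand are the two required entries.
FriendlyName = "Example Viewer 1.0"
SetupCommand = "\\server\dist\Example Viewer\setup.exe" /unattend
DisplayVersion = 1.0
Publisher = Example Corp
LCID = 1033

[Ext]
; Extensions that trigger installation of the published application.
EXV=
'''

REQUIRED = ("friendlyname", "setupcommand")  # configparser lowercases keys


def check_zap(text):
    """Parse .zap text; return (info, problems) for review before publishing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    info, problems = {}, []
    if not cp.has_section("Application"):
        return info, ["missing [Application] section"]
    app = cp["Application"]
    for key in REQUIRED:
        if not app.get(key, "").strip():
            problems.append(f"missing required entry: {key}")
    info["name"] = app.get("friendlyname", "").strip().strip('"')
    cmd = app.get("setupcommand", "").strip()
    # The setup program is either quoted (long path) or the first token.
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    else:
        exe = cmd.split(" ", 1)[0]
    info["setup_program"] = exe
    # Assumed local policy: setup must run from the distribution point share.
    if exe and not exe.startswith("\\\\"):
        problems.append(f"setup program is not on a UNC share: {exe}")
    exts = cp["Ext"] if cp.has_section("Ext") else {}
    info["extensions"] = sorted(k.lstrip(".").upper() for k in exts)
    return info, problems


if __name__ == "__main__":
    print(check_zap(SAMPLE_ZAP))
```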

Windows installer packages can be customized, e.g. to remove part of the application, by transforms. A transform is a specialized Windows installer package (.mst) that is associated with a .msi file.

A software patch is distributed as a .msp file that is associated with the original .msi file.

Software distribution point

After the installer packages are available, you need to create a software distribution point. This is a share that contains the installer packages and the associated programs. Normally users will only have read permissions on this share. DFS shares can be used to create fault-tolerance and to spread the load.

- DFS and software distribution interaction (Q285827)

Targeting software

Via the group policy snap-in for a site, domain or OU, you can create a group policy to assign or publish applications. First open the group policy window and select Computer Configuration - Software settings - Software installation (assign applications to computers) or User Configuration - Software settings - Software installation (assign or publish applications to users). In the properties you can set the following items:

- General tab
  - Default package location. The software distribution point share.
  - When adding new packages to user settings. Display the Deploy software dialog box, assign, publish (user only), or advanced publish or assign. Sets which action occurs when a new package is created.
  - Installation user interface options.
  - Uninstall the applications when they fall out of the scope of management. (not available on .NET server)
- Advanced tab (.NET server only)
  - Uninstall the applications when they fall out of the scope of management.
  - Include OLE information when deploying applications.
  - Make 32-bit X86 Windows installer packages available to Win64 machines.
  - Make 32-bit X86 down-level (ZAP) applications available to Win64 machines.
- File extensions tab
  - Associate files with a specific application. When no application is installed or assigned for a specific file extension, the application with the highest ranking in the file extension tab is installed.
- Categories tab
  - Create categories in the Add/Remove tab to create a better overview of the published applications. These categories are available per domain, not per group policy object.

On a package you can modify the following settings:

- General tab
  - Name. Name of the application. The tab also shows application information.
- Deployment tab
  - Deployment type. Published (users only) or assigned.
  - Deployment options.
    - Auto-install this application by file extension activation. Will install a published application when an associated file is opened.
    - Uninstall this application when it falls out of the scope of management. The application will be uninstalled if the group policy object no longer applies to the user or computer.
    - Do not display this package in the Add/Remove Programs control panel. The application is not available via Add/Remove Programs but is only installed via the shortcut (assigned applications) or when an associated file is opened.
    - Install this application at logon. (.NET server only)
  - Installation user interface options. Basic or maximum. Basic shows only error messages (default setting). Maximum shows more information.
  - Advanced button.
    - Ignore language when deploying this package.
    - Remove previous installs of the product from computers, if the product was not installed by Group policy-based software installation.
    - Select if package must be available for 64-bit systems. (.NET server only)
    - Include OLE class and product information. (.NET server only)
    - The tab shows advanced diagnostic information about the product code, deployment id and script name.
- Upgrades tab
  - Packages that this package will upgrade.
  - Packages in the current GPO that will upgrade this package.
- Categories tab
  - The categories in which the programs will be shown in Add/Remove Programs.
- Modifications tab
  - Modifications or transforms that are used to customize the package.
- Security tab
  - Users or groups to which the group policy (=application) will be available.

The security on the group policies can be used to determine which user or machine will get the application(s) published or assigned.

Applications assigned to users will be available the next time the user logs on. An application is installed when the user activates it by selecting the icon or by using a file association. The user can remove the assigned application.

Applications assigned to computers will be installed the next time the computer starts. Only users with administrative permissions can remove the application.

Applications that are published to users are only available via the Add/Remove option in the control panel. The user can remove the application if wanted.

Windows installer options can be customized with group policies (administrative templates\Windows components\Windows installer). One of the options is logging during the installation of .msi files to msi.log.

- HOW TO: Use group policy to remotely install software in Windows 2000 (Q314934)
- HOW TO: Assign software to a specific group by using a group policy (Q302430)
- Best practices for using Update.msi to deploy service packs (Q278503)
- How to enable Windows installer logging in Windows 2000 (Q223300)
- How to enable Windows installer logging in Windows XP (Q314852)
- HOW TO: Patch a software installation stored on a network server that is deployed using Microsoft software installer (Q226936)
- Command-line switches for the Microsoft Windows installer tool in Windows 2000 (Q227091)
- Command-line switches for the Microsoft Windows installer tool in Windows XP (Q314881)
- Assigning a Windows installer package with minimal interaction (Q224330)
- Windows Installer: Benefits and implementation for system administrators (Microsoft)
- How to create third-party Microsoft installer package (MSI) (Q257718)
- Working with transforms for assigned or published programs in Active Directory (Q236943)
- INFO: Disadvantages of repackaging applications (Q264478)
- A reader's problem with MSI installs (Swynk)
- Nested MSI package does not work and generates an error message (Q310737)

Sysdiff

Sysdiff is a resource kit utility used to take a snapshot of a computer before an installation takes place. Then something is installed and another snapshot is taken. The differences in the files and registry are recorded and copied into a package. To take the first snapshot, run SYSDIFF /snap /log:logfile snap_file. Then install the program and run SYSDIFF /diff /log:logfile /c:"comment" snap_file diff_file. This will create the difference file. You can add a difference file to a distribution server or run it individually on another machine. To run it on another machine, use SYSDIFF /apply /m /q diff_file. /m will create the icons for a default user, /q will ignore error messages during the installation. Use SYSDIFF /inf /m diff_file oem_root to copy the inf file and the changes to a distribution/installation directory. Use the [GuiRunOnce] section in the answer file to apply the application. You can use SYSDIFF /dump to export the file to a readable format.

Keep in mind that the system directory (including drive letters) must be the same as on the machine where the snapshot was taken. A hotfix is also available for Sysdiff on Windows 2000.

You can edit sysdiff.inf to change the directories and registry entries that are monitored for changes.

- Sysdiff, Windows 2000 secret software deployment tool (Swynk)
- Technet: Automating Windows NT setup deployment guide supplement (Sysdiff)
- Sysdiff.exe deployment tool is not included in Windows XP (Q298389)

Microsoft software inventory analyzer

The Microsoft software inventory analyzer can be used to check which Microsoft software is installed on local and remote systems.

Appsec

The resource kit utility Appsec can be used to restrict access to applications.

- Using the Application Compatibility toolkit
- HOW TO: Use appsec to restrict access to programs (Q320181)
- Appsec tool in Windows 2000 resource kit is missing files (Q257980)

Links:

- Using software restriction policies to protect against unauthorized software

Last update : 12 January 2003