AD Group Policy & SW Deployment
Prepare an OU, user & workstation
Before we get into configuring a Group Policy Object (GPO) within Active Directory (AD), let's set the AD stage for deploying a software package. Via AD Users & Computers, create a "Test OU".
Then use PowerShell on AD01 (from MGMT01, via the RSAT AD module or a remote session) to create another OU called "Software Deploy", move WKS01 and your regular named account into it, and then delete the Test OU.
```powershell
# Create another OU called Software Deploy under charlotte.local,
# move WKS01 and your regular named account into it, and then
# delete the Test OU.
Import-Module ActiveDirectory

# Get the domain Distinguished Name (DN)
$domainDN = (Get-ADDomain).DistinguishedName

# Create the "Software Deploy" OU if it does not already exist.
# Get-ADOrganizationalUnit -Identity throws a terminating error when the OU is
# missing, so look it up with -Filter instead of -Identity.
$swDeployOUDN = "OU=Software Deploy,$domainDN"
$swDeployOU = Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$swDeployOUDN'"
if ($swDeployOU) {
    Write-Host "'Software Deploy' OU already exists at $swDeployOUDN"
} else {
    New-ADOrganizationalUnit -Name "Software Deploy" -Path $domainDN -Description "Software Deployment OU"
    Write-Host "Created $swDeployOUDN"
}

# Move the WKS01 computer object into the new OU
$computerDN = (Get-ADComputer -Identity "WKS01-CHARLOTTE").DistinguishedName
Move-ADObject -Identity $computerDN -TargetPath $swDeployOUDN
Write-Host "Computer $computerDN moved to $swDeployOUDN"

# Move the regular named account (charlotte.croce-adm) into the new OU
$userDN = (Get-ADUser -Identity "charlotte.croce-adm").DistinguishedName
Move-ADObject -Identity $userDN -TargetPath $swDeployOUDN
Write-Host "User $userDN moved to $swDeployOUDN"

# OUs are created with "Protect from accidental deletion" set; clear it, then delete the Test OU
$testOU = Get-ADOrganizationalUnit -Filter "Name -eq 'Test OU'"
if ($testOU) {
    Set-ADObject -Identity $testOU -ProtectedFromAccidentalDeletion $false
    Remove-ADOrganizationalUnit -Identity $testOU -Confirm:$false
    Write-Host "Deleted $($testOU.DistinguishedName)"
}
```
Deploying Software via GPO
- On MGMT01, download the current PuTTY 64-bit Windows Installer Package (.msi).
- Next, create a share on MGMT01 named 'Software' and place PuTTY's .msi in it, so users and computers (via GPO) can read and install it shortly. The workstation fetches the package as its computer account (SYSTEM) at startup, so the share and NTFS permissions must grant read access to computer accounts, not only to users.
- see SYS255 file share docs here. No need to map the share to a drive letter.
- Via the Group Policy Management console on MGMT01 (install the feature first, e.g. Install-WindowsFeature GPMC), create a new GPO named 'Deploy SW' linked to the Software Deploy OU.
- Edit the new GPO: under Computer Configuration > Policies > Software Settings > Software installation, create a new package, point it at PuTTY's .msi using the UNC path of the share (not a local or mapped-drive path, which the workstation cannot resolve), and choose Assigned.
- With the new GPO setting in place, run gpupdate /force on WKS01 and allow the restart when prompted. Software assigned to computers is installed at startup, so the restart is required; PuTTY should be installed once WKS01 is back up.
Note
An extremely common issue you'll encounter in Windows environments is the difference between NTFS (local) permissions and share permissions:
NTFS Permissions (also called Local Permissions): Permissions set on the file-system object itself. They are enforced on every access to the object, whether the account is logged on locally (i.e. at the keyboard) or coming in over the network.
Share Permissions: Permissions set on the SMB share. They are evaluated only for access that arrives through that share over the network; they have no effect on local access to the folder.
If both share and NTFS permissions are set, then the MOST RESTRICTIVE PERMISSION WINS: a share granting Everyone Full Control still yields only Read for an account whose NTFS permission is Read, and vice versa. #LeastPrivilegeRules -- summary here
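The share, GPO and verification steps above, and the share-versus-NTFS note, carried out as one PowerShell script. This is an added example, not code from the original lab page; it assumes MGMT01 has the RSAT GroupPolicy and ActiveDirectory modules, that the MSI was already downloaded to C:\Software, and the folder, share, GPO and OU names shown. Software installation packages have no GroupPolicy cmdlet, so that one step is still done in the GPMC editor.

```powershell
# Added example (not the lab page's own code). Run on MGMT01 as a domain admin.
# Assumptions: PuTTY MSI already downloaded to C:\Software; names below match the lab.
Import-Module ActiveDirectory
Import-Module GroupPolicy
Import-Module SmbShare

$ShareRoot = 'C:\Software'
$ShareName = 'Software'
$GpoName   = 'Deploy SW'
$OUDN      = "OU=Software Deploy,$((Get-ADDomain).DistinguishedName)"

# 1. Folder and share. Computer accounts are members of Authenticated Users,
#    so this grants WKS01 (running as SYSTEM at boot) read access to the MSI.
New-Item -Path $ShareRoot -ItemType Directory -Force | Out-Null
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $ShareRoot `
        -ReadAccess 'NT AUTHORITY\Authenticated Users' `
        -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# 2. NTFS permissions. Stop inheriting from C:\ and grant explicitly.
#    Effective access through the share = most restrictive of share and NTFS,
#    so Authenticated Users end up with Read in both places, nothing more.
$acl = Get-Acl -Path $ShareRoot
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, discard inherited ACEs
$inherit = 'ContainerInherit,ObjectInherit'
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\Authenticated Users', 'ReadAndExecute', $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, 'None', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $ShareRoot -AclObject $acl

# 3. Create the GPO and link it to the OU. New-GPLink errors if the link
#    already exists, so check Get-GPInheritance first.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Assigns PuTTY MSI to computers in Software Deploy'
}
$alreadyLinked = (Get-GPInheritance -Target $OUDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Target $OUDN -LinkEnabled Yes | Out-Null
}
Write-Host "GPO '$GpoName' linked to $OUDN. Add the package in GPMC using the UNC path:"
Write-Host "  \\MGMT01\$ShareName\<putty-installer>.msi   (Computer Configuration > Software installation, Assigned)"

# 4. Verification, to run on WKS01 after gpupdate /force and the reboot.
#    Reads the Uninstall registry key rather than Win32_Product, which would
#    trigger an MSI reconfiguration of every installed product.
function Test-PuttyDeployed {
    $gpoApplied = (gpresult /r /scope:computer) -match 'Deploy SW'
    $putty = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object { $_.DisplayName -like 'PuTTY*' }
    [pscustomobject]@{
        GpoApplied     = [bool]$gpoApplied
        PuttyInstalled = [bool]$putty
        Version        = $putty.DisplayVersion
    }
}
```

Run the first three steps on MGMT01, add the package in the GPO editor, then run Test-PuttyDeployed on WKS01 after the restart; both GpoApplied and PuttyInstalled should be True. If GpoApplied is True but PuttyInstalled is False, the usual cause is the workstation's computer account being unable to read the MSI, which the share and NTFS grants in steps 1 and 2 are meant to prevent.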