In this lab, I demonstrate how to deploy software (.msi and .exe) using Group Policy (GPO) in an Active Directory environment. The setup simulates a real-world scenario in which different departments receive different software packages based on their roles. First, I create two groups in Active Directory: ExecPCs and UserPCs. Then I deploy Google Chrome and Notepad++ to User PCs, and Google Chrome, Firefox, and Adobe Reader to Executive PCs. To validate the deployment and ensure that Group Policy was applied correctly, I use two test user accounts representing different roles: Hank McCoy (Username: Beast) – Chief Technology Officer and Bobby Drake (Username: Iceman) – Creative Marketing Director from Cerebro-AD-Creator
Create 2 Windows 10 machines and join them to the domain: Exec1 > Executive workstation and PC1 > Standard user workstation. To logically differentiate these machines, create two organizational units: ExecPCs and UserPCs.
On DC, Run CMD and type dsa.msc to shortcut your way into Active Directory Users and Computers. Right-click on the domain > New > Organizational Unit. Name it as ExecPCs. Do it again for UserPCs. Assign the computers from the default "Computers" organizational unit by dragging Exec1 to ExecPCs and PC1 to UserPCs.
.PNG)
.PNG)
If you need help joining machines to the domain, refer to Active-Directory-Home-Lab-Setup-Guide
On the Domain Controller (DC), go to Local Disk (C:) and create a folder named "Deployment" to store the installation files.
.PNG)
To obtain the installation files, search for the enterprise/offline installers (e.g., “download Chrome MSI”).
Download the official .msi versions for Google Chrome, Firefox, Notepad++ and the .exe installer for Adobe Reader from the official website. Move the setup files in this folder.
.PNG)
Go back and right-click on the folder> Properties > Click on the Sharing tab > Check "Share this folder". Change the name to Deployment$. "$" at the end will hide the path.
.PNG)
Remove the default Everyone group, as it includes all users, including unauthenticated accounts. We don't want unauthenticated users to access our files, as this is how malware and ransomware spread across the network. Instead, add "All Employees" and give them "Read" permission, ensuring that only authenticated users can access the shared folder while maintaining security.
.PNG)
We also need to give "Domain Computers" access.
.PNG)
Since my other user, Frank, with Admin Rights, is not in the All Employees group, I gave him access as well.
.PNG)
Copy the Network Path as we will need it soon.
.PNG)
Here is a screenshot from our two test computers before we progress further. PC 1 is on the left and EXEC1 is on the right. They are both running freshly installed Windows 10.
From Server Manager Dashboard > Tools > Group Policy Management.
.PNG)
First, we will deploy software to executives' computers. Expand lab.local to find the ExecPC group. Right-click on the ExecPC group > "Create a GPO in this domain and Link it here"
.PNG)
You can give any name; I named it "BrowserForExecutives". Click OK.
.PNG)
Right-click the GPO and click "edit" to configure it
.PNG)
Click "Policies" under Computer Configuration > Software Settings > Software Installation. Right-click on the blank window > New > Package
.PNG)
Paste the path location that we copied and click Open.
.PNG)
Select ChromeSetup.msi and click on Open
.PNG)
Click on Assigned and OK.
.PNG)
Repeat the same steps for Firefox. When it is done, close the Group Policy Managemet Editor.
.PNG)
Right-click on the User PC group > "Create a GPO in this domain and Link it here"
.PNG)
Give it a name
.PNG)
Right-click the GPO and click "edit" to configure it. Click "Policies" under Computer Configuration > Software Settings > Software Installation. Right-click on the blank window > New > Package
.PNG)
Repeat the same steps for Chrome and Notepad++ setup files. Paste the path \\DC01\Deployment$ into the File Name bar, same as before, and click Open to find the setup files.
.PNG)
Since GPOs are configured, go back to PC1 and Exec1 machines. On CMD, Type gpupdate /force to update GPOs and restart the PCs.
.PNG)
After the restart, log back in
.PNG)
Chrome and Notepad++ are installed on PC1 and Chrome and Firefox are installed on Exec1
.PNG)
Group Policy Software Deployment does not support .exe files directly. Thus, to deploy .exe applications, we will be using a PowerShell script in combination with Group Policy. Download Adobe Reader Script and save it to Desktop.
Return to Group Policy Management, right-click on ExecPCs, and select "Create a GPO in this domain and Link it here. Assign an appropriate name to the policy, "AdobeReaderForExec" in our case. You should see the newly created GPO appear as the second item in the list.
.PNG)
Right-click to edit. Click on Policies > Windows Settings > Scripts. Right-click on "Startup" and click Properties. Startup Properties windows will open, click on "PowerShell Scripts" tab, then "Add" button. Another window will open; click on "Browse". Copy the Adobe Reader script using Ctrl + C, then paste it using Ctrl + V into the window that opened previously when we clicked Browse. Click on the script, then click on Open.
.PNG)
Return to Exec1. Open CMD and update the GPOs by typing gpupdate /force. When it is done, restart the computer.
.PNG)
After waiting a couple of minutes, Adobe Reader should be installed.
.PNG)
The script checks whether Adobe Reader is already installed by verifying the existence of its installation directory. If the folder is not found, it silently installs Adobe Reader using the .exe installer from a network share. This is why the specific installation path is defined in the script. If the script is to be used for another application, the installation path must be updated based on where that software is installed.
.PNG)