  1. #1


    GPO S/W deployment status..?

    Some thinking out loud following on from this thread. Any comments, especially thoughts on why anything will or won't work, is ridiculous or whatever are welcome. I spent a couple of hours earlier on a Quick Win[tm] which is a small, relatively quick app you run via a computer startup script:

    a) If there have been any changes since last time it trawls through the registry s/w uninstall keys and creates/overwrites a local file containing info for each app.
    b) If there have been any new MsiInstaller events since last time these are appended to another file. I still need to think about filtering these events.
    c) Creates a H/W inventory and then creates/overwrites a file if that inventory is different from last time.

    Any new/changed files are then copied to a network share obtained from a policy setting. Server-side I've made a simple GridView app to display info from the relevant s/w uninstall file that is launched from the ADUC computer context menu. Haven't done viewers for the others yet (I'm not that fond of GUI dev).

    ---

    So far so good, but I want to add in GPO s/w assignments for a given computer e.g. to easily see that package X was assigned but has installed or failed to install. OK, with enough effort I can trawl through a computer's AD path, find any enabled linked GPOs, figure out if they apply to the computer, find which of those have SI policy and figure out whether the computer has appropriate security permissions for any given package within an applicable GPO.

    GetEffectiveRightsFromAcl() will likely get used on any AD GPO/ Package object with non-inherited ACEs unless anyone knows it doesn't work or of an alternative in .net? Undecided, but I'm also contemplating just grabbing the list of applied GPOs (and critically their version numbers) from the registry as part of the client-side s/w uninstall key dumping - would save me working out which ones are relevant to a given computer and could be handy as a "GPO application or maybe Sysvol replication is stuffed" detector.

    ---
    One way or another the latter should be doable, but what I really want is to be able to R-click an OU to launch an app that displays S/W status for all the computers under that OU.

    The bit that's bothering me here is scalability - I'll be happy if it works well enough for hundreds (folk with thousands can go shop) and reading/processing hundreds of simple little files server-side isn't that big a deal. But efficiently sorting out the package assignments, that is checking lots of computers against AD GPO and individual package security permissions, could be a bit tough. Guess I'll have to round up (cache) info about all GPOs in AD that have SI policy, their permissions, packages and any package-specific permissions at the start of time - haven't thought any further.

    One thing I don't want to do is throw any services/agents at this - I definitely don't want anything running all the time client-side and yeah it would probably help somewhere, but I really don't want (yet another pesky) database running server-side.
    Last edited by PiqueABoo; 1st January 2009 at 10:26 PM.
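
The "GPO application or maybe Sysvol replication is stuffed" detector floated in the post above, sketched server-side as an added example (not code from the thread). It assumes each client uploads its applied GPOs as hypothetical `{GUID}=version` lines holding the raw 32-bit version number, and it compares only the computer half of that number, since a user-side edit should not mark a machine as stale.

```python
# Added example, not from the thread. The report format ("{GPO GUID}=version",
# one per line) and all names and sample values below are hypothetical.

def computer_version(version_number):
    """AD's versionNumber packs the user-side version in the high 16 bits
    and the computer-side version in the low 16 bits."""
    return version_number & 0xFFFF

def parse_report(text):
    """Parse a client's uploaded list of applied GPOs into {guid: raw version}."""
    applied = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        guid, sep, version = line.partition("=")
        if sep:  # skip malformed lines rather than abort the whole run
            applied[guid.strip().lower()] = int(version.strip(), 0)
    return applied

def check_clients(ad_versions, reports):
    """Return sorted (computer, guid, status) for every GPO that is out of step."""
    findings = []
    for computer, text in reports.items():
        for guid, raw in parse_report(text).items():
            if guid not in ad_versions:
                findings.append((computer, guid, "unknown-gpo"))
                continue
            client = computer_version(raw)
            server = computer_version(ad_versions[guid])
            if client < server:
                findings.append((computer, guid, "stale"))
            elif client > server:
                findings.append((computer, guid, "ahead-of-dc"))
    return sorted(findings)

# Constructed sample data.
GPO_A = "{aaaaaaaa-0000-0000-0000-000000000001}"
GPO_B = "{aaaaaaaa-0000-0000-0000-000000000002}"
GPO_X = "{aaaaaaaa-0000-0000-0000-0000000000ff}"
AD_VERSIONS = {GPO_A: 0x00030005, GPO_B: 0x00000002}
REPORTS = {
    "PC-01": f"{GPO_A}=0x00020005\n{GPO_B}=2\n",    # only user half differs: fine
    "PC-02": f"{GPO_A}=0x00030004\n{GPO_B}=2\n",    # computer half behind: stale
    "PC-03": f"{GPO_B}=3\n{GPO_X}=1\n",             # newer than DC, plus orphan GUID
}
```

An "ahead-of-dc" result means the client applied a newer copy than the domain controller queried for `ad_versions` holds, which points at replication lag rather than at the client.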

  2. #2

    SYNACK
    This sounds quite similar to this software: Software deployment & distribution - Specops Deploy

    Personally I would be looking at WMI to grab the software inventory and install status as it runs in the background anyway on workstations.

  3. #3

    Difference is I'm just looking at getting some reporting for native GPO deployment for free. SpecOps is a complete deployment system with background BITS xfers etc., costs money and there appears to be a show-stopping 2K8 GPME support hole.

    WMI with Win32_Product? I did look at that but unless I'm missing something I can quickly get all that plus more potentially useful info to play with from the registry e.g. hotfixes, EXE installs (most of which do make an uninstall sub-key) etc.

  4. #4

    SYNACK
    Yea, I was aware of the costs etc just pointing it out as a source of ideas and proof of concept as most of it is built on top of AD.

    The registry way will grab lots of information but does require the app to run against the registry, probably locally. With WMI you can run it either locally or triggered over the network at any time while the system is running. It also isolates the software from issues caused by different implementations in different systems (2k, XP, Vista).

    You can easily grab the hotfix information as well using WMI along with vast amounts of other information. I have a system that uses a WMI script on logon to populate a hardware inventory which works really well. Here are some resources that may be helpful:

    Hardware and software/hotfix inventory:
    CodeProject: WMI hardware/software enumeration script. Free source code and programming help

    RSoP group policy status:
    Group Policy Scripts
    RSoP WMI Classes (Windows)

    WMI Explorer to dig about and see what's available:
    WMI Explorer

    This bit of freeware also seems to implement some of the features that you are after so it could be a source of ideas:
    Group Policy Inventory 1.0.1361.27800

    The easiest way to get at GPO stuff would be to use the GPMC scripting stuff which should nicely wrap a lot of the tasks:
    Group Policy Management Console Scripting Samples (Windows)
    I don't think that the raw codebehind is encrypted so you should be able to see the actual methods used in the sample scripts.

    ADSI is probably the easiest way to access and manage the GPO links without GPMC installed:
    Get GPOs using LDAP

    I would be interested in seeing where you get to with this as this functionality would be very useful.

  5. #5

    but does require the app to run against the registry, probably locally
    Absolutely, but "locally" is a core requirement for me - this needs to work when at any given time a significant proportion of the domain's machines are stubbornly offline (laptops at home, machines that are not going to WOL in a month of Sundays or whatever). Computer start-up when connected to the domain is when SI status can change, so that's a good time to capture what has changed... assuming I can make that happen after any installs have finished.

    Manually triggered remote queries of machines can be useful and there's nothing much to stop me using say psexec or WMI to remotely kick off that local app to refresh the data for a machine, but if that's the only way to do it then I'd have to keep kicking scans off and would probably never get a full set of current SI data for the domain.

    Hardware and software/hotfix inventory:
    Cor.. that is verbose. I made something like that just for h/w once and also in JS, but settled for a lot less info. Kind of relieved to see it has the same network adapter issues as mine - it reckons I've got 39! I just reported the first two which works on clean boxes, but not here.. side-effect of cloning old laptop which had VPN, VMWare, MS vnet adapters etc.

    That script doesn't report the EXE installers (that show via add/remove). It did hotfixes much better than me, but that prompted me to figure out where WMI gets them from - underneath another regkey. Could be what I've used it for in the past, but for me WMI is synonymous with "slow" whereas dumping info from the registry has been fast.

    ADSI is probably the easiest way to access
    Agreed, although it will probably be dotNet and system.directoryservices which is essentially a wrapper for ADSI. Scripts can do pretty much anything in AD including get and set ACEs, but in practice they're not so fast and you can't multi-thread your way around time.

    Even with MT a second spent on 500 clients is much better than work at the server so the more I can get the client to tell me the better. Currently digging around in the appmgmt folder in %windir%\system32 and wondering if I'll ever find decent documentation on values such as "AppState" that appear under a package's GUID here:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt

    Don't know if all applicable package GUIDs turn up there and whether say that AppState would indicate a failure (or perhaps there's useful info about that in the corresponding Installer regkey). Will have to make some MSI destined to fail and observe.

    This is in the registry neighbourhood where you can get the computer's applied GPOs and version numbers etc. Looking around I *might* be able to get almost everything I want from there and only need to scratch AD at the server-side of this.

  6. #6

    SYNACK
    Sorry, wasn't suggesting that you used the scripts directly but rather looked at the methods and values used as most of these are easy enough to convert into a proper bit of software in a real language especially with .net.

    Whichever method you end up using it could be triggered at machine startup like the machine startup script.

    You are right about the WMI stuff only showing the MSI based stuff but if you were using this solely to check out the status of deployed packages this limitation does not really matter.


    As to AppState here is what I found:
    GPanswers.com :: View topic - Uninstall this application when it falls out of the scope...
    DWORD of 9 = normal (leave alone)
    DWORD of 11 = uninstall
    The other states appear to be listed here:
    LOCALMANAGEDAPPLICATION Structure (Windows)
    dwState

    Indicates the state of the installed application. This parameter can contain one or more of the following values.

    Value / Meaning

    LOCAL_STATE_ASSIGNED
    The application is installed in the assigned state.

    LOCAL_STATE_PUBLISHED
    The application is installed in the published state.

    LOCAL_STATE_UNINSTALL_UNMANAGED
    The installation of this application uninstalled an unmanaged application with a conflicting transform.

    LOCAL_STATE_POLICYREMOVE_ORPHAN
    If the policy from which this application originates is removed, the application is left on the computer.

    LOCAL_STATE_POLICYREMOVE_UNINSTALL
    If the policy from which this application originates is removed, the application is uninstalled from the computer.
    but the integer values that go with the constants are locked away somewhere in the Appmgmt.h header file from the Windows SDK.
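
Decoding AppState as a bit field, as an added example that is not from the thread or from Microsoft's documentation. The flag names are the ones quoted in the post above; the bit values are an assumption taken from the Windows SDK's AppMgmt.h and should be checked against your copy of the header, and treating the registry AppState DWORD as that same dwState field is a second assumption. The input is a constructed sample in the layout `reg query ... /s` prints, where DWORDs appear in hexadecimal.

```python
import re

# Added example, not from the thread. Flag names are those quoted in the post;
# the bit values are an assumption (check AppMgmt.h), as is reading the
# registry AppState DWORD as this same bit field.
FLAGS = {
    0x01: "LOCAL_STATE_ASSIGNED",
    0x02: "LOCAL_STATE_PUBLISHED",
    0x04: "LOCAL_STATE_UNINSTALL_UNMANAGED",
    0x08: "LOCAL_STATE_POLICYREMOVE_ORPHAN",
    0x10: "LOCAL_STATE_POLICYREMOVE_UNINSTALL",
}
KEY_RE = re.compile(r"\\AppMgmt\\(\{[0-9A-Fa-f-]{36}\})\s*$")
VAL_RE = re.compile(r"^\s+AppState\s+REG_DWORD\s+0x([0-9A-Fa-f]+)\s*$")

def decode_app_state(value):
    """Split a DWORD into known flag names and any bits left undecoded."""
    names = [name for bit, name in sorted(FLAGS.items()) if value & bit]
    return names, value & ~sum(FLAGS)

def parse_reg_query(text):
    """Map package GUID -> decoded AppState from `reg query ... /s` output."""
    decoded, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.search(line)
        if key:
            current = key.group(1).lower()
        elif current and (val := VAL_RE.match(line)):
            decoded[current] = decode_app_state(int(val.group(1), 16))
    return decoded

def removal_behaviour(names):
    """What happens to the package when its GPO falls out of scope."""
    if "LOCAL_STATE_POLICYREMOVE_UNINSTALL" in names:
        return "uninstall"
    if "LOCAL_STATE_POLICYREMOVE_ORPHAN" in names:
        return "leave installed"
    return "unspecified"

# Constructed sample in the layout `reg query` prints (GUIDs are made up).
ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt"
SAMPLE = "\n".join([
    ROOT + r"\{bbbbbbbb-0000-0000-0000-000000000001}",
    "    AppState    REG_DWORD    0x9",
    ROOT + r"\{bbbbbbbb-0000-0000-0000-000000000002}",
    "    AppState    REG_DWORD    0x11",
    ROOT + r"\{bbbbbbbb-0000-0000-0000-000000000003}",
    "    AppState    REG_DWORD    0x1049",
])
```

Any non-zero second element in a decoded pair marks bits this table does not cover, which is the cue to record the raw value and observe the package rather than trust the decoded names.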
