Granting Program Installation Rights with GPO

(@Anonim)
Posts: 0
Topic starter

Hello,

We want to use Group Policy to give the users in our domain permission to install programs. All of the users are members of the Domain Users group.

Many of their rights are restricted by GPOs (for example, they cannot change the system time or install programs).

What we want to do is grant only the permission to install programs through Group Policy, without changing the group that the domain users are members of (this is how it has been requested).

Their local admin rights have also been taken away.

I searched the Internet but could not find anything concrete.

Does anyone have any ideas?

Posted: 30/06/2008 22:53

(@fatihkaraalioglu)
Posts: 3039
Illustrious Member

Hello,

Having taken all rights away from the users, I would advise against going to the trouble of giving some of them back. Microsoft has already created the Software Installation policy for this purpose. You can install your MSI files or, by means of a third-party program, EXE files and similar executable programs.

The article below describes deploying Office 2007 with GPO by using the Software Installation policy. I think it will help to give you an idea.


Use Group Policy Software Installation to deploy the 2007 Office system



If you use Active Directory in your organization, you can use Group Policy Software Installation with the 2007 Microsoft Office system to assign products to all computers in a group.


Overview of Group Policy Software Installation



Group Policy Software Installation is an extension of the Group Policy Object Editor Microsoft Management Console (MMC) snap-in that administrators can use to manage software. Administrators can assign applications to users or computers, or publish applications for users.


Administrators can assign software on a per-user or per-computer basis when an organization does not want to give users the choice to install or remove the software. For example, if a user removes a user-assigned application by using Add or Remove Programs in Control Panel, the Group Policy Software installation extension automatically reapplies the advertisement information after the user logs on or the computer restarts. The software is reinstalled the next time a user selects it or tries to open a file with an associated file name extension. It is not possible for a user to delete a computer-assigned application. In most cases, packages that are assigned to users or computers include applications that are essential, but that do not create network congestion between clients and the software distribution points.


Group Policy-based software deployment also enables administrators to publish software for users only. When this method is used, users can install the software from a list of published applications in Add or Remove Programs in Control Panel.


Deploying 2007 Office with Group Policy Software Installation



You can use the Software Installation extension of Group Policy to deploy the 2007 Office system to computers if the following conditions exist:




  • Small organizations that have already deployed and configured Active Directory



  • Organizations or departments that comprise a single geographic area



  • Organizations with consistent hardware and software configurations on both clients and servers


For more information about Group Policy Software Installation, see Group Policy Software Installation and Group Policy Software Installation Extension Technical Reference on the Microsoft TechNet Web site.


Deployment considerations



Although administrators can use Group Policy Software Installation to deploy the 2007 Office system to computers in small organizations, there are limitations to using this approach. It is important to carefully consider these issues as you determine the deployment method that best meets your deployment requirements. These limitations include:




  • Difficulties with scheduling installation, consistently managing network bandwidth, and providing feedback on the status of the installation. If your organization needs to provide these capabilities, consider using Microsoft Systems Management Server 2003 R2. For more information, see Deploying the 2007 Microsoft Office System with Microsoft Systems Management Server 2003 R2.



  • Limited scalability. Some difficulties might occur during Group Policy Software Installation deployment of 2007 Office suites to more than 200 computers simultaneously; this depends largely on network bandwidth availability.



  • Limited ability to customize features or user settings before installation of the 2007 Office system. Administrators cannot use a Setup customization file (.MSP) created with the Office Customization Tool (OCT) to apply customizations for initial deployment. These customizations must be made in the Config.xml file.








    Note

    Not all of the customization provided in an .MSP file can be provided with a Config.xml file. Administrators may use a script to apply an .MSP file after initial deployment. Since the installation source cannot be modified, nor can an .MSP file be deployed, administrators must use an alternate method to update the clients for the 2007 Office system service packs or other updates. One possible approach is to use Microsoft Windows Server Update Services 3.0 (WSUS 3.0) for updates.


    For information about WSUS, see Microsoft Windows Server Update Services 3.0 Overview and Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services 3.0 on the Microsoft TechNet Web site.



  • Group Policy Software Installation can only be used for per-computer installations for the 2007 Office system.



  • Challenging to maintain, because updates must be applied to all client computers. This can be done by using a logon script or other delivery method. It is not possible to use the Updates folder to apply security updates or service packs for initial deployment of the Group Policy object (GPO).








Important

If you manage large numbers of clients in a complex or rapidly changing environment, Microsoft Systems Management Server is the recommended method for installing and maintaining the 2007 Office system in medium- and large-sized organizations. Microsoft Systems Management Server offers more sophisticated functionality, including inventory, scheduling, and reporting features. For information about using Microsoft Systems Management Server to deploy the 2007 Office system, see Using Systems Management Server 2003 to deploy the 2007 Office system.


As an alternative to using Group Policy Software Installation, administrators can also use Group Policy to assign computer startup scripts to deploy the 2007 Office system. For more information, see Use Group Policy to assign computer startup scripts for 2007 Office deployment.


In this topic


Using Group Policy Software Installation


Deploying new installations of Office


Upgrading previous versions of Office


How it works


Applying customizations to the Office installation


Modifying the Config.xml File OptionState element


Using Group Policy Software Installation



The following procedures use the Group Policy Object Editor MMC snap-in from the Group Policy Management Console to edit the GPO. The procedures assume you have already installed GPMC. You can download GPMC from the Microsoft Download Center site. See Download Group Policy Management Console (GPMC) for more information. If you are using Windows Vista, GPMC is integrated into the operating system.


For more information and procedures for using these tools, see the Group Policy Management Tools and Using Group Policy Management Console and Group Policy Object Editor sections in Enforce settings by using Group Policy in the 2007 Office system.








Note

The following procedures assume that you previously created a network installation point for the 2007 Office system on a network server. For more information, see Create a network installation point for the 2007 Office system. Ensure that the user permissions to the network installation point folder that contains the 2007 Office system source files and any customized files are as follows: Read, Read & Execute, and List Folder Contents.


To complete the following procedures, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or the Group Policy Creator Owners security group. To use Group Policy Software Installation, you must create a new GPO or edit an existing GPO for a site, domain, or organizational unit. You must then link the GPO to the site, domain, or organizational unit to which you want to deploy the 2007 Office system.


You must fully test this deployment method in a test and staging environment before you deploy applications to computers in your production environment. For more information, see Staging Group Policy Deployments in the Designing a Managed Environment book of the Windows Server 2003 Deployment Kit on the Microsoft TechNet Web site.


Deploying new installations of Office



If this is a new installation of the 2007 Office system, you can deploy Office by assigning it to computers within a GPO that is associated with a particular Active Directory container such as a domain or organizational unit. Computer-assigned applications are installed the next time the computer restarts.


To deploy Office using Group Policy-based Software Installation





  1. Open Group Policy Management console. Click Start, click Control Panel, click Administrative Tools, and then click Group Policy Management.



  2. In the console tree, double-click Group Policy Objects in the forest and domain that contain the GPO that you want to edit. This is located in Forest name, Domains, Domain name, Group Policy Objects.



  3. Right-click the GPO you want to modify and click Edit. This opens Group Policy Object Editor.



  4. In the left pane in Group Policy Object Editor, expand the Computer Configuration tree.



  5. In the left pane, expand Software Settings and select Software Installation.



  6. Right-click in the right pane, point to New and click Package.



  7. In the Open dialog box, browse to the network installation point you created and select the Windows Installer (MSI) file in the main product folder of the Office product that you are installing. For example, for Microsoft Office Enterprise 2007, select Enterprise.WW\EnterpriseWW.msi.



  8. Click Open.



  9. Select Assigned to use the default options, or select Advanced to customize these options.



  10. Close all dialog boxes.








    Note

    If you are deploying 2007 Office in languages other than U.S. English, you should also deploy the ShellUI.MST transform file. Transforms (.mst files) are customizations that are applied to Windows Installer packages (.msi files) at the time of application assignment or publication, not at the time of installation. The following procedure explains how to add the transform to application packages. With the exception of the ShellUI.MST file, transforms are not supported in Office 2007. For information about Office Setup, see What's new in Setup in deployment architecture.


To add modification to application packages





  1. Open Group Policy Software Installation.



  2. In the console tree, right-click Software installation, point to New, and then click Package.



  3. In the Open dialog box, click the Windows Installer package, and then click Open.



  4. In the Deploy Software dialog box, click Advanced, and then click OK.



  5. In the properties dialog box for the package, click the Modifications tab.



  6. To add modifications, click Add. In the Open dialog box, browse to the transform file (.mst), and then click Open.



  7. Click OK.








    Note

    When you click OK, the package is assigned or published immediately. For more information about using Group Policy Software Installation, see Group Policy Software Installation on the Microsoft TechNet Web site.


Upgrading previous versions of Office



If you deployed a previous version of Office by assigning it to computers using Group Policy-based Software Installation, you can upgrade those installations by editing the associated GPO.








Note

The following procedure assumes that you deployed the previous version of Office by using Group Policy Software Installation to assign Office to computers. If you deployed Office by assigning or publishing the application to users, or if you used a deployment method other than Group Policy, the existing version of Office will not be upgraded if you use this procedure. Instead, the previous version of Office remains on the computer when the 2007 Office system is installed. To remove the previous version of Office you must uninstall Office.


To upgrade Office using Group Policy-based Software Installation





  1. Open Group Policy Management console. Click Start, click Control Panel, click Administrative Tools, and click Group Policy Management.



  2. In the console tree, double-click Group Policy Objects in the forest and domain that contain the GPO that you want to edit. This is located in Forest name, Domains, Domain name, Group Policy Objects.



  3. Right-click the GPO you want to modify and click Edit. This opens Group Policy Object Editor.



  4. In the left pane of Group Policy Object Editor, expand the Computer Configuration tree.



  5. In the left pane, expand Software Settings and select Software Installation.



  6. Right-click in the right pane, point to New and click Package.



  7. In the Open dialog box, browse to the network installation point you created and select the Windows Installer (MSI) file in the main product folder of the Office product that you are installing. For example, for Microsoft Office Enterprise 2007, select Enterprise.WW\EnterpriseWW.msi.



  8. Click OK.



  9. Select Assigned to use the default options, or select Advanced to customize these options. The Published option is disabled because you cannot publish Office to a user.



  10. In the details pane, right-click the Windows Installer package that will function as the upgrade (not the package to be upgraded).



  11. Click Properties and click the Upgrades tab.



  12. Click Add to create or add to the list of packages that are to be upgraded by the current package.



  13. Under Choose a package from, click Current Group Policy object (GPO) or A specific GPO as the source of the package to be upgraded. If you click A specific GPO, click Browse, and click the GPO that you want to use.



  14. Click the package for the previous version of Office that you want to upgrade.



  15. Click Uninstall the existing package, then install the upgrade package.



  16. Close all dialog boxes.


How it works



The 2007 Office system consists of a number of MSI files. None of the files by itself represents the complete installation. However, you assign the 2007 Office system by assigning only the main product MSI file. The next time the computer starts, this MSI file is accessed and a Windows Installer Custom Action recognizes that Office is deploying with Group Policy. The additional Office MSI and support files are then retrieved from the network installation point and the complete product is installed.


If a previous version of Office is being upgraded, that version of Office is uninstalled before the new installation of the 2007 Office system starts.


Applications assigned to a computer are resilient. If an administrator removes an Office application from the computer, Windows reinstalls the application the next time the computer starts. Users can repair Office applications on the computer, but only an administrator can remove applications.


Applying customizations to the Office installation



Because of the way Setup runs when Office is installed, there are some limitations on the number of installation options that you can customize when you deploy the 2007 Office system with Group Policy-based Software Installation. The following limitations apply:




  • All customizations must be made in the Config.xml file. Setup does not apply Setup customization files that you create using the OCT. For more information about using the Config.xml file, see Config.xml file in the 2007 Office system.



  • The customized Config.xml file must be located in the main product folder of the product you are installing. Because you cannot specify command-line options for Setup when you assign Office, you cannot specify an alternate location for the Config.xml file. For example, if you are installing Office Enterprise 2007, you customize the Enterprise.WW\config.xml file.



  • You can customize only the Config.xml elements shown in the following table. These options are set when Office is assigned, and they cannot be modified later when Office is fully installed. All other elements in the Config.xml file are ignored.




















| Option | Config.xml element |
| --- | --- |
| Installation location | INSTALLLOCATION |
| Feature installation states | OptionState |
| Product key | PIDKEY |
| Add or remove a language | AddLanguage, RemoveLanguage |


Modifying the Config.xml file OptionState element



The OptionState element of the Config.xml file specifies how individual product features are handled during installation. Administrators can modify the Config.xml file by configuring attributes for the OptionState element. Administrators can specify the following behaviors:




  • The feature or sub-feature is not installed.



  • The feature or sub-feature is installed the first time it is used by the user.



  • The feature or sub-feature returns to its default installation state.



  • The feature or sub-feature is installed locally on the user's computer.



  • Sub-features of the feature are set to the specified state.


OptionState Syntax



The OptionState element uses the following syntax. The attribute and element names are case sensitive.


<OptionState Id="optionID" State="Absent" | "Advertise" | "Default" | "Local" [Children="force"]/>


where:


optionId is the identifier for a feature or sub-feature to install.


Absent specifies that the feature or sub-feature is not installed.


Advertise specifies to install the feature or sub-feature on first use.


Default returns the feature or sub-feature to its default state. This is the default setting.


Local installs the feature or sub-feature on the user's computer.


Force sets all features or sub-features to their specified states.


OptionState Id Values



The value for the Id attribute of the OptionState element is located in the Setup.xml file in the product folder of the product you are installing. For example, if you are installing Office Enterprise 2007, the file is Enterprise.WW\setup.xml. For a list of OptionState Id Values, see Config.xml file OptionState Id values.








Tip

If you set the installation state of an application in Office to "Absent", the shortcut for that application is not created on the user's computer when Office is assigned. For example, the following element definition in Config.xml prevents the shortcut for Microsoft Office Word 2007 from being created and Word is not installed on the user's computer:



<OptionState Id="WORDFiles" State="Absent" />

To modify the OptionState element in Config.xml





  1. Open the Config.xml file in a text editor tool, such as Notepad.



  2. Locate the line that contains the OptionState element, as shown in the following example:


    <!-- <OptionState Id="OptionID" State="absent" Children="force" /> -->



  3. Modify the OptionState element entry with the options you want to use. For example, use the following syntax if you do not want Microsoft Publisher to be installed:


    <OptionState Id="PubPrimary" State="absent" />



  4. Repeat the preceding step to specify OptionState options for other features and sub-features you want to modify.



  5. Save the Config.xml file in the same folder that contained this file before you edited it.


For more information about the OptionState element of the Config.xml file, see the OptionState element in Config.xml file in the 2007 Office system.




 
Posted: 30/06/2008 23:10
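
An added example (not part of the quoted Microsoft article or of the post above): a PowerShell check of a Config.xml against the limits the article lists for Group Policy Software Installation, namely the five honored elements, the OptionState State values and the case-sensitive names. The sample document (including its `Configuration` root, `Display` element and `Value` attribute) and the function name `Test-GpoConfigXml` are constructed for illustration.

```powershell
# Added example, not from the quoted article. Checks a Config.xml against the
# limits the article lists for Group Policy Software Installation.
# The sample document and the function name Test-GpoConfigXml are constructed.

$sampleConfig = @'
<Configuration Product="Enterprise">
  <Display Level="none" CompletionNotice="no" />
  <INSTALLLOCATION Value="%programfiles%\Microsoft Office" />
  <OptionState Id="PubPrimary" State="absent" Children="force" />
  <OptionState Id="WORDFiles" State="Removed" />
  <OptionState Id="ACCESSFiles" state="absent" />
  <optionstate Id="XLFiles" State="Local" />
</Configuration>
'@

function Test-GpoConfigXml {
    param([Parameter(Mandatory = $true)][string]$XmlText)

    # Elements the article says are honored when Office is assigned through a GPO.
    $honored = 'INSTALLLOCATION', 'OptionState', 'PIDKEY', 'AddLanguage', 'RemoveLanguage'
    # State values from the OptionState syntax in the article.
    $states = 'Absent', 'Advertise', 'Default', 'Local'

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)

    foreach ($node in $doc.DocumentElement.ChildNodes) {
        # Skip comments such as the commented-out OptionState template line.
        if ($node.NodeType -ne [System.Xml.XmlNodeType]::Element) { continue }

        # get_LocalName() bypasses PowerShell's XML adapter, which would return
        # an attribute called "Name" instead of the element name.
        $name = $node.get_LocalName()
        $findings = @()

        if ($honored -cnotcontains $name) {
            if ($honored -contains $name) {
                $findings += 'element name has the wrong case (names are case sensitive)'
            } else {
                $findings += 'element is ignored in a GPO deployment'
            }
        } elseif ($name -ceq 'OptionState') {
            if (-not $node.HasAttribute('Id')) {
                $findings += 'OptionState has no Id attribute'
            }
            if (-not $node.HasAttribute('State')) {
                # HasAttribute is case sensitive, so state="..." lands here.
                $findings += 'OptionState has no State attribute (names are case sensitive)'
            } else {
                # Values are compared case-insensitively because the article's
                # own examples use both "Absent" and "absent".
                $state = $node.GetAttribute('State')
                if ($states -notcontains $state) {
                    $findings += "State '$state' is not one of: $($states -join ', ')"
                }
            }
            if ($node.HasAttribute('Children') -and
                $node.GetAttribute('Children') -ne 'force') {
                $findings += 'Children accepts only the value force'
            }
        }

        foreach ($finding in $findings) {
            [pscustomobject]@{
                Element = $name
                Id      = $node.GetAttribute('Id')
                Finding = $finding
            }
        }
    }
}

Test-GpoConfigXml -XmlText $sampleConfig | Format-Table -AutoSize
```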

(@Anonim)
Posts: 0
Topic starter

Mr. Fatih, first of all thank you for your answer.

I am trying to manage the system in a military environment. However, some things are decided not by me but by the people I answer to.

Of course I would also like to apply the article you sent, but unfortunately I am not the one who can decide this.

This is not about deploying a single program; the users need to be able to install and remove programs continuously.

Thanks again for your interest.

Posted: 30/06/2008 23:16

(@Anonim)
Posts: 0
Topic starter

I would be glad if anyone with knowledge or experience could reply...

Posted: 02/07/2008 19:38

(@serhatakinci)
Posts: 4117
Famed Member

Hello.

There is one point that the people who made this decision need to know.

Installing a program covers operations that require privileges, such as:

- placing the DLL files the program needs to run in c:\windows\system32 or the relevant directory, and registering them

- placing the system files under Program Files or the relevant directory

- creating the necessary keys in the registry

(there may be exceptions). A user needs privileges to perform operations of this kind, but there is no such privilege definition in GPO. This is by design and has to stay that way.

To install programs under a user account:

Run As or software deployment with GPO is used. Or, as the lowest privilege level, the local "Power Users" group is used.

There is no such word as "impossible" in the military, but unfortunately this is how things are 🙂

Posted: 02/07/2008 20:14

(@cemengin)
Posts: 923
Noble Member

Mate, I don't know how many clients there are, but if you make the clients local admin the problem goes away; after that you can apply whatever restrictions you like.

Posted: 02/07/2008 20:26

(@ismailcelikbas)
Posts: 316
Reputable Member

This kind of situation should not occur at OBİ, wherever it came from; local admin is not an option, I think.

Posted: 02/07/2008 20:35

(@Anonim)
Posts: 0

I think what your commanders want is something like 'let the user run, but without working legs'. Of course we have often heard the saying "there is no logic in the military", but there is a technical matter here; I think you need to explain this nicely and try to solve the issue in a different way.

You can add the domain users to the Power Users group, but even with Power Users you cannot install every kind of program; it falls short.

Posted: 03/07/2008 12:31

(@Anonim)
Posts: 0
Topic starter

Thank you for your interest...

I finished defining the permissions with GPOs and applied the definition to the domain users.

Within the permissions I defined, they can install and remove programs.

Friends, it is possible to define permissions with GPOs for the group a user belongs to, without changing that group.

On many forums they said you cannot do this, but I did it and it worked properly.

For your information.

Posted: 04/07/2008 14:28

(@serhatakinci)
Posts: 4117
Famed Member

In that case we are very curious how it was done. Would you share it with us too?

Posted: 04/07/2008 14:40

(@Anonim)
Posts: 0
Topic starter

There are quite a lot of keys; I will turn them into text and share them here.

Posted: 05/07/2008 12:42

(@serhatakinci)
Posts: 4117
Famed Member

OK, we are waiting.

Posted: 06/07/2008 02:12

(@cozumpark)
Posts: 16307
Illustrious Member Administrator

Now I am very curious too.

Posted: 06/07/2008 15:38

(@huseyinertugrul)
Posts: 1112
Noble Member

I am curious too :)

Posted: 07/07/2008 16:22

(@BtExpert)
Posts: 114
Estimable Member

If the friend who did it publishes it, I want to do the same 🙂

Posted: 10/07/2008 18:47

(@DenizVerman)
Posts: 1289
Noble Member

Dear mula, you were going to send it to us; what happened, I wonder...

Posted: 21/07/2008 20:38

(@adilaltun)
Posts: 116
Estimable Member

I really am curious too; it could be useful. I am waiting impatiently.

Posted: 21/07/2008 20:51

(@muratgok)
Posts: 220
Reputable Member

Friends, this is an old topic, but there has been no development on it. Does anyone have information on how this is done?

Thanks.

Posted: 10/10/2008 14:00

(@serhatakinci)
Posts: 4117
Famed Member

It can be done by granting the necessary permissions on the folders used for installation, on the system directories and on the registry keys. However, unfortunately not every program installs in the same way.

For example, you can monitor the installation of program ABC with tools such as filemon and regmon, find the points where it requires privileges, grant permissions on those locations for another user, and then carry out the installation.

But when we want to install program BCD a week later, all of these steps will have to be done again from scratch. In addition, the privileges that some programs need in order to install or run are not privileges that can be granted by the user. They belong to the Administrators or Power Users groups, and this is by design.

Posted: 10/10/2008 15:48
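
An added example (not part of the thread): the approach in the post above works by granting permissions on installation folders, system directories and registry keys, so this PowerShell script lists every "allow" entry that gives a broad, non-administrative group write access on such locations. The target paths and the function name `Get-BroadWriteAce` are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Lists "allow" ACEs that give broad,
# non-administrative groups write access to locations an installer touches.
# The target list and the helper name Get-BroadWriteAce are assumptions.

$targets = @(
    $env:ProgramFiles,
    (Join-Path $env:SystemRoot 'System32'),
    'HKLM:\SOFTWARE'
)

# Well-known SIDs, so the check does not depend on localized group names.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$domainUsers = '^S-1-5-21-\d+-\d+-\d+-513$'   # RID 513 = Domain Users

# Access-mask bits that allow changing content or permissions:
# 0x2 / 0x4   write data, append (files); set value, create subkey (registry)
# 0x40        delete child (files)
# 0x10000     DELETE        0x40000  WRITE_DAC      0x80000  WRITE_OWNER
# 0x40000000  GENERIC_WRITE 0x10000000 GENERIC_ALL
$writeMask = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor
             0x80000 -bor 0x40000000 -bor 0x10000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($p in $Path) {
        try {
            $acl = Get-Acl -Path $p -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL of ${p}: $($_.Exception.Message)"
            continue
        }

        # Explicit and inherited rules, with identities returned as SIDs.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }

            $sid = $ace.IdentityReference.Value
            $who = $broadSids[$sid]
            if (-not $who -and $sid -match $domainUsers) { $who = 'Domain Users' }
            if (-not $who) { continue }

            # File system and registry rules expose their rights differently.
            if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
                $rights = $ace.FileSystemRights
            } else {
                $rights = $ace.RegistryRights
            }
            if (([int]$rights -band $writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $p
                Group     = $who
                Sid       = $sid
                Rights    = $rights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-BroadWriteAce -Path $targets | Format-Table -AutoSize
```

An empty result means none of the listed groups holds write access on the checked locations themselves; child folders and subkeys with their own explicit entries have to be added to `$targets` to be covered.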
