Group Policy

Step-by-step guide to install Configuration Manager 2012 SP1 R2

~ Vitalie Ciobanu

Steps to perform on primary domain controller (DC)

Extend AD schema

  1. Log in using a domain admin account
  2. Insert ConfigMgr 2012 SP1 DVD
  3. Open a command prompt window
  4. Type D:\SMSSETUP\BIN\X64\EXTADSCH.EXE and press Enter. Wait for a confirmation message in CMD window and then check for the existence of ExtADSch.log file in the root of C: partition on the DC. Open the file and see if “Successfully extended the Active Directory schema.” message is present.

Assign permission to System OU in AD

  1. Open Active Directory Users and Computers
  2. From the View menu select Advanced Features
  3. Right click on the System container and select Properties
  4. Go to Security tab and click Advanced
  5. Click Add in the Permission tab
  6. Select Object Types and check the box for Computers. Click OK
  7. In the Enter the object name to select field enter the name of the ConfigMgr server and click Check Names
  8. After the server name is recognized, click Ok
  9. In the Permission Entry for System window check the box for Full control and select This object and all descendant objects in the Apply to list box. Click OK three times to close all open windows

Create service accounts

  1. Open ADUC and create the following 3 service accounts (select complex password for each account):
    1. SQL Server Service Accountsqlsrvacct
    2. ConfigMgr Client Push Service Accountcfgmgrclpush
    3. ConfigMgr Network Access Service Accountcfgmgrnetacct
  2. Make cfgmgrclpush account member of Domain Admins group or Workstation Admins group if this exists.

Create GPO to add security groups to local Administrators group on servers and workstations

  1. Server local admins
  2. Workstation local admins

Steps to perform on Configuration Manager server

Install Report Viewer 2008 SP1 Redistributable

  1. Login with a domain admin account, preferably not Administrator.
  2. Download and install Report Viewer 2008 SP1 Redistributable from http://www.microsoft.com/downloads/en/details.aspx?familyid=BB196D5D-76C2-4A0E-9458-267D22B6AAC6&displaylang=en

Add Server Features

  1. Open Server Manager and add the following features:
    1. NET Framework 3.5.1 Features, BITS, Group Policy Management and Remote Differential Compression
    2. From Web Server (IIS) select WebDAV Publishing, ASP.NET, ASP, Windows Authentication, Dynamic Content Compression and IIS 6 WMI Compatibility

Configure WebDAV

  1. Open Internet Information Services (IIS) Manager
  2. Expand server name and select Default Web Site
  3. Double click on the WebDAV Authoring Rules and select Enable WebDAV from the right side panel
  4. From the right side, click Add Authoring Rule
  5. In the Add Authoring Rule window select the checkboxes for: All Content, All Users, Read and click OK
  6. From the right side, click WebDAV Settings
  7. Modify the following components as follows and click Apply when finished:
    1. Allow anonymous property queries – True
    2. Allow custom properties – False
    3. Allow property queries with infinite depth – True
    4. Allow hidden files to be listed – True

Add SQL Server ports exceptions

  1. Open Windows Firewall with Advanced Security
  2. Right click Inbound Rules and select New rule
  3. In the New Inbound Rule Wizard window make the following modifications:
    1. Rule Type – Port
    2. Protocol and Ports – TCP, Specific local ports: 1433
    3. Action – Allow the connection
    4. Profile – no modification
    5. Name – SQL TCP 1433
  4. Repeat step 3 to add another inbound rule with the following settings:
    1. Rule Type – Port
    2. Protocol and Ports – TCP, Specific local ports: 4022
    3. Action – Allow the connection
    4. Profile – no modification
    5. Name – SQL TCP 4022

Install SQL Server 2012 SP1

  1. Insert SQL Server 2012 SP1 DVD
  2. Select New SQL Server stand-alone installation
  3. Select features: Database Engine Services, Reporting Services – Native, Client Tools Connectivity, Management Tools, Integration Services (optional)
  4. Select default instance
  5. Add sqlsrvacct domain account to the local Administrators group on the ConfigMgr server
  6. Use the SQL service account for all SQL Server services
  7. Set SQL Server Browser to Automatic
  8. Add current user as the SQL Administrator (preferably not domain Administrator account)
  9. After installation, open Management Studio and configure maximum memory allocation.

Install Windows Deployment Services

  1. Open Server Manager and install the Windows Deployment Services role using the default settings

Install Windows Server Update Services

  1. Open Server Manager and select the Windows Server Update Services role. Click Next twice and then Install
  2. Install WSUS using the following settings:
    1. Select Update Source – select a disk with more disk space
    2. Database options – Use an existing database server on this computer
    3. Web Site Selection – Create a Windows Server Update Services 3.0 SP2 Web Site (http://servername:8530)
  3. When installation is finished, close the wizard by pressing Cancel button
  4. Create a Group Policy Object for windows update settings.
  5. If you have Windows Server 2008 R2, install KB2720211
  6. If you have Windows Server 2008 R2, install KB2734608

Install Windows Assessment and Deployment Kit (ADK) for Windows 8.1

  1. Download Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1 from Microsoft website http://www.microsoft.com/en-us/download/details.aspx?id=39982
  2. Select to install only the following:
    1. Deployment Tools
    2. Windows PE
    3. USMT

Install Configuration Manager 2012 SP1

  1. Insert Configuration Manager 2012 SP1 DVD
  2. Click Install link Configuration Manager 2012 SP1 Setup Wizard window.
  3. Install ConfigMgr and make only the following modifications:
    1. Available Setup Options – Install a Configuration Manager site server
    2. Updated Prerequisite Components – Check for updates and download…
    3. Site and Installation Settings – enter a Site code and Site name

Install Configuration Manager 2012 R2

  1. Insert Configuration Manager 2012 R2 CD
  2. Click Configuration Manager 2012 R2 link from the Install section
  3. Install the R2 add-on accepting the default settings in the wizard

Configure Configuration Manager as needed

Deploy Configuration Manager 2012 R2 hotfix to Clients using your preferred method and settings.

Using Group Policy to deploy Office 2007

~ Vitalie Ciobanu

Last week I tested how Office 2007 installs via Group Policy.

I created a software installation package and it worked successful; except the fact that it is not fully installed when a user logs on and that it will not upgrade (or remove) the existing version of Office even if I added the Office 2003 package that should be upgraded. After the Office 2007 installs, the users will have both version of Office – 2007 and 2003.

This is because Microsoft changed a little the way Office 2007 installs; and here they explain why they did this. Bellow are some considerations from that article:

  • Difficulties with scheduling installation, consistently managing network bandwidth, and providing feedback on the status of the installation.
  • Limited ability to customize features or user settings before installation of the 2007 Office system. You cannot use Office Customization Tool to create an .msp file. All customizations have to be made in the Config.xml file.

So, the best way to install Office 2007 in a medium organization is to use System Center Essentials or Configuration Manager in a large organization. Using these tools you can know exactly what features to install, when to install and how to install or upgrade Office 2007 suite.

Group Policy – User Configuration Logon script

~ Vitalie Ciobanu

Something I have learned the other day…

I had to install a small .msi using Group Policy, using a logon script. As it was a small package and not very important, I used a User Configuration Logon script.I created and linked a new GPO to a specific OU with some users (with no admin privileges) and client computers only. The script run well and the package installed very quickly on all machines in that OU.

The problem was that I have another OU with member servers and at the moment I logged on to one server using a normal user account, I had the package installed right after first logon. This is because I configured User Configuration logon script instead of Computer Configuration startup script.

What I’ve learned? That I should plan more careful even the installation of a small package.