I'm looking for a way to deploy an MSI to a group of computers (contained within a single OU in AD) via Group Policy programmatically.

Assumptions:

  1. The network share which will contain the MSIs is created and has proper permissions
  2. The MSIs are copied to the share by hand prior to execution of the code
  3. The OU containing the target computers already exists

Is there a way to create the GPO and associated GP link programmatically?

Any language will do. C#, PowerShell, C++, etc.

Mike Marshall
  • Why? Group policy has software installation policies that work perfectly well to deploy MSI files with a couple of clicks. – Appleoddity Jan 19 '18 at 03:23
  • It's part of a larger software validation/deployment workflow that we're trying to automate as many parts of as possible. I realize the manual steps are not onerous, but we're seeking a way to automate to create a more efficient, repeatable process. – Mike Marshall Jan 19 '18 at 16:35
  • What is the preferred triggering event for this software installation? Will the filename/path change for the msi? Out of curiosity, what is gained by using a GPO versus running a script that targets an OU? – sippybear Jan 24 '18 at 03:05
  • It sounds like you are trying to rewrite PDQDeploy. It would save you some time just to buy that solution instead of making all the mistakes they did over the last decade: https://www.pdq.com/pdq-deploy/ – HackSlash Jan 26 '18 at 17:24
  • @Appleoddity is spot on with the right answer to the question you asked. GPOs in AD already include the ability to deploy an MSI (and it properly handles updates). If that solution doesn't work for you, then I feel like there are additional requirements that you have accidentally forgotten to tell us about. If you let us know about those extra limitations or requirements, then you might get some higher quality answers that meet your actual needs. – Ruscal Jan 30 '18 at 20:04
  • For reference, here are MS instructions for what @Appleoddity and I are talking about: https://support.microsoft.com/en-us/help/816102/how-to-use-group-policy-to-remotely-install-software-in-windows-server – Ruscal Jan 30 '18 at 20:05
  • I do understand that the steps required via the policy management UIs are not terribly difficult. But again, my question is: Is there any way to automate this via code? I haven't left out any details. This is a part of a larger deployment process we're refining and we'd love for this step to be automated. – Mike Marshall Jan 30 '18 at 20:17
  • My apologies, I misread your statement of "programmatically create GPO" as "programmatically recreate functions already existing in GPO". See answer proposal. – Ruscal Jan 30 '18 at 22:56

1 Answer

If you are looking to programmatically work with GP objects, then you will want to look at Microsoft's IGPMGPO interface.

The catch here is you can't create new policy settings within the GPO, but you can modify the GPO itself (copy GPOs, enable/disable setting groups, set WMI filters, modify ACLs, etc). So if you create a GPO that will do the install by hand, you could use this interface to modify your permissions or filters to expand the targeting. But to my knowledge there isn't an available interface for modifying the properties of settings within a GPO.

At this point you're getting into an area of programming that I don't work with, so I can't offer any of my own examples. But the link takes you to the MSDN reference material, and I figure anyone confident enough to say "any language will do" is probably capable of reading the docs and getting an idea of it.

But, for someone else's work, I found this on MSDN Social (near top of Google when searching IGPMGPO)

EDIT :: I just had a co-worker point out that the GP Objects are just collections (folders) of files written to \\domain\SYSVOL\domain\Policies\GUID and that you could, if you wanted to, use the interface above to fill in that path then write any property changes directly to the GPO underlying storage. At the end you'd go back to the above interface and toggle a setting (computer enable/disable, for example) to update the version stamp in the database and cause the new settings to be read from storage and pushed down. I've never done this and he emphasized the "could, but I wouldn't" aspect.

Ruscal
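
An added example, not part of the original answer: the copy-and-retarget approach the answer describes, written with the GroupPolicy PowerShell module that ships with GPMC instead of calling the COM interface directly. It assumes a hand-built template GPO whose Software Installation setting already points at the MSI on the share; the GPO names, OU path and UNC path are hypothetical placeholders.

```powershell
#Requires -Modules GroupPolicy
# Added example. All default parameter values are hypothetical placeholders.
param(
    [string]$TemplateGpo = 'MSI-Deploy-Template',                 # GPO built by hand in GPMC
    [string]$NewGpoName  = 'MSI-Deploy-ExampleApp',               # name for the clone
    [string]$TargetOu    = 'OU=Workstations,DC=example,DC=com',   # existing OU
    [string]$MsiPath     = '\\fileserver\deploy\ExampleApp.msi'   # package on the share
)

$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy

# 1. Clone the template so the hand-authored settings are carried into a new GPO.
$gpo = Copy-GPO -SourceName $TemplateGpo -TargetName $NewGpoName

# 2. Before linking, confirm the clone actually references the expected package.
#    If it does not, remove the clone so an empty or wrong policy is never linked.
$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
if ($report.IndexOf($MsiPath, [StringComparison]::OrdinalIgnoreCase) -lt 0) {
    Remove-GPO -Guid $gpo.Id
    throw "Copied GPO does not reference $MsiPath; nothing was linked."
}

# 3. Create the GP link on the OU that holds the target computers.
New-GPLink -Guid $gpo.Id -Target $TargetOu -LinkEnabled Yes | Out-Null

# 4. List every trustee that can edit the new GPO. Anyone shown here can change
#    what gets installed on the machines in the OU, so review this output.
Get-GPPermission -Guid $gpo.Id -All |
    Where-Object { $_.Permission -match 'Edit' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# 5. Read the link back from the OU to confirm it exists and is enabled.
(Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.GpoId -eq $gpo.Id } |
    Select-Object DisplayName, Enabled, Enforced, Order
```

Run it from a machine with GPMC/RSAT installed under an account allowed to create GPOs and link them to the OU. The package path is checked but not changed, so the clone deploys whatever the template was built to deploy.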