Upgrade to / install Adobe Acrobat Reader 9 centrally using Active Directory group policies.

by Mats Hellman on 20.Aug, 2008 under Windows

In January 2008 I published an article, “Installing Adobe Acrobat Reader centrally with Active Directory group policies”. The time has now come to upgrade to Acrobat Reader 9, so today I’ll take you through some simple steps to get that part done.
If you want to push out Adobe Reader for the first time, I suggest you follow the old guide located at http://www.nixadmins.net/node/317 and substitute 9 for everything Acrobat 8 related.
To complete this how-to you need the Adobe Customization Wizard 9 and Acrobat Reader 9.

Download links:
Adobe Customization Wizard 9:
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3993&fileID=3727
Adobe Reader 9:
http://www.adobe.com/products/acrobat/readstep2.html?promoid=BUIGO

Getting the MSI package

As you might have noticed, the Acrobat Reader 9 download is an .exe file. It does include an MSI; we just need to get it out of there.
Run the installer from a command prompt or the Run dialog:

D:\temp\AdbeRdr90_en_US.exe -nos_ne

You will find your fresh Adobe packages in:
Windows XP:
%Userprofile%\Local Settings\Application Data\Adobe\Reader 9.0\Setup Files\READER9
Windows Vista:
%userprofile%\AppData\Local\Adobe\Reader 9.0\Setup Files\READER9
Copy out all the files in that directory. I copied them to the desktop.

Let’s get on to the customization wizard.

Modifying the Adobe reader 9 installation package

Now that we have the MSI package we can start modifying it. So start up Adobe Customization Wizard and open your fresh MSI and let’s get started.

Now you should read and understand the settings in the wizard, and also read the end user license agreement (EULA). If you choose not to show it, YOU agree to it on behalf of your whole organization.

The following are the settings I changed.

That’s it, now save the file and copy all the files to the fileshare you use to deploy software, in my case \\server\userapps\Adobe Reader 9. On the next page we continue with assigning the policy to the computers in your organization.
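Computer-assigned packages are installed by the machine with system privileges, so anyone who can write to the deployment folder can change what every targeted computer installs. The following PowerShell is an added example, not part of the original article: it lists allow ACEs that grant write-type rights to anyone outside an allowed list. The function name, the allowed-writer list and the sample ACEs are assumptions constructed for illustration.

```powershell
# Added example (not from the original article). Input objects need the three
# properties found on NTFS access rules, i.e. what (Get-Acl <path>).Access returns.
# NTFS ACEs only: share-level permissions have to be reviewed separately.
function Find-UnexpectedWriter {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,
        # Assumption: only these principals should be able to change the package.
        [string[]] $AllowedWriter = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    # Any of these rights is enough to replace or alter the MSI and INI files.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    foreach ($a in $Ace) {
        if ("$($a.AccessControlType)" -ne 'Allow') { continue }
        $rights = [System.Security.AccessControl.FileSystemRights]$a.FileSystemRights
        if (([int]$rights -band $writeMask) -eq 0) { continue }          # read-only ACE
        if ($AllowedWriter -contains "$($a.IdentityReference)") { continue }
        [pscustomobject]@{ Identity = "$($a.IdentityReference)"; Rights = $rights }
    }
}

# Constructed sample ACEs for a deployment folder.
$sampleAce = @(
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators';  AccessControlType = 'Allow'; FileSystemRights = 'FullControl' }
    [pscustomobject]@{ IdentityReference = 'DOMAIN\Domain Computers'; AccessControlType = 'Allow'; FileSystemRights = 'ReadAndExecute, Synchronize' }
    [pscustomobject]@{ IdentityReference = 'DOMAIN\Domain Users';     AccessControlType = 'Allow'; FileSystemRights = 'Modify, Synchronize' }
)

# Only the Domain Users entry carries write rights without being on the allowed list.
Find-UnexpectedWriter -Ace $sampleAce | Format-Table -AutoSize

# Live use against the share from this article:
#   Find-UnexpectedWriter -Ace (Get-Acl '\\server\userapps\Adobe Reader 9').Access
```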

Working with the policy

Start up your Group Policy Management Console and select your software installation policy. Select Edit and go to Computer Configuration\Software Settings\Software Installation.

Right-click and select New package. Browse to the folder where you dropped the MSI and INI file. Select the file and choose Open.

At the Deploy Software screen, select Advanced to check the following.
At the Upgrades tab you should see Upgrade Adobe Reader 8.?.?.

Checking the old Acrobat package

This is not generally something you have to do, but I like to check and double-check before I expect results. So select the old Acrobat package and bring up its properties.
Go to the Upgrades tab, where you should see the Adobe Reader 9 package.
That’s it, now you can push this out to your test environment and see that everything is working like it should.

Command line tools

Group policies are queried over a period of 30-180 minutes. This is to ensure that not all computers query at the same time. To speed it up you can use:

C:\>gpupdate /force

To check which policies are applied to a user/computer you can use:

C:\>gpresult

This lists all the policies applied to the computer you are at and the user logged in.

Final words

Working with Active Directory group policies is a really straightforward process. If something doesn’t work, check your event viewer for errors. I’ve even seen out-of-date network card drivers halt the whole group policy deployment.
If you need help with this, comment here and I’ll try to get you through the process.
I take no responsibility if this doesn’t work or setting this up makes a mess at your organization. This article is written only to help on the way and you should know what you are doing, not just “copy & paste”.

5 Free tools for a Windows Systems administrator

by Mats Hellman on 14.Aug, 2008 under Windows

This is a collection of tools I always keep on my management desktops. Some of you may disagree, and I hope you do, to raise some discussion and maybe even show me some new or better tools to get the same job done.

I tried to collect the tools I install first on any of my new computers to make my life easier. They are not in any specific order.

Sysinternals

Sysinternals have supplied us with so many great tools, and the ones I install ASAP are just a few. To see the full list, go to the Sysinternals website and check them out.

Process explorer

This program can do anything the Windows Task Manager can and even more. It has helped me find rogue programs and problems more than once, I can tell you.

You can see the files a program has open, or which program is holding on to a directory you can’t delete. This is something every systems administrator should have installed on their computer.

Download from http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Process monitor

Quote from the Sysinternals website:

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.

That should sum it up for you.

Download from http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Autoruns

Ever noticed that a preinstalled computer has hundreds of programs running in the background? All of them hog your precious resources, and all of them slow down the computer startup due to autorun. I’m talking about Adobe, InstallShield, IBM/Lenovo programs and so on: mostly useless programs that tend to take a lot of the performance out of your brand spanking new computer. This is the tool I fire up to begin with, getting all the useless programs out of autorun and giving myself the choice to start them when and IF I need them.


This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

Download from http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Tcpview

This program shows you a listing of all TCP and UDP endpoints on your system.

TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. On Windows Server 2008, Vista, NT, 2000 and XP TCPView also reports the name of the process that owns the endpoint. TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.

Download from http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

Microsoft

These programs, or should we say packs, are essential for me when administering my systems from my management workstation.

Windows Server 2003 adminpak

Includes all the tools included in Windows Server 2003. You can administer your Active Directory users, DNS servers and DFS (Distributed File System) from your own management station. A must-have for me.

Download from http://www.microsoft.com/downloads/details.aspx?familyid=86B71A4F-4122-44AF-BE79-3F101E533D95&displaylang=en

Virtual PC 2007

A free virtual environment on your PC. This allows you to install servers or desktops on your own management pc to use for testing, debugging etc. I even keep some Linux installations in Virtual PC.

Download from http://www.microsoft.com/windows/downloads/virtualpc/default.mspx

Find stale / dead / removed computers or users from Active Directory using oldcmp from JoeWare.net

by Mats Hellman on 12.Aug, 2008 under Windows

I noticed our Active Directory domain and Windows Server Update Services had a small difference of about 200 workstations.

The forgotten computers

Naive as I was, I never thought that we could “forget” 200 workstations in our domain. So I had to find a tool to get the job done. Luckily I found oldcmp at Joeware.net. This small 222kb tool promised to do what I needed done, and I could even get a report in HTML, CSV or DHTML.

Using OldCmp

The use of this program is more than simple, but beware: don’t use delete unless you really know the computer accounts are dead.
The program has a few safeguards to keep you from doing something really bad, so I won’t show you anything here other than how to get a report from your Active Directory. If you want to delete or disable computers, read the help.

Listing computers that haven’t changed their password in 90 days

D:\Tools\JoeWare.NET\OldCmp.exe -report
OldCmp V01.05.00cpp Joe Richards (joe@joeware.net) December 2004

Processed at dc1.domain.local
Default Naming Context: DC=domain,DC=local

Search completed…
Creating Report File: oldcmp.20080812-233442.htm

Command completed successfully

Getting some help

D:\Tools\JoeWare.NET\OldCmp.exe -help
– The above command lists the help, I won’t paste it here since it is quite long. You should read it anyway because it has more than a few good examples of the usage –

Listing computers that haven’t changed their password for more than 120 days

D:\Tools\JoeWare.NET\OldCmp.exe -report -age 120
OldCmp V01.05.00cpp Joe Richards (joe@joeware.net) December 2004

Processed at dc1.domain.local
Default Naming Context: DC=domain,DC=local

Search completed…
Creating Report File: oldcmp.20080812-234028.htm

Command completed successfully

I settled for computers that haven’t changed their password for more than 120 days. There were still a few computers in use, but we quickly sorted them out and could now disable almost 200 computer accounts from our Active Directory.
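The same age check expressed in PowerShell, as an added example that is not OldCmp's code or part of the original article: it flags accounts whose password is older than the threshold and shows whether WSUS still lists the machine, which is the mismatch that started this post. The function name, the WSUS name list and the sample data are assumptions constructed for illustration.

```powershell
# Added example, not OldCmp's code. Input objects need Name, Enabled and
# PasswordLastSet, the shape returned by the ActiveDirectory module's
#   Get-ADComputer -Filter * -Properties PasswordLastSet
function Get-StaleComputerCandidate {
    param(
        [Parameter(Mandatory)] [object[]] $Computer,
        [string[]] $WsusName = @(),     # computer names exported from WSUS (assumed input)
        [int] $AgeDays = 120,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$AgeDays)
    foreach ($c in $Computer) {
        # A missing PasswordLastSet is reported instead of being silently skipped.
        $neverSet = $null -eq $c.PasswordLastSet
        if (-not $neverSet -and $c.PasswordLastSet -ge $cutoff) { continue }
        [pscustomobject]@{
            Name            = $c.Name
            Enabled         = $c.Enabled
            PasswordAgeDays = if ($neverSet) { $null } else { [math]::Floor(($Now - $c.PasswordLastSet).TotalDays) }
            InWsus          = $WsusName -contains $c.Name   # case-insensitive match
        }
    }
}

# Constructed sample data, dated around the report in the article.
$now = [datetime]'2008-08-12'
$computers = @(
    [pscustomobject]@{ Name = 'WS-001'; Enabled = $true;  PasswordLastSet = [datetime]'2008-08-01' }
    [pscustomobject]@{ Name = 'WS-002'; Enabled = $true;  PasswordLastSet = [datetime]'2008-02-10' }
    [pscustomobject]@{ Name = 'WS-003'; Enabled = $true;  PasswordLastSet = [datetime]'2007-11-30' }
    [pscustomobject]@{ Name = 'WS-004'; Enabled = $false; PasswordLastSet = $null }
)
$wsus = @('ws-001', 'ws-002')

# WS-002 is old but still known to WSUS, so it deserves a look before disabling.
Get-StaleComputerCandidate -Computer $computers -WsusName $wsus -Now $now |
    Sort-Object InWsus, PasswordAgeDays | Format-Table -AutoSize
```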

Users instead of computers

You can also check dead users by giving the program the user switch.

D:\Tools\JoeWare.NET\OldCmp.exe -users -report -age 120

The above obviously checks for users who haven’t changed their password in more than 120 days.
Also check out the other magnificent tools you can find at Joeware.net.
