Using restricted groups in Active Directory

by on 21.Oct, 2009 under Active Directory, Group Policy, Windows

Restricted groups are simple to use, yet many people still find them confusing. With restricted groups you can delegate administration or other roles to certain groups without giving these groups administrative rights to your Active Directory.

As an example, let’s say you have a helpdesk working in your company. To work as efficiently as possible, they might need to log in as Administrators on a client computer to fix various problems. Sometimes (read: most times) you don’t want your helpdesk to have domain-level administrative rights, because they might, even unknowingly, mess something up in your production domain. To deal with this we use restricted groups. Restricted groups are provided by Active Directory group policies; they give us a way to centrally drop certain Active Directory groups into computers’ local groups (yes, computer local groups). They don’t have to be administrative groups; they might be anything from backup users to Power Users.
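
Restricted Groups settings are stored in the GPO's GptTmpl.inf file under a [Group Membership] section, so what a policy pushes into local groups can be audited directly. The PowerShell below is an added example, not part of the original article: it parses a constructed sample (the domain SID and RIDs are placeholders, the function names are hypothetical) and reports each setting, noting that a "Members" list replaces the local group's membership while "Memberof" only adds to it.

```powershell
# Constructed sample of a GptTmpl.inf [Group Membership] section.
# The domain SID and RIDs below are placeholders, not real values.
$sample = @'
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-1105
*S-1-5-21-1111111111-2222222222-3333333333-1106__Memberof = *S-1-5-32-551
*S-1-5-21-1111111111-2222222222-3333333333-1106__Members =
'@

function Resolve-Principal([string]$Value) {
    # Entries prefixed with '*' are SIDs; anything else is a plain account name.
    $v = $Value.Trim()
    if (-not $v.StartsWith('*')) { return $v }
    $sid = $v.Substring(1)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sid   # not resolvable from this machine (e.g. the placeholder SIDs)
    }
}

function Get-RestrictedGroupSetting([string[]]$Lines) {
    $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
            $group, $kind, $list = $Matches[1], $Matches[2], $Matches[3]
            $targets = @($list -split ',' | Where-Object { $_.Trim() } |
                         ForEach-Object { Resolve-Principal $_ })
            if ($targets.Count -eq 0) { continue }   # nothing listed for this setting
            [pscustomobject]@{
                Group   = Resolve-Principal $group
                Setting = $kind
                Targets = $targets -join ', '
                # Members replaces the group's membership; Memberof only adds to it.
                Effect  = if ($kind -eq 'Members') { 'replaces members' } else { 'adds membership' }
            }
        }
    }
}

Get-RestrictedGroupSetting ($sample -split "`r?`n") | Format-Table -AutoSize
```

To audit a real policy, pass the lines of the GPO's GptTmpl.inf (read with Get-Content) instead of the sample.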


Upgrade to / install Adobe Acrobat Reader 9 centrally using Active Directory group policies.

by on 20.Aug, 2008 under Windows

In January 2008 I published an article, “Installing Adobe Acrobat Reader centrally with Active Directory group policies”. The time has now come to upgrade to Acrobat Reader 9, so I’ll be taking you through some simple steps today to get that done.
If you want to push out Adobe Reader for the first time I suggest you follow the old guide located at http://www.nixadmins.net/node/317 and substitute everything Acrobat 8 related with 9.
What you need to complete this how-to is the Adobe Customization Wizard 9 and Acrobat Reader 9.

Download links:
Adobe customization wizard 9:
http://www.adobe.com/support/downloads/thankyou.jsp?ftpID=3993&fileID=3727
Adobe Reader 9:
http://www.adobe.com/products/acrobat/readstep2.html?promoid=BUIGO

Getting the MSI package

As you might have noticed, the Acrobat Reader 9 download is an .exe file. It does include an MSI; we just need to get it out of there.
Run the installer from a command prompt or the Run dialog:

D:\temp\AdbeRdr90_en_US.exe -nos_ne

You will find your fresh Adobe packages in:
Windows XP:
%Userprofile%\Local Settings\Application Data\Adobe\Reader 9.0\Setup Files\READER9
Windows Vista:
%userprofile%\AppData\Local\Adobe\Reader 9.0\Setup Files\READER9
Copy out all the files in that directory. I copied them to the desktop.

Let’s get on to the customization wizard.

Modifying the Adobe reader 9 installation package

Now that we have the MSI package we can start modifying it. So start up Adobe Customization Wizard and open your fresh MSI and let’s get started.

[Image: Adobe Customization Wizard 9]

Now you should read and understand the settings in the wizard, and also read the end user license agreement (EULA). If you choose not to show it, YOU agree to it on behalf of your whole organization.

The following are the settings I changed.

That’s it, now save the file and copy all the files to the fileshare you use to deploy software, in my case \\server\userapps\Adobe Reader 9. On the next page we continue with assigning the policy to the computers in your organization.
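
A package assigned under Computer Configuration is installed with system privileges on every targeted computer, so the installer's origin and the write permissions on the deployment folder are worth checking before the policy is linked. The PowerShell below is an added example, not part of the original article: it checks the downloaded installer's Authenticode signature, records SHA-256 hashes of the deployed files, and lists NTFS entries that let broad groups modify the folder. The function names, the list of broad groups and the expected signer string "Adobe" are assumptions.

```powershell
# Paths taken from the article; adjust them to your environment.
$installer = 'D:\temp\AdbeRdr90_en_US.exe'
$share     = '\\server\userapps\Adobe Reader 9'

function Test-VendorSignature([string]$Path, [string]$ExpectedSigner = 'Adobe') {
    # Status 'Valid' means the file is unmodified and chains to a trusted root.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File   = $Path
        Status = $sig.Status
        Signer = $signer
        Ok     = ($sig.Status -eq 'Valid' -and $signer -like "*$ExpectedSigner*")
    }
}

function Get-BroadWriteAce([string]$Path) {
    # NTFS entries that let large groups change files in the deployment folder.
    $broad = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users', 'Domain Computers'
    $mask  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask  = $mask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.FileSystemRights -band $mask) -and
        (($_.IdentityReference.Value -split '\\')[-1] -in $broad)
    }
}

if (Test-Path -LiteralPath $installer) {
    Test-VendorSignature $installer | Format-List
}
if (Test-Path -LiteralPath $share) {
    # Record hashes so later changes to the deployed files can be detected.
    Get-ChildItem -LiteralPath $share -File -Recurse |
        Get-FileHash -Algorithm SHA256 | Format-Table Hash, Path -AutoSize
    Get-BroadWriteAce $share |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```

Get-Acl reports NTFS permissions only; share-level permissions are configured separately on the file server and need their own review.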

Working with the policy

Start up your Group policy management console and select your Software installation policy. Select edit, go to Computer Configuration\Software Settings\Software Installation.
[Image: Group policy editor]

Right click and select new package. Browse to the folder where you dropped the MSI and INI file. Select the file and choose open.
[Image: Select the Adobe Acrobat Reader 9 MSI file]

At the deploy software screen select Advanced to check the following.
[Image: Advanced settings]
At the Upgrades tab you should see Upgrade Adobe Reader 8.?.?.
[Image: Upgrade Adobe Reader]

Checking the old Acrobat package

This is not generally something you have to do but I like to check and double check before I expect results. So select the old acrobat package and bring up its properties.
Go to the tab Upgrades where you should see the Adobe Reader 9 package.
That’s it, now you can push this out to your test environment and see that everything is working like it should.

Command line tools

Group policies are queried over a period of 30-180 minutes. This is to ensure that not all computers query at the same time. To speed it up you can use:

C:\> gpupdate /force

To check which policies are applied to a user/computer you can use:

C:\> gpresult

This lists all the policies applied to the computer you are at and the user logged in.

Final words

Working with Active Directory group policies is a really straightforward process. If something doesn’t work, check your event viewer for errors. I’ve even seen out-of-date network card drivers halt the whole group policy deployment.
If you need help with this, comment here and I’ll try to get you through the process.
I take no responsibility if this doesn’t work or setting this up makes a mess at your organization. This article is written only to help on the way and you should know what you are doing, not just “copy & paste”.
