Group Policy

One of the often-forgotten features of gpresult is that it can output reports in HTML format (similar to Group Policy Modelling) as well as to the command line – simply use the /h switch followed by a path. The HTML report includes much more useful data, including how long it took to apply various aspects of the policy.

In the example below we can see that Group Policy Infrastructure took much longer to apply than expected (normally only a second or two). You can then dig into the cause by clicking the View Log link to the right, which pops out even more detail to dig through. In this case the cause of the slow policy application appeared to be old ADM files (Windows XP era) being included with the policy; deleting the files resolved the issue.

This entry is part 3 of 6 in the series 4 SSIDs 1 Secondary Academy

Now that we have the basics configured it's time to set up the first SSID (shown here as OSA-WiFi). This SSID will be used for Windows computers that are domain joined; this could be desktop PCs with wireless adapters as well as laptops and tablet PCs with built-in wireless.

To complete this section you will need a Windows Server with the Network Access Protection role installed on it as well as a valid SSL certificate assigned to it (the SSL cert must be ‘in date’ as otherwise your clients won’t connect to the network). If you don’t have a valid SSL certificate issued by a 3rd party you can use this guide here which shows you how to use the Active Directory certificate services to provision your own –

One of the great things about using this kind of authentication in a domain environment is that you don’t need to manage individual passkeys for your clients (in a school it can be a massive time saver if you have a class set of 30 new laptops to roll out) as all the settings required to connect can be pushed down via Group Policy Object.

Network Access Protection Server

First to be set up is the Windows Network Access Protection Server; this server hosts a service called RADIUS which receives authentication requests from the HP MSM and then checks the credentials (in this case the fact that the computer wishing to connect is indeed a member of the Windows Active Directory Domain) against Active Directory and in turn allows/prevents the client from connecting to the network.


Now that we have the backend service together it's time to get the HP MSM Controller to use the RADIUS/NAP server and present an SSID to the clients.

Group Policy Setup

As previously mentioned, by using this wireless authentication model you can easily pass out the settings to your domain-joined Windows computers without having to manually tap in a passkey on each machine. OK, so maybe it takes a while to set up and maintain, but in the long run shouldn’t we be nice to our technicians and get them doing something more important?

In the next part of this guide I’ll look at the setup of the Apple Mac wireless network as well as give you some pointers on how to get Bonjour packets to traverse between your Windows Wireless and Apple Network (great for the modern craze of AirPlay).

Go into any school these days and it will be hard to avoid any shiny ‘iDevices’ and in support of that I have recently deployed AirServer by App Dynamic.

The installer is provided as an MSI, although our retailer suggested a command line option to deploy and activate the software for all users of the PC; a very nice idea, but there is a much simpler method which involves a quick modification of the downloaded MSI using Orca. For the full guide take a look at the screenshot sequence below.

One point to note is that upon installation the installer will reach out to the AirServer website to perform product activation. As in most schools, a web proxy will get in the way of this; however, if you allow unfiltered access to the authentication will go through without any issues.

Another point to note – make sure you have all the prerequisites installed on any machine targeted for AirServer installation. The deployment of these is outside the scope of this document however the easiest way I have found so far is to download the full iTunes installer, unzip it (with 7zip) and deploy the MSIs inside it separately.

In this guide I will show you how to create a deployment of Greenfoot 2.3 using Group Policy Software Deployment while ensuring that the software is available for all users of the computer and removing the unnecessary desktop and start menu shortcuts.

If you don’t feel like reading through the guide and you want to use the modifications listed above then just download the transform file (contained within a ZIP file) below.

  Greenfoot Transform (980 bytes, 1,454 hits)

First off, a few things you will need:

  1. The Greenfoot Windows installer (it's an MSI right out of the box which makes life easy) –
  2. The Orca MSI editor tool (part of the Windows 7 SDK) – a guide to installing it can be found here
  3. The Java Development Kit (JDK) pre-installed on your PC (the deployment of this is outside the scope of this guide) –

The screen shot sequence below shows how to get everything setup.

When it comes to SCCM 2012 you have a powerful bit of software to deploy software updates and applications however all of this is worthless without the SCCM 2012 client which must first be installed.

This client comes as part of any task sequence that you configure however what if you have PCs that have been previously imaged or have an older version of the client?

In this case I prefer to fall back to good old GPO/MSI deployment; Microsoft does have an article on it in TechNet, however it's far from descriptive, so for a full guide on deploying the System 2012 Config Manager Client see the screenshot sequence below.

Let's imagine that for the past few years software has been deployed using Group Policy Software Installation and that a single server has been used to store the MSIs.

The only issue is you now want to move the MSIs to another server or even better are looking to move the MSIs to a DFS share.

The obvious option would be to remove and reassign the software packages, pointing them at the new path; the issue here is that the software would then go and reinstall itself on all of your PCs!

A better option is to use ADSI Edit to change the paths that already exist without having to reassign the software. The procedure in the screenshot sequence below uses the instructions found at this Microsoft KB –
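A read-only check to run before and after the ADSI Edit change, as an added example that is not part of the original guide or the Microsoft KB: it lists the software installation packages whose stored MSI paths still reference the old server. It assumes the RSAT ActiveDirectory module is installed; `OLDSERVER` is a placeholder, and the `packageRegistration` class with its `msiFileList` and `msiScriptPath` attributes comes from the Active Directory schema, not from this page.

```powershell
# Added example (read-only): find Group Policy Software Installation packages
# whose stored MSI paths still point at the old file server.
# Assumptions: RSAT ActiveDirectory module present; 'OLDSERVER' is a placeholder.
param(
    [string]$OldServer = 'OLDSERVER'
)

Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# Each deployed package is a packageRegistration object stored beneath its
# GPO in CN=Policies,CN=System.
$query = @{
    SearchBase = "CN=Policies,CN=System,$domainDn"
    LDAPFilter = '(objectClass=packageRegistration)'
    Properties = 'displayName', 'msiFileList', 'msiScriptPath'
}

foreach ($pkg in Get-ADObject @query) {
    # msiFileList is multi-valued; keep only entries naming the old server.
    $stale = @($pkg.msiFileList) | Where-Object { $_ -like "*\\$OldServer\*" }
    if (-not $stale) { continue }

    # The owning GPO's GUID is the {...} component directly above CN=Policies.
    $gpoGuid = $null
    if ($pkg.DistinguishedName -match 'CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies') {
        $gpoGuid = $Matches[1]
    }

    [pscustomobject]@{
        Package    = $pkg.displayName
        GpoGuid    = $gpoGuid
        StalePaths = $stale -join '; '
        ScriptPath = $pkg.msiScriptPath
    }
}
```

An empty result after the change means no package object still references the old server name.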

PDF is quite possibly one of my favourite web technologies – if nothing else it is my #1 way to share files with others knowing that when they go to view/print them it will look precisely the same as it does on my PC.

The great thing about Adobe PDF reader is it's very easy to fully customize the installation without having to use Orca.

In this guide I am looking to deploy Adobe Reader 11 to all of my clients using group policy software deployment, remove older versions of Reader, prevent auto update prompts, accept the EULA for my users, remove the desktop shortcut, make Adobe Reader the default PDF viewer and turn off Protected View (I find it causes more issues than it solves).

A few things you will need

  1. Adobe Reader deployment resources site (lots of good things to read!) –
  2. Adobe Customization Wizard –
  3. Adobe Reader Licence website (you need this to deploy) –

If you do not want to go through the Customization Wizard phase and are happy with the settings I will be using you can download the transform file from the ZIP file below.

  Adobe Reader 11 Transform (8.0 KiB, 2,272 hits)

So all that's left now is to follow the screenshots below and get Adobe Reader 11 out to your users!

Adobe Flash Player has to be one of the most valuable bits of software ever created; yes, HTML5 is taking over for some things, but all the same I don’t see Flash disappearing anytime soon.

As such it's important to keep Flash updated in your Enterprise. The one pain I’m sure everyone has come across at some stage is your end users getting the prompt to update Flash themselves (see right).

So what I will show you how to accomplish in this guide is:

  • Obtain and deploy an MSI for Adobe Flash Player to 32 and 64bit PCs that use Internet Explorer
  • Make it so that your users do not get Flash update prompts

A few things you will need

  1. A read of the Adobe Flash Enterprise Deployment Guide –
  2. A licence to deploy Adobe Flash Player (it's the only way to get at an MSI that will work) –
  3. Adobe Flash Tester (it will let you know if your deployment has worked or not) –

As part of the setup process you will need to copy a mms.cfg file to some locations on your PCs. To make life simple, a sample mms.cfg is included in the ZIP file download below along with the paths to where the files need to be copied to (all is explained in the setup guide).

  MMS Config File (131 bytes, 2,009 hits)

32bit Windows – C:\WINDOWS\System32\Macromed\Flash\mms.cfg
64bit Windows – C:\Windows\SysWOW64\Macromed\Flash\mms.cfg
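One way to script the copy as a GPO computer startup script, as an added example that is not part of the original guide: it picks the target path listed above from the Windows bitness and only rewrites the file when its hash differs from your prepared copy. The source share is a hypothetical path, and `Get-FileHash` assumes PowerShell 4.0 or later.

```powershell
# Added example: place a prepared mms.cfg at the path this guide lists for
# the machine's Windows bitness. Intended to run as a computer startup script.
# Assumption: $Source is a hypothetical share holding your prepared mms.cfg.
param(
    [string]$Source = '\\fileserver.example\deploy$\Flash\mms.cfg'
)

# Target paths exactly as given in the guide.
$target = if ([Environment]::Is64BitOperatingSystem) {
    'C:\Windows\SysWOW64\Macromed\Flash\mms.cfg'
} else {
    'C:\WINDOWS\System32\Macromed\Flash\mms.cfg'
}

if (-not (Test-Path -LiteralPath $Source)) {
    Write-Error "Source file not found: $Source"
    exit 1
}

# Create the Macromed\Flash folder if Flash has not created it yet.
$targetDir = Split-Path -Path $target -Parent
if (-not (Test-Path -LiteralPath $targetDir)) {
    New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
}

# Compare hashes so an unchanged file is left alone and a locally edited
# or replaced file is put back to the managed version.
$srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
$dstHash = if (Test-Path -LiteralPath $target) {
    (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
}

if ($srcHash -ne $dstHash) {
    Copy-Item -LiteralPath $Source -Destination $target -Force
    Write-Output "mms.cfg updated at $target"
} else {
    Write-Output "mms.cfg already current at $target"
}
```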

So let's get this ball rolling! For the steps on how to mash out Flash to your users follow the screenshot sequence below.

I’m sure if you have ever spent any time looking after PCs you will soon come across Java asking for updates; in a managed environment you wouldn’t want your users to see this prompt and the simple fix is to deploy Java properly.

Before I go any further I would like to thank the creator of this article 2012/06/12/java-jre-deployment-via-group-policy/ which most of this article is based upon (with a few my world of IT tweaks).

A few things you will need

  1. A download of the Offline Installer for Java –
  2. The Orca MSI editor tool (part of the Windows 7 SDK) – a guide to installing it can be found here

Since there are too many modifications in Orca to be included in the screen shots I have listed them in the table below instead (everything is in the Property table).

After a few requests the transform file (pre created) is now available in the ZIP file below

  Java 7 Transform (943 bytes, 1,739 hits)

So now that you have everything you need just follow this screen shot series.

For a while now Skype have offered an MSI, an ADM template and a nifty little guide on Enterprise Deployment considerations, but so far I haven’t found a decent guide which shows how to bring all of these components together to get Skype out there on your client PCs.

In this guide I will be looking to deploy Skype 6.3 to my clients using GPO/MSI, remove the desktop shortcut, remove its ability to auto launch on login, restrict access to file transfers, put in proxy settings and prevent automated updates (among a few other things that can be done through GPO).

A few things you will need

  1. A read of the Enterprise Deployment guide (it's from 2010 but is still valid) –
  2. The MSI – (updated May 2016)
  3. The ADM template (right click save target as) –
  4. The Orca MSI editor tool (part of the Windows 7 SDK) – a guide to installing it can be found here

After a few requests the transform file (pre created as specified above) is now available in the ZIP file below

  Skype 6 Transform (986 bytes, 2,889 hits)

The screen shot sequence below shows how to get everything rolling.