Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


November 2007

Automating Office 2007 Deployment

Economical and practical methods for deploying the latest version of Office
From the November 2007 Edition
of Windows IT Pro
Dan Holme
Feature
InstantDoc #97016
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Scripting Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!
SideBar    Alternative Office 2007 Deployment Methods

Download the Code Here

The Log
The script logs the success or failure of the setup.exe command after the command is executed on each system. You must create a log file. The script is coded to work with a Microsoft Excel worksheet (Excel 97–2003 .xls format) as the log file, although you can change the script to work with a log file in the form of a Microsoft Access database (.mdb), Microsoft SQL Server database, or Office 2007 format database (.xlsx or .accdb). If you create an Excel worksheet, you’ll want to create column labels in the first row that match the labels defined in the script (i.e., ComputerName, Action, Status, Date, Notes). If you rename the worksheet from the Excel default name, Sheet1, remember that you must change the sTable variable in the script. Save the script to a folder to which Authenticated Users have read, execute, and write permission, and configure the variable sFile to point to the database.

The Groups
You can use the log to audit the success and failure of setup.exe, but it’s also handy to be able to easily monitor the machines on which Office should be installed, those for which setup.exe succeeded, and those that encountered errors. To do so, leverage Active Directory (AD) as your database and create the following three global security groups in AD:

  • CCM_Office 2007 Deploy: This group will contain the computers to which Office 2007 will be deployed.
  • APP_Office 2007: This group will contain computers on which Office 2007 has been successfully installed.
  • ALERT_Office 2007 Deploy: This group will be used to flag computers on which Office 2007 deployment failed. You can then monitor this group’s membership to determine which systems might need support.

The benefit of using AD as a database is that doing so makes it easy to manage change using group memberships. Computers in the CCM_Office 2007 Deploy group (CCM for Change and Configuration Management) will run the script using the methods described below. When the script succeeds, it moves the computer into the APP_Office 2007 group. If the script fails, it moves the computer into the ALERT_Office 2007 Deploy group. With either success or failure, the computer is removed from the CCM group, so that the script doesn’t run repeatedly.

For the script to move the computer between groups, you must delegate these groups correctly. These groups require the Self Allow Write Members permission. With this permission, the special identity Self must be allowed to modify the Members property. A user (or computer) can add or remove itself from a group but can’t add or remove other members. You can configure this access control entry (ACE) in the Security Properties dialog box of each group or place these groups in an organizational unit (OU) delegated with the Allow Self Modify Members ACE.

This ACE can be delegated on the OU. To do so, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and select Advanced Features from the View menu. Then, right-click the OU containing the three groups and select Properties. Now, click Advanced under the Security tab. Click Add and enter SELF for the User or Group. Then click OK. In the Permission Settings dialog box, click the Property tab and select Group Objects from the drop-down menu. Now select the Allow check box for the Members property.

Group Policy Startup Script
Although GPSI doesn’t support Office 2007’s setup.exe command, startup scripts can execute any command you want to run. Startup scripts run locally in the context of the System identity, which provides sufficient access to run setup .exe successfully.

The Microsoft article “Use Group Policy to assign computer startup scripts for 2007 Office deployment” (technet2.microsoft.com/Office/en-us/library/a57c8446-b959-4025-a866-b690ddcaa66d1033.mspx) describes how to use startup scripts for Office 2007 deployment. Although the article is strong on concepts and on step-by-step instructions for creating and assigning startup scripts, the actual script it proposes is weak. Our script is much more robust.

There are two things to keep in mind if you decide to use startup scripts to deploy software.The first is the length of time it takes to perform the installation. Startup-script processing times out after 10 minutes by default, so you’ll need to match the script timeout Group Policy Object (GPO) setting located under Computer Configuration Administrative Templates\System Scripts\Maximum wait time for Group Policy scripts with the maximum time (in seconds) that’s required to install Office. Determine the time through testing, but 15 to 20 minutes (900 to 1200 seconds) should be enough. I recommend configuring the expanded script timeout in the same GPO that you use to deploy Office, so that when the GPO no longer applies to a computer, its script timeout will return to the default or to another setting configured by other custom GPOs.

The other thing you must keep in mind when using startup scripts is how it will impact your end users. Startup scripts will run at each system startup, so you don’t want to be running setup.exe every time a client computer is booted. Setup won’t reinstall Office—it will detect the existing installation successfully— but it will still take time to process. Therefore, you want to configure your startup script to verify whether Office 2007 already exists on the system prior to running setup.exe. If Office 2007 has already been installed, the script will exit without running setup.exe.

There are several ways to configure your startup script to verify whether Office is already on a system. One way is to read the registry key that displays Office 2007 in the Add/ Remove Programs list. If it’s there, Office 2007 is installed. Another method is to create your own registry entry to track the successful installation of Office 2007. I’m a big fan of tagging systems for CCM. You can also create a “flag file” on the hard disk. Many systems administrators use this approach to tag a system. An empty text file is created with a specific name such as C:\OfficeDeployed.txt. A script looks for this file to determine whether the script should run. I prefer to use a registry change rather than the flag-file method, since disk reads are more “expensive” than registry reads from a processing perspective, and there’s a risk of the file being deleted from the disk.

Finally, you can use a security group to deploy Office 2007. To do so, create a GPO called Office 2007 Deploy. This GPO will configure the startup script, which will install Office 2007. Edit the GPO Startup Script policy settings to run your script: The Script Name should be cscript .exe, and the Script Parameters should be the full path to your script in the Office network installation point, as Figure 1 shows. Try to avoid using spaces in the pathname or filename.

After you’ve created the Office 2007 Deploy GPO with the startup script that installs Office 2007, filter the GPO so that it applies to only the CCM_Office 2007 Deploy group, as Figure 2 shows. Don’t forget to remove Authenticated Users from the filter.

Any computer that’s in the CCM_Office 2007 Deploy group will run the startup script and install Office 2007. Now here comes the creative part. Because the startup script includes code that removes the computer from the group, the startup script will run only one time on that computer. Also, if Office installs successfully, the computer will be moved to the APP_Office 2007 group. You can use that group to monitor and report which computers have Office 2007. If Office installation fails for some reason, the computer will be added to the ALERT_Office 2007 Deploy group, which acts as a “red flag” for computers that should be examined to determine why Office installation failed.

Wrapping Up
We’ve created a script that acts as a “build-ityourself” SMS or Systems Center Configuration Manager by executing an action, logging the results, and ensuring the action doesn’t happen again. We’ve also looked at how to deploy the script by using Group Policy startup scripts. For more information about other Office 2007 deployment methods, see the Web-exclusive sidebar “Alternative Office 2007 Deployment Methods,” InstantDoc ID 97263. The approach I’ve laid out can be used for several systems management tasks in addition to deployment of Office 2007.

End of Article

   Previous  1  [2]  Next  


Reader Comments
Where is the link to the code? I don't see it it the top of the article

vcp2522 November 04, 2007 (Article Rating: )

Where is the Code ????

bsmith1 November 07, 2007 (Article Rating: )

This is a great article. It would be helpful if the code was posted though.

vcp2522 November 07, 2007 (Article Rating: )

Great article, but could you post the code? Thanks.

dlabelle November 07, 2007 (Article Rating: )

Hello Readers,
You should see the link for the code at top of the article, just beneath the sidebar link--there's a blue button that says "Download the Code Here."

bkwin November 07, 2007 (Article Rating: )

Is the link to the code available to monthly subscribers? I do not see any blue button under the sidebar link - thank you

luke33 November 12, 2007 (Article Rating: )

The code is available to subscribers. But note that you must be logged on to see the blue Download the Code Here button.

Amy Eisenberg November 14, 2007 (Article Rating: )

Where do you get the offfice service pack 1 .msp files? The updates folder only takes .msp file updates and the service pack 1 only came as an .exe file. I tried putting the service pack 1 .exe file in the Updates folder of the network installation point, but it didn't run during the Office 2007 install.

grusmall1 December 14, 2007 (Article Rating: )

Where is the code? I'm a subscriber of the print issue of Windows IT-Pro and although i'm logged in i have no chance to download the code??? Why? Where is here the service? The article alone is not usefull, i need also the code to test the things!
thanks
arnold

schmidarnold January 06, 2008 (Article Rating: )

Readers who can't download the code: I've asked our customer service to contact you to help resolve the problem, since I'm not sure whether it's related to your access or is a bug. We'll work to resolve it ASAP. Thanks for letting us know!

AnneG_editor January 07, 2008 (Article Rating: )

 See More Comments  1   2 

You must log on before posting a comment.

If you don't have a username & password, please register now.




Learning Path For more information about deploying Office 2007
"Customizing and Deploying Office 2007"

"The Group Policy Route to Office Deployment and Management"

"Use Group Policy Software Installation to deploy the 2007 Office system"
Top Viewed ArticlesView all articles
Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...

IE 8.0 and Chrome Could Enable Next-Gen Web Apps—Unless Your ISP's Bandwidth Cap Gets in the Way

Both browsers are being positioned as the core system application that will enable the next generation of web apps--however, ISP usage caps could throw a major monkey wrench at web-based application delivery. ...

Escape From Yesterworld

Kevin points you to the funniest SQL Server website ever! ...
Related Articles Managing Microsoft Office 2007 with Group Policy
Related Events Check out our list of Free Email Newsletters!
Scripting eBooks Keeping Your Business Safe from Attack: Encryption and Certificate Services

Best Practices for Managing Linux and UNIX Servers

Building an Effective Reporting System
Related Scripting Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

IT Connections
Dive into the new Microsoft platforms and products you implement and support with the experts from Microsoft, TechNet Magazine, Windows ITPro and industry gurus. There are 70+ sessions and interactive panels with networking opportunities.

Attention User Group Leaders...
Announcing the eNews Generator—a FREE HTML e-newsletter builder for user group leaders. Build your HTML and text e-newsletters in minutes and add Windows IT Pro & SQL Server Mag articles alongside your own message!.

Master SharePoint with 3 eLearning Seminars
Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!

Get SQL Server 2008 at WinConnections
Don’t miss Microsoft Exchange and Windows Connections conferences, the premier events for Microsoft IT Professionals in Las Vegas, November 10-13. Every attendee will receive a copy of SQL Server 2008 Standard Edition with one CAL.



Interested in Email Encryption?
Read about the advantages of identity-based encryption in this free report.

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

Virtualization Congress Oct. 14-16 in London
Don't miss Virtualization Congress, the premiere EMEA conference dedicated to hardware, OS and application virtualization. Oct. 14-16.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technical Resources Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing