How to use Windows Installer and Group Policy to deploy the VPModule.msi in an Active Directory domain

The VPModule.msi file installs an HttpModule that is named Microsoft.Web.ValidatePathModule.dll on target computers. The installation also updates the Machine.config file or files with a new HttpModule entry. For additional information about VPModule.msi, click the following article number to view the article in the Microsoft Knowledge Base: With VPModule.msi, you can install Microsoft.Web.ValidatePathModule.dll on computers that are running ASP.NET. If you are managing computers in an Active Directory directory service environment, you can use the Software Installation and Maintenance feature of Group Policy to deploy the VPModule.msi on target computers. This article describes how to use Windows Installer and Group Policy to install the VPModule.msi on target computers in a Microsoft Windows 2000 Server or Microsoft Windows Server 2003 Active Directory domain. This article assumes that you already know which computers are running ASP.NET in your environment.

Group Policy is the recommended method for managing the deployment of software for customers who are not already using a corporate update management solution such as Systems Management Server (SMS) 2003 or Software Update Services (SUS). For more information about Group Policy, visit the following Microsoft Web site:

Use Group Policy to assign the VPModule.msi

To use Group Policy to assign the VPModule.msi, follow these steps:

1. Create a distribution point.
2. Create a Group Policy object (GPO) for VPModule.msi deployments.
3. Deploy the VPModule.msi file from the shared distribution folder as machine-assigned.
4. If you want to, deploy the VPModule.msi to specific security groups.

Target computers, or computers that are to receive the VPModule.msi, must be joined to the same domain as the server where the Windows Installer (.msi) file resides. After you assign the package, Windows Installer automatically installs the VPModule.msi the next time users who are connected to the network start their computers. We recommend that you inspect the properties of each computer to make sure that the VPModule.msi update has completed on the destination computer. You might need to restart a computer more than one time to complete the update.

Only a network administrator or someone who is logged on to a local computer as an administrator can remove the assigned software (that is, the VPModule.msi) from the destination computer. The procedures identified in this section are explained in detail in the following sections.

Create a distribution point

To assign software, you must create a distribution point on the server. To create a distribution point, follow these steps:

1. Log on to the server computer as an administrator.
2. Create a shared network folder where you are going to put the VPModule.msi file that you want to distribute. This folder is the distribution point for the software package.
3. Set permissions on the shared network folder to permit access to the distribution package. Give access permissions to the following:
   • Administrators
   • Authenticated users
   • Domain users
   Optionally, you can configure Distributed File System (DFS) for the distribution point. We recommended that you do this because it provides you with more flexibility. It provides more flexibility by ensuring uninterrupted availability of the distribution point in case you have to replace the server. In addition, with DFS, it is easier to have distribution points in multiple sites. For more information about DFS, visit the following Microsoft Web site:
   http://go.microsoft.com/fwlink/?linkid=34229 (http://go.microsoft.com/fwlink/?linkid=34229)
4. Copy the VPModule.msi file to the distribution point.

Create a GPO for software deployment

You can create a GPO and link the GPO to any Active Directory container that contains the target computers to which you want to deploy the VPModule.msi. For example, an Active Directory container may be a site, a domain, or an organizational unit (OU). The following instructions direct you to use a domain as a container and then to use security filtering to target the GPO to specific computers. For your environment, you might want to link the GPO to a different container, such as an OU. You can link to any Active Directory container that you want. Also, you can edit an existing GPO instead of creating a new GPO just for deploying the VPModule.msi. However, we do not recommend that you edit the Default Domain Policy or the Default Domain Controllers Policy.

Create a GPO for deployment of the VPModule.msi

Use one of the following methods to create a GPO for deployment of the VPModule.msi.

If you have Group Policy Management Console (GPMC) installed, follow these steps:

1. On an administrative workstation, open the Group Policy Management Console (GPMC).
2. In the console tree, right-click the domain name in the forest in which you want to create and link a Group Policy object (GPO).
3. Click Create and Link a GPO Here.
4. In the New GPO dialog box, specify a name for the new GPO, and then click OK.

If you do not have Group Policy Management Console (GPMC) installed, follow these steps:

1. On a domain controller or administrative workstation, open Active Directory Users and Computers.
2. Locate the OU that contains the computers where you want to deploy the VPModule.msi.
3. Right-click that OU, and then click Properties.
4. Click the Group Policy tab, and then click New.
5. In the New GPO dialog box, specify a name for the new GPO, and then click OK.

Edit a GPO for software deployment

After you create a distribution point and create a GPO for deployment of the VPModule.msi, you must modify the GPO by using the Software Installation and Maintenance feature of Group Policy. To deploy the VPModule.msi, you must use the Computer Configuration node in the Group Policy Object Editor.

To edit a GPO for software deployment, follow these steps:

1. Right-click the new GPO, and then click Edit.
2. In Group Policy Object Editor, click Computer Configuration, click Software Settings, and then click Software Installation.
3. On the Action menu, point to New, and then click Package.
4. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want to distribute in the File name box. Type this path in the following format:
   \\ServerName\SharedFolder\VPModule.msi or \\ServerIP\SharedFolder\VPModule.msi
   Make sure that you use the UNC path of the shared installer package.
5. Select the Windows Installer package, and then click Open.
6. In the Deploy Software dialog box, click Assigned, and then click OK. The shared installer package that you selected appears in the right pane of Group Policy Object Editor.

Note ServerName and ServerIP are placeholders for the server name or IP address of the computer where the shared folder is located. SharedFolder is a placeholder for the shared folder that is on the server computer.

Deploy software to specific security groups

You can use security filtering in Group Policy to deploy the VPModule.msi only to computers that are members of a specific security group. For example, if you create a GPO at the domain level by using the procedure that this article describes, you can use security filtering to target the GPO only to the computers that you want. First, you must create the security group and add target computers as members.

To create a security group, follow these steps:

1. Right-click the domain or Active Directory container that you want to target, click New, and then click Group.
2. Name the security group.
3. Click the Members tab, and then click Add.
4. Type the computer names, and then click OK.

Target the VPModule.msi by using security filtering

1. In GPMC, double-click Group Policy Objects.
2. Click the GPO that you want to apply security filtering to.
3. In the results pane, click Add on the Scope tab.
4. In the Enter the object name to select box, type the name of the group, the user, or the computer that you want to add to the security filter, and then click OK.
5. If Authenticated Users appears in the Security Filtering section of the Scope tab, select this group, and then click Remove. This makes sure that only members of the group or groups that you added can receive the settings in this GPO.

Note The settings in a GPO apply only to the following users and computers:

• Users and computers that are contained in the domain, the OU, or the OUs where the GPO is linked.
• Users and computers that are specified in Security Filtering, or that are members of a group that is specified in Security Filtering.

You can specify multiple groups, users, or computers in the security filter for a single GPO.

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base: