09 May 2007

For SysAds: Deploying Adobe Reader 8 as a Managed App, Part 2

So here is the formal step-by-step I created for setting up Adobe Reader 8 as a Managed Application. See the following PDF manual (ironic as that sounds) for additional information: http://www.adobe.com/devnet/acrobat/pdfs/gpo_ad_8.pdf

Go to the Adobe site to download the installer:
http://www.adobe.com/products/acrobat/readstep2_servefile.html?option=full&order=1&type=&language=English&platform=WinXPSP2&esdcanbeused=1&esdcanhandle=1&hasjavascript=1&getsconly=1&x=76&y=25

This installer EXE file is small. When you run it, it downloads the actual Adobe Reader 8 EXE file. Save the large (~21 MB) Adobe Reader 8 EXE file to your desktop -- don't run it.

Now it would be best to create a shared folder on a commonly-accessible network drive that will hold all of the Adobe Reader 8 installation files that you are about to create. This folder is referred to by Adobe as the “distribution point”.

This next step is small but important! Once you make this folder, right-click on it and select Properties. Now select the Security tab. Add the security group “Domain Computers” to this list. If you don’t, none of the client workstations will have the rights to access the installation files.

Then follow the directions on this obscure knowledge base article to create an MSI file from this EXE file: http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=kb400540

I tried it and it works: it creates the MSI. But here’s the thing: you can’t push this MSI out to clients. According to another document that Adobe put out, you have to do an "administrative installation" of that MSI first. To do this, you have to do a Start / Run and type in:

Msiexec /a \\INSERT PATH HERE\AcroPro.msi

Then when it asks you where you want to install the files, you need to tell it to install the files into your distribution point.

Now that you’ve got the distribution point all set up, you will want to customize your client-side version of Adobe Reader 8. This step is optional, but skipping it might lead to a large amount of user-induced pain. To customize, use the Adobe Customization Wizard, which can be downloaded here:

http://www.adobe.com/support/downloads/detail.jsp?ftpID=3564

Once you’ve downloaded and installed the Adobe Customization Wizard, run it and open up the MSI file in your distribution point. Here are some changes that I recommend:

- Under Personalization Options, set Installation Path to your distribution point path
- Under Installation Options, select Run Installation Silently and Suppress Reboot
- Under Shortcuts, uncheck the worthless Desktop shortcut
- Under EULA and Online Features, check Suppress display of End User License Agreement (EULA), check Disable all updates, and check In Adobe Reader, disable Help > Purchase Adobe Acrobat
- Under Toolbars and Document Status, check Do not show Beyond Reader at startup and check Disable Adobe Online Services

Once you’ve set up Adobe Reader 8 the way you want it set up, click Save and it will prompt you for a location to save an MST file. Save this MST file in your distribution point. This file contains all the changes you just made.

If you get an error message when you save this MST file, it’s because the admin installer utility forgot to put a file called ‘setup.ini’ into the distribution point folder that contains the MSI file. You will have to create it and put it into your distribution point if you need it. The file should look like this:

[Startup]
RequireOS=Windows 2000
RequireMSI=3.0
RequireIE=6.0.2600.0
CmdLine=/sall /rs

[Product]
msi=AcroRead.msi
CmdLine=TRANSFORMS="AcroRead.mst"

[Windows 2000]
PlatformID=2
MajorVersion=5
ServicePackMajor=4

[MSI Updater]
Path=http://ardownload.adobe.com/pub/adobe/reader/win/8.x/8.0/misc/WindowsInstaller-KB893803-v2-x86.exe

Now you’re ready to create a GPO in Group Policy Management. Right-click on the appropriate OU and select Create and Link a GPO Here… . Name your new GPO and hit Enter.

Right-click on your new GPO and select Edit… . Go to Computer Configuration / Software Settings / Software installation. Right-click in the right-hand pane and select New / Package… .

Browse to the MSI file in your distribution point and click Open. Now select Advanced and click OK.

Under the Deployment tab, select Assigned. Leave “Uninstall this application when it falls out of the scope of management” unchecked.

Under the Modifications tab, click the Add… button. Now browse for the MST file that you created in steps 7-9 (it should be in your distribution point).

Click Apply, then click OK.

Now a couple more edits need to be made to this GPO within the Group Policy editor. Go to Computer Configuration / Administrative Templates / Windows Components / Windows Installer.

Double-click Always install with elevated privileges, change to Enabled, then Apply and click OK.

Double-click Logging, change to Enabled, and in the text box, type iweaprcv and click Apply then OK.
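
To confirm what these two Windows Installer settings actually leave on a client, the following PowerShell is an added example (not part of the original post or of Adobe's documentation). It reads the policy values from the registry; per Microsoft's description of the policy, Always install with elevated privileges only takes effect when it is enabled under both Computer Configuration and User Configuration, so the machine value and each loaded user hive are reported separately.

```powershell
# Added example: audit the Windows Installer policy values on the local machine.
# Run from an elevated prompt so that other users' loaded hives are readable.
$sub = 'SOFTWARE\Policies\Microsoft\Windows\Installer'

function Get-PolicyValue([string]$KeyPath, [string]$Name) {
    # Returns the value, or nothing when the key or value does not exist.
    $p = Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($p) { $p.$Name }
}

# Computer Configuration side (what the GPO in this guide sets).
$machineKey = "Registry::HKEY_LOCAL_MACHINE\$sub"
$machineAie = Get-PolicyValue $machineKey 'AlwaysInstallElevated'
$logging    = Get-PolicyValue $machineKey 'Logging'

# User Configuration side: check every user hive currently loaded under HKEY_USERS.
$userSids = @(
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v = Get-PolicyValue "Registry::$($_.Name)\$sub" 'AlwaysInstallElevated'
            if ($v -eq 1) { $_.PSChildName }
        }
)

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    MachineValue        = $machineAie                  # 1 = enabled in Computer Configuration
    UserHivesEnabled    = $userSids -join ', '         # SIDs with the user-side value set to 1
    ElevationInEffect   = ($machineAie -eq 1 -and $userSids.Count -gt 0)
    MsiLoggingModes     = $logging                     # e.g. the iweaprcv string typed above
}
```

A row with ElevationInEffect set to True is a machine where both halves of the policy are present; a MachineValue of 1 on its own is still worth tracking, since only the user-side value is missing.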

Your GPO is now live, so you may want to unlink it at this time…particularly because we still have to tackle the workstations that still have Adobe Reader 5 installed.

Don't forget about the short script that checks a PC to see if Adobe Reader 5 is installed, and if so, uninstalls it from that PC. You will create another GPO that runs this script at startup on all your client workstations.

Save this script into your distribution point. Then create a new GPO like you did in step 10.

Right-click on your new GPO and select “Edit…”. Go to Computer Configuration / Windows Settings / Scripts / Startup. Click the Add… button. Browse to your script file and click Open, then OK. Click Apply, then click OK.

Now your Adobe Reader 5 removal GPO is live. If both of these GPOs are live, then when a client in the OU restarts, first Reader 8 will get pushed to the client, then any existing version of Reader 5 will be uninstalled. Unfortunately, I have found through testing that doing these two actions in this order is problematic: the uninstall ends up messing up a small part of the Reader 8 installation. So my recommendation is to first turn on just the Reader 5 GPO and let it remove Reader 5 from your client workstations for several days. Then once all or most of your workstations are clear of Reader 5, turn on the Reader 8 push.

If, in spite of your efforts, the Reader 5 removal happens after the Reader 8 push on a particular workstation, one of two things might happen:

a) When launching Reader 8 for the first time, Windows has to rebuild some of the application files for Reader 8 that got deleted by the uninstall. This process can take as much as 10-15 minutes, but it seems to work.
b) The file association for PDF gets somehow zapped by the uninstall. The user would have to know or be assisted to re-associate PDF with Adobe Reader 8.

Good luck!

3 comments:

Andrew Hollamon said...

I realize that this is an old post, and I'm months behind on the comment, but it deserves a comment.

The Adobe documentation and your guide here both instruct people to enable the 'Always Install with Elevated Privileges' group policy option.

This is very bad, and dangerous. It lets any non-privileged user install any MSI software as SYSTEM, even if they have no admin privileges on the box. This effectively lets anyone trivially own a box that they are a non-admin user on.

You should never suggest this, and Adobe should be taken to task for something as silly as this.

When you push out installs via GPO tied to the computer config (as opposed to user), then the installs happen at boot time, and automatically run as SYSTEM. You don't need this policy setting to get these installs to run with elevated privileges, as GPO-distributed policies get that by default.

Anonymous said...

I totally agree with the last comment... Adobe's flagship and background is Photoshop which is not a network type application and 99% of Photoshop users usually have admin rights...
All Adobe installations are created to run for people with admin privileges and by doing this, they are not respecting the corporate desktop.

Adobe is not doing a very good job in providing applications to the corporate networks. Adobe is committing many "faux pas" and should be kicked in the teeth for tampering with and not respecting or understanding corporate desktop configurations/end user privileges.
Rather than correcting security issues created by their non-understanding of admin privileges, Adobe releases updates that are complete new versions of their software which usually forces the corporate world to re-test and re-design its dependent applications to adapt and function with their releases.

digital signature PDF said...

I too agree that as your blog is a step-by-step process of doing this, it's really easy to follow. But here I wanted to add that Adobe Photoshop is really a great software but I always feel that it eats up all my system resources and makes it very slow. Is there any solution to it?