9   Group Policy-Active Directory

Acrobat products have always supported post deployment configuration via GPO, but the 11.0 release marks the first time that Adobe has created certified ADM templates for Group Policy. The Windows Server Group Policy Objects (GPO) and the Active Directory services infrastructure enables IT to automate one-to-many management of computers. Administrators can implement security settings, enforce IT policies, and distribute software across a range of organizational units. With the software installation extension of GPO, you can provide on-demand software installation and automatic repair of applications.

When you need to further configure applications after deployment, you can use ADM templates to propagate the requisite settings across your organization. The Group Policy settings that you create are contained in a GPO. To create a GPO, use the Group Policy Management Console (GPMC), which is available for download from the Microsoft website at http://www.microsoft.com/downloads/details.aspx?FamilyID=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en.

Note

The product only supports per MACHINE installs. It does not support per-USER installs.

9.1   Starter templates

11.0 introduced two starter templates for Acrobat and Reader. These templates contain a few of the most important settings, but you can use the Preference Reference to extend them further.

9.2   Tested environments

The procedures in this document were tested in the following environments:

  • Acrobat 11.x:

    • Client computers running on OS versions Windows XP, Windows 7, and Windows 8 (32 & 64-bit clients).
    • Server computers running Windows Server 2008 R2 Enterprise Edition 64-bit.
  • Acrobat 10.x:

    • Client computers running on OS versions defined by the publish system requirements.
    • Server computers running Windows Server 2008 Enterprise Edition.
  • Acrobat 9.x:

    • Client computers running Windows 2000 Professional Service Pack 4 (Adobe Reader only), Windows XP Professional Service Pack 2 and later, and Windows Vista 32-bit and 64-bit.
    • Server computers running Windows Server 2003 Enterprise Edition.

9.3   Using an MST with GPO

If you’ve used the Wizard to create a transform MST file for a custom installation, you apply that MST while installing the application during deployment of the GPO package. At a high level, the steps include:

  1. Create the MST file.
  2. Select the MST via the Modification tab.
  3. Complete the standard GPO package deployment

9.4   10.x+ GPO deployments

While the GPO templates have only been tested with 11.x and later, 10.x and 11.x deployments use the same methodology as follows:

  1. Create an AIP.
  2. Copy the AIP folder and rename it as the patch version; for example, 10.0.1.
  3. Slipstream the patch into the 10.0 MSI.
  4. Open a command prompt and CD to the patch version copy of the AIP.
  5. Create the AIP via msiexec /a [MSI file name] /p [MSP file name]
  6. Add a new package to the original GPO in the standard way without moving existing packages.
  7. Point to the new MSI.
  8. In the Deploy Software dialog, choose Advanced to bring up the properties menu for the package.
_images/GPO1.png
  1. On the Properties page’s General tab, rename the package to <product name + version> to distinguish this package. This name will appear in the Add/Remove Programs entry of the client system when the update is installed.
_images/GPO2.png
  1. Switch to the Deployment tab.
  2. Optional: If you need to Uninstall this application when it falls out of the scope of management setting, select the Deployment tab and select that checkbox. This will uninstall the application and patch automatically when the scope of the GPO changes or the package is removed from the GPO.
_images/GPO3.png
  1. Select the Upgrades tab.
  2. Choose the current package (in this case 10.0).
  3. Choose Add.
_images/GPO5.png
  1. In the Add Upgrade Package dialog, do the following:
    1. Select Current GPO.
    2. Select the package you want to upgrade.
    3. Select Package can upgrade over the existing package to ensure that this will be an upgrade instead of uninstall/reinstall.
_images/GPO4.png
  1. Choose OK.
  2. Review the summary.

Users under a GPO policy will now get the latest update after the group policy refreshes and a computer restart. This procedure can be repeated for all patches.

_images/GPO6.png

9.5   9.x GPO deployments

All GPO-based deployment is managed using the Group Policy Management Console.

To start the Group Policy Management Console:

  1. Log on as a Domain Administrator.
  2. Open the Group Policy Management Console.

9.5.1   Assign the application to a computer:

  1. Right-click Group Policy Objects.
  2. Choose New.
  3. In the New GPO dialog box, enter a descriptive name for the new policy.
  4. Choose OK.
  5. In the left-hand panel, expand Group Policy Objects.
  6. Highlight the new policy name you just created.
  7. On the Scope tab, choose Add in the Security Filtering section.
  8. Choose Object Types in the Select User, Computer, or Group dialog box.
  9. Choose Computers in the Object Types dialog box,
  10. Choose OK.
  11. Check the Enter the object name to select text check box in the Select User, Computer, or Group dialog box.
  12. Enter the name of the computer to which you want to deploy the software. (To browse available computer names, choose Advanced > Find Now.)

Note

Repeat this step for all computer names to which you want to deploy software. Assigning the install to users is not supported. You cannot use GPO installs with Control Panel installs.

  1. Choose OK to close the Select User, Computer, or Group dialog box.

  2. In the console’s left panel, right-click the policy name that you initially created.

  3. Choose Edit.

  4. Expand Computer Configuration in the left panel n the Group Policy dialog box.

  5. Expand Software Settings.

  6. Right-click Software installation.

  7. Choose New > Package.

  8. In the Open dialog box, browse to the AIP you created.

  9. Select the MSI file containing the installer you want to deploy.

  10. Choose Open.

  11. In the Deploy Software dialog box, do one of the following:

    • If you do not plan to apply transforms, select Assigned > OK.
    • If you plan to apply transforms during installation, select Advanced > OK.
  12. In the Properties dialog box for the package you created:

    1. Choose the Deployment tab.
    2. Select Uninstall this application when it falls out of the scope of management.
    3. If you plan to deploy in multiple languages, choose Advanced.
    4. In the Advanced Deployment Options dialog box, choose Ignore language when deploying this package.
    5. Choose OK.
  13. On the Modifications tab, specify any modification transforms you want to apply when the package is installed by choosing Add and then opening each transform from its network location.

  14. On the Security tab, verify the name(s) of any computer(s) to which you are assigning software.

  15. Choose OK to close the Properties dialog box.

  16. In the Group Policy dialog box, expand Computer Configuration > Administrative Templates > Windows Components.

  17. In the Windows Components folder, select Windows Installer.

  18. Select Always install with elevated privileges.

  19. Select Properties.

  20. In the Always install with elevated privileges Properties dialog box, choose the Setting tab > Enabled > OK.

  21. Configure logging:

    1. In the Windows Installer panel of the Group Policy dialog box, right-click Logging.
    2. Select Properties.
    3. Choose Enabled on the Setting tab.
    4. Enter iweaprcv in the Logging text box.
    5. Choose OK.
  1. In the Group Policy dialog box, choose File > Exit.
  2. In the Group Policy Management Console, expand Forests and Domains.
  3. Right-click the Acrobat OU to which you want to link the GPO that you created earlier in this procedure, and then select Link an Existing GPO.
  4. In the Select GPO dialog box > Group Policy objects list > the GPO you created > OK.

The GPO must be propagated to the Active Directory Global Catalog and then to the individual computers. For this reason, allow 5-10 minutes before restarting the computers to which you are assigning the Acrobat software, or plan to restart the client computers twice before the system policies are synchronized.

9.6   Removing products via GPO

Removing Acrobat products by using GPOs requires unlinking the Active Directory OU from the GPO currently enabling the software to run.

To remove Acrobat products that are assigned to a computer, unlink the GPO from the OU, or remove the computer from the OU and GPO. The software will be removed the next time the computer restarts.

9.7   Acrobat’s starter GPO template

Acrobat 11.0 introduces a certified, starter GPO template that administrators can extend to include any other preference. The template is delivered in two formats:

  • ADM: For operating systems before Vista and 2008, though they do work on those OS’s.
  • ADMX: For Vista and 2008 servers that can consume the newer XML format.

Available settings in each of the formats are identical. Acrobat and Reader templates are similar with the exception that the Reader template does not provide preferences which are Acrobat-only. Template preferences fall into these broad categories:

  • General enterprise settings: Features such as disabling updates and setting the default PDF handler.
  • Security: Application security features such as enhanced security, sandboxing, and JS controls.
  • TrustManager: Trusting Windows OS security zones as defined in Internet Explorer.
  • Digital Signatures: Adobe Acrobat Trust List integration.

Template usage

  1. Download the files that are appropriate for your system and product type.
  2. Review the files. Other preferences documented in the Preference Reference may be added.
  3. Integrate the files into your standard GPO management process.

9.8   Creating GPO Templates

You can create GPO templates that will enable configuration of almost any feature as long as you conform to the Microsoft format. For more information, see:

Note

Populate the template fields with information from the Preference Reference.

GPO template: for Accessibility

CLASS USER
   CATEGORY "Accessibility"

    POLICY "bOverridePageLayout"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\Access"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bOverridePageLayout"
     EXPLAIN "Toggles the ability of the application to override the page layout embedded in the PDF."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bOverrideZoom"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\Access"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bOverrideZoom"
     EXPLAIN "Enables the zoom setting drop down list so that the user can specify a default zoom setting for all documents."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bOverrideLineArtColors"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\Access"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bOverrideLineArtColors"
     EXPLAIN "Limits color changes to black text and line art when iAccessColorPolicy is enabled and a replacement color has been specified."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bUseStructTabOrder"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\Access"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bUseStructTabOrder"
     EXPLAIN "Specifies whether to use the PDF document structure for determining the tab order. "
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bShowKeyboardSelectionCursor"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\Access"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bShowKeyboardSelectionCursor"
     EXPLAIN "Specifies whether the keyboard selection cursor should always be active in the document."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bUseSystemSelectionColor"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\Access"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bUseSystemSelectionColor"
     EXPLAIN "Specifies whether the default selection color (blue) is overridden with a color that the system specifies."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bUseDetailsNavigator"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\Access"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bUseDetailsNavigator"
     EXPLAIN "Specifies whether to show PDF Portfolio component files and file details in an accessible list. "
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bUsePlatformNavigator"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\Attachments"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bUsePlatformNavigator"
     EXPLAIN "Specifies whether to always show portfolios in an accessible view. "
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bAutoSaveDocsEnabled"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\AutoSaveDocs"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bAutoSaveDocsEnabled"
     EXPLAIN "Specifies whether or not to automatically save documents."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bAutoFill"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bAutoFill"
     EXPLAIN "Locks the auto-fill functionality on or off and disables the corresponding user interface item."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "xdata"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FormsPrefs\cRequiredFieldHLColor"

     VALUENAME "xdata"
     EXPLAIN "The default color for required fields in forms."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bRuntimeHighlight"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FormsPrefs\cRuntimeBGIdleColor"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bRuntimeHighlight"
     EXPLAIN "Specifies whether to show a field border color on hover. "
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bAutoCompleteOnTab"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FormsPrefs"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bAutoCompleteOnTab"
     EXPLAIN "Specifies whether to auto complete form field entries on a tab key action."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bStoreNumericEntries"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FormsPrefs"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bStoreNumericEntries"
     EXPLAIN "Specifies whether to store user entered numeric values."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bFocusRect"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FormsPrefs"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bFocusRect"
     EXPLAIN "Specifies whether to surround a field with a rectangle when it has focus."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bInlineAutoComplete"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FormsPrefs"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bInlineAutoComplete"
     EXPLAIN "Specifies whether to auto complete a field based on remembered values when a user starts typing."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bRecordNewEntries"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FormsPrefs"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bRecordNewEntries"
     EXPLAIN "Specifies whether to remember form field entries for use with future auto-complete actions."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bRuntimeHighlight"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FormsPrefs"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bRuntimeHighlight"
     EXPLAIN "Specifies whether to highlight fields during data entry."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bUserAskedToEnableAutoComplete"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\FormsPrefs"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bUserAskedToEnableAutoComplete"
     EXPLAIN "Specifies whether the user is asked to enable auto complete at runtime."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

    POLICY "bAccessOverrideDocColors"
     KEYNAME "SOFTWARE\Policies\Adobe\Acrobat Reader\9.0\Originals"
     VALUEON NUMERIC 0
     VALUEOFF NUMERIC 1
     VALUENAME "bAccessOverrideDocColors"
     EXPLAIN "Specifies whether to replace black test or line art colors when iAccessColorPolicy is enabled and a replacement color has been specified."
     SUPPORTED "Adobe Reader 9.0"
    END POLICY

   END CATEGORY