Installing an application through Active Directory group policies

Kaspersky Security Center allows you to install Kaspersky applications on managed devices by using Active Directory group policies.

You can install applications by using Active Directory group policies only from installation packages that include Network Agent.

To install an application using Active Directory group policies:

1. Start configuring the application installation by using Remote installation wizard.
2. In the Defining remote installation task settings window of the Remote installation wizard, select the Assign package installation in Active Directory group policies option.
3. In the Select accounts to access devices window of the Remote installation wizard, select the Account required (Network Agent is not used) option.
4. Add the account with administrator privileges on the device where Kaspersky Security Center is installed or the account included in the Group Policy Creator Owners domain group.
5. Grant the permissions to the selected account:
   1. Go to Control Panel → Administrative Tools and open Group Policy Management.
   2. Click the node with the required domain.
   3. Click the Delegation section.
   4. In the Permission drop-down list, select Link GPOs.
   5. Click Add.
   6. In the Select User, Computer, or Group window that opens, select the necessary account.
   7. Click OK to close the Select User, Computer, or Group window.
   8. In the Groups and users list, select the account that you have just added, and then click Advanced → Advanced.
   9. In the Permission entries list, double-click the account that you have just added.
   10. Grant the following permissions:
       • Create Group objects
       • Delete Group objects
       • Create group Policy Container objects
       • Delete group Policy Container objects
   11. Click OK to save the changes.
6. Define other settings by following the instructions of the wizard.
7. Run the created remote installation task manually or wait for its scheduled start.

The following remote installation sequence starts:

1. When the task is running, the following objects are created in each domain that includes any client devices from the specified set:
   • Group policy object (GPO) under the name Kaspersky_AK{GUID}.
   • A security group that corresponds to the GPO. This security group includes client devices covered by the task. The content of the security group defines the scope of the GPO.
2. Kaspersky Security Center installs the selected Kaspersky applications on client devices directly from Share, that is, the shared network folder of the application. In the Kaspersky Security Center installation folder, an auxiliary subfolder will be created that contains the .msi file for the application to be installed.
3. When new devices are added to the task scope, they are added to the security group after the next start of the task. If the Run missed tasks option is selected in the task schedule, devices are added to the security group immediately.
4. When devices are deleted from the task scope, they are deleted from the security group after the next start of the task.
5. When a task is deleted from Active Directory, the GPO, the link to the GPO, and the corresponding security group are deleted, too.

If you want to apply another installation schema using Active Directory, you can configure the required settings manually. For example, this may be required in the following cases:

• When the anti-virus protection administrator does not have rights to make changes to the Active Directory of certain domains
• When the original installation package has to be stored on a separate network resource
• When it is necessary to link a GPO to specific Active Directory units

The following options for using an alternative installation scheme through Active Directory are available:

• If installation is to be performed directly from the Kaspersky Security Center shared folder, in the GPO properties you must specify the .msi file located in the exec subfolder of the installation package folder for the required application.
• If the installation package has to be located on another network resource, you must copy the whole exec folder content to it, because in addition to the file with .msi extension the folder contains configuration files generated when the package was created. To install the license key with the application, copy the key file to this folder as well.