How to install an update to all the machines via group policy

group-policy, windows-server-2008

I'm just learning to use group policy to administer my network.
I found the handy feature of mapping drives, but it won't work on XP without an update.
I downloaded the file, but is there a way to have it install on logon to everyone's machine that does not already have it?

Best Answer

It sounds like you're saying that you want to use Group Policy Preferences (GPP). You've found that your Windows XP clients will ignore the settings w/o having the Group Policy Preference Client Side Extensions for Windows XP (KB943729) update loaded.

You can "map" "drives" other ways, but GPP is rather nice, so having the update loaded to clients is probably a good thing.

Assuming your users don't have "Administrator" rights (they really shouldn't, and if they do you're doing it wrong), a logon script isn't going to help you. This is a job for something like a computer startup script.

The easiest way to get this on all your machines would be to stick the update in a central location on a server computer, and assign a computer startup script to all the clients that installs the update. You could do this with something like:

Here's a quick-and-dirty walkthru:

  • Download the "Windows-en-US-KB943729.exe" update and place it into the \\domain-controller-name\netlogon folder.

  • Create a new group policy object linked to an OU above the client computers. If they're in the default "Computers" container at the root of the directory, create this new GPO at the root of the directory. Name the GPO something like "Install KB943729 Update to Windows XP Clients" (something you'll remember in 6 months).

  • In that new GPO, go to "Computer Configuration", "Windows Settings", and "Scripts". Head into the "Startup Scripts" dialog.

  • Click the "Show Files..." button in the "Startup Scripts" dialog. Create a new text file there, and rename it to something like "Install_KB943729.cmd" (be sure it loses the ".TXT" extension). Right-click and "Edit" that file in Notepad.

  • Paste the script below these steps into that file and save it. Be sure to modify the "SET DC_NAME=" line of the script to indicate your domain controller computer's name after the "=" (no "\" before name, etc).

  • Return to the "Startup Scripts" dialog (closing the folder opened by "Show Files...") and click "Add...". Click "Browse..." and choose the "Install_KB943729.cmd" you created. (Verify again that the ".txt" extension has been changed, too.)

  • Close the "Startup Scripts" dialog. Go into "Administrative Templates" under "Computer Configuration". Dig down to "System" and "Scripts". Locate the policy setting in the right pane "Run startup scripts visible" and set the setting to "Enabled". This will let you see the script run in a window during boot on the clients. Once you know the script is running okay you can turn this setting off.

  • Reboot a client and see the script run during boot. Assuming all your DNS settings are good, etc, the client will have the GPO you created applied and run the script.

  • When all the clients are updated, either delete the GPO and the .EXE in the "Netlogon" folder, or unlink the GPO and keep it around should you need it in the future. (Running a startup script on every computer needlessly on every boot will add some minor delay to boot. There are ways with group membership that you could make this more elegant and only execute once, but I'm going for quick-and-dirty here.)

The script to paste:

@echo off
SET DC_NAME=domain-controller-computer-name-here

rem Check to see this is Windows XP
ver | find "Windows XP" >NUL
if errorlevel 1 goto end

rem Check to see if the update is already installed
reg QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP20\KB943729" >NUL 2>NUL
if errorlevel 1 goto install_update
goto end

:install_update
\\%DC_NAME%\netlogon\Windows-en-US-KB943729.exe /passive /norestart

:end

It would be better if you installed Windows Server Update Services and pushed out the update that way, since it would also give you centralized deployment of Windows / Microsoft application software updates in the future, but that's a bigger can of worms. Have a look at it, though. You want to be using WSUS.

I'm happy to see you're looking into using Group Policy. Many Windows admins have no idea about it. I've been in some very large companies (one a Fortune 1000 company) that didn't use Group Policy at all (in 2008, no less). If you're not already familiar with how policy application order works, or how to do filtering by security groups or WMI filters, you should do some reading up and trial exercises, because you'll like those features and find them handy. (For bonus points, learn about Loopback Group Policy Processing for added fun and functionality.)
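Added example, not the answer's own script: the same startup script extended with an installer-present check, exit-code handling and a per-computer log written to a share, so an admin can verify from one place which clients actually installed the update. The share name "UpdateLogs" on the DC, and the assumption that computer accounts are allowed to write to it, are not from the answer above.

```batch
@echo off
setlocal
rem Added example (not the original answer's script). Assumes a share named
rem "UpdateLogs" on the DC that Domain Computers can write to (assumption).
SET DC_NAME=domain-controller-computer-name-here
SET UPDATE_EXE=\\%DC_NAME%\netlogon\Windows-en-US-KB943729.exe
SET LOGFILE=\\%DC_NAME%\UpdateLogs\%COMPUTERNAME%.log

rem Only Windows XP needs this update; other versions are skipped silently
ver | find "Windows XP" >NUL
if errorlevel 1 goto end

rem Skip if the update's registry key is already present (errorlevel 0 = found)
reg QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP20\KB943729" >NUL 2>NUL
if not errorlevel 1 (
    echo %DATE% %TIME% already installed >> "%LOGFILE%"
    goto end
)

rem Refuse to run if the installer is missing from the netlogon share
if not exist "%UPDATE_EXE%" (
    echo %DATE% %TIME% ERROR installer not found at %UPDATE_EXE% >> "%LOGFILE%"
    goto end
)

"%UPDATE_EXE%" /passive /norestart
SET RC=%ERRORLEVEL%

rem Exit code 0 = installed; 3010 = installed, reboot required; anything else = failure
if "%RC%"=="0" (
    echo %DATE% %TIME% installed OK >> "%LOGFILE%"
) else if "%RC%"=="3010" (
    echo %DATE% %TIME% installed, reboot required >> "%LOGFILE%"
) else (
    echo %DATE% %TIME% FAILED with exit code %RC% >> "%LOGFILE%"
)

:end
endlocal
```

After a reboot cycle, the UpdateLogs share holds one file per client; any file reporting FAILED or a missing installer points at the machines that still need attention before the GPO is removed.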