Deploy Active Directory

by | 25 March 2009

Deploying Sophos Anti-Virus through Active Directory group policy

You can use Active Directory in Windows 2000 and Windows 2003 to configure the group policy applied to a domain, so that Sophos Anti-Virus is automatically deployed to all Windows NT/2000/XP/2003 computers that join the domain. This does not require Enterprise Console to be installed on the network.

What to do

Create a batch file to run as a startup script. This checks all computers in the group when they start up, to see if Sophos Anti-Virus is installed. Any computers that are unprotected will have Sophos Anti-Virus installed.

If you have an existing default policy, you can edit it to incorporate the commands given here.

  1. On the computer where you want to create the startup script, open ‘Administrative Tools’.
  2. Open ‘Active Directory Users and Computers’.
  3. In the tree in the left-hand pane, right-click the domain and select ‘Properties’.
  4. Select the Group Policy tab.
  5. Make sure that ‘Default Domain Policy’ is selected and click ‘Edit’.
  6. In the Group Policy Object Editor in the left pane, browse to Computer Configuration|Windows Settings|Scripts.
  7. On the right-hand side, double-click ‘Startup’.
  8. In the ‘Startup Properties’ dialog box, click ‘Show Files’.
  9. In the window that opens, right-click and select New|Text Document.
  10. Rename this file to ‘InstallSAV.bat’.
  11. Right-click on ‘InstallSAV.bat’ and select ‘Edit’.
  12. Edit the file as follows:

    Note: Please read the instructions on editing the script.

    • To deploy to Windows 2000/XP/2003, enter the commands shown below.
    • To deploy to Windows NT, use the same commands, but wherever ESXP occurs, substitute ESNT.

    @ECHO OFF
    REM --- Check for an existing installation of Sophos AutoUpdate
    if exist "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
    REM --- Deploy to Windows 2000/XP/2003
    \\<SERVER>\InterChk\ESXP\Setup.exe -updp "\\<SERVER>\InterChk\ESXP" -user "USER" -pwd "PWD" -mng yes
    REM --- End of the script
    :_End

    Replace the placeholders with the relevant values as follows:

    • SERVER is the name of the server that the Central Installation Directory (CID) resides on. Typically this is the server on which Enterprise Console is installed.
    • USER is the username of a user that has rights to access the files in the CID.
    • PWD is the password of the above user.

    The command line parameters are used as follows:

    • The ‘-updp’ parameter defines the primary update location. This can also be an HTTP address.
    • The ‘-mng’ parameter defines whether the installation will be managed by an installation of Enterprise Console. If you do not have an Enterprise Console, this parameter should have the value ‘no’.

    For more information, see command line parameters used by setup.exe.

  13. Save the file and close the window you were working in.
  14. In the Startup Properties dialog box, click ‘Add’.
  15. In the ‘Add a Script’ dialog box, click ‘Browse’.
  16. Select the file ‘InstallSAV.bat’ and click ‘Open’.
  17. Click OK|Apply|OK.

If you do not want to store the username and password in plain text in this startup script, you can obfuscate them.


Instructions on editing the script

When editing these scripts, please note the following:

  • When you type a command into the editing window, the whole command must be on one line.
  • If you insert a line break, the command will not run.
  • You must disable word wrap.

Commands displayed in this article may appear to span more than one line; this is due to text wrapping in this window. The text editor you use in the above procedure is not constrained in this way, provided word wrap has been disabled. In every example given here, the text:

\\<SERVER>\InterChk\ESXP\Setup.exe -updp "\\<SERVER>\InterChk\ESXP" -user "USER" -pwd "PWD" -mng yes

must all be on one line.
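The two points above, the plain-text CID credentials and the command that must stay on one line, are both things an administrator can check for before a script is linked to the domain. Startup scripts added through Show Files live in the policy's folder in SYSVOL, which every domain member can read. The following audit script is an added example, not part of the original article or any Sophos tool; the server name, account and password in its sample are constructed values.

```python
import re

# Constructed sample in the format of the InstallSAV.bat shown above.
# FILESRV01, EXAMPLE\savinstall and Sample-Pa55 are made-up values.
SAMPLE_OK = r'''@ECHO OFF
REM --- Check for an existing installation of Sophos AutoUpdate
if exist "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
\\FILESRV01\InterChk\ESXP\Setup.exe -updp "\\FILESRV01\InterChk\ESXP" -user "EXAMPLE\savinstall" -pwd "Sample-Pa55" -mng yes
:_End
'''

# Same script after an editor with word wrap enabled broke the command in two.
SAMPLE_WRAPPED = SAMPLE_OK.replace(' -user ', '\n-user ')

TOKEN = re.compile(r'"[^"]*"|\S+')            # quoted value or bare word
PWD_RE = re.compile(r'(?i)(-pwd\s+)("[^"]*"|\S+)')  # the -pwd option and its value


def parse_setup_args(line):
    """Return {option: value} for the -xxx options on a Setup.exe command line."""
    tokens = [t.strip('"') for t in TOKEN.findall(line)]
    args = {}
    for i, tok in enumerate(tokens):
        if tok.startswith('-') and i + 1 < len(tokens):
            args[tok[1:].lower()] = tokens[i + 1]
    return args


def audit_startup_script(text):
    """Flag clear-text CID credentials and commands broken across lines."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.upper().startswith('REM') or line.startswith(':'):
            continue  # blank line, comment or label
        if line.startswith('-'):  # an option on its own line: the command will not run
            findings.append({'line': n, 'issue': 'wrapped_command',
                             'detail': 'parameter on its own line; the command will not run'})
        args = parse_setup_args(line)
        if 'pwd' in args:
            findings.append({'line': n, 'issue': 'plaintext_credential',
                             'user': args.get('user', ''), 'updp': args.get('updp', ''),
                             'detail': 'CID password stored in clear text in a SYSVOL-readable script'})
    return findings


def redact_passwords(text):
    """Mask every -pwd value so the script can be shared in a ticket or log."""
    return PWD_RE.sub(r'\1"********"', text)
```

Run `audit_startup_script` over each `.bat` under the policy's Machine\Scripts\Startup folder and review any finding before the GPO is linked.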


Sample startup scripts

The following startup scripts provide examples of how to run additional checks for existing installations of Sophos software and how to exclude certain computers from installing via this script.

Checking for an existing installation of Sophos Anti-Virus

@ECHO OFF
REM --- Check for an existing installation of Sophos Anti-Virus
if exist "C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe" goto _End
REM --- Deploy to Windows 2000/XP/2003
\\<SERVER>\InterChk\ESXP\Setup.exe -updp "\\<SERVER>\InterChk\ESXP" -user "USER" -pwd "PWD" -mng yes
REM --- End of the script
:_End

Excluding specific servers from installation by this script

@ECHO OFF
REM --- Check for an existing installation of AutoUpdate
if exist "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe" goto _End
REM --- Check for servers not to install to
if %COMPUTERNAME% == SERVER1 goto _End
if %COMPUTERNAME% == SERVER2 goto _End
REM --- Deploy to Windows 2000/XP/2003
\\<SERVER>\InterChk\ESXP\Setup.exe -updp "\\<SERVER>\InterChk\ESXP" -user "USER" -pwd "PWD" -mng yes
REM --- End of the script
:_End

If you need more information or guidance, then please contact technical support.