Introduction
This is a guide to deploying the Quickpass Agent via Microsoft Group Policy for On Premise Active Directory Environments.
Prerequisites
- Customers created in the Quickpass Dashboard
- Group Policy Understanding
- Domain Admin rights to the Domain you are configuring the Group Policy for
- A copy of a PowerShell script that you know works for your customer.
- You can use the one from our KB as a guide and modify the appropriate values.
- Sample PowerShell Script - Your PowerShell script must have the InstallToken and AgentID values hard-coded PER customer
- Ensure that you have reviewed and understand the Install Token and Agent ID values: https://support.getquickpass.com/hc/en-us/articles/360061942274-Export-Customers-List-Status-and-Agent-ID-s
- Review the Scripted Agent Installation KB article to understand what each PowerShell parameter will do: https://support.getquickpass.com/hc/en-us/articles/4413576799639-Scripted-Agent-Installation
- This process describes how to use the "System" Account to Install as Administrator however any account can be used that has Administrator Privileges.
Implementation
Prepare the script
- Create a PowerShell script and test it on an AD Workstation or AD Member to ensure that your hardcoded values will work in your customer environment
- Copy that script to a File Share or use a GPO Startup Script Location
- If using a File Share make sure that the DOMAIN COMPUTERS security group has access to that Share and Folder
- You can use the SysVOL share which all Domain joined systems have access to. See the Group Policy section (Step 7) below for these instructions.
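Because the scheduled task configured below runs this script as SYSTEM with `-ExecutionPolicy Bypass`, anyone who can modify the file or its folder controls code on every targeted computer. The following check is an added example, not part of the Quickpass KB or tooling: it lists principals outside a trusted set that hold write-type rights on the script and its parent folder. The trusted SID list is an assumption to adjust for your domain, and `$ScriptPath` is whatever location you chose above.

```powershell
# Added example (not Quickpass code): audit write access to the deployment script.
# Usage: .\Test-ScriptAcl.ps1 -ScriptPath '\\servername\share\Scriptname.ps1'
param(
    [Parameter(Mandatory)] [string] $ScriptPath   # the path saved with "Copy as Path"
)

# Rights that let a principal change or replace the script. The two hex values are
# GENERIC_ALL and GENERIC_WRITE, which can appear unmapped on inherited ACEs.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# Assumption: only these principals should be able to write.
# SYSTEM, CREATOR OWNER, BUILTIN\Administrators, Domain Admins (-512), Enterprise Admins (-519)
$TrustedSidPattern = '^(S-1-5-18|S-1-3-0|S-1-5-32-544|S-1-5-21-[\d-]+-(512|519))$'

function Get-UntrustedWriter {
    param([Parameter(Mandatory)] [string] $Path)

    $acl   = Get-Acl -LiteralPath $Path
    # Ask for SIDs rather than names so the check is independent of OS language.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not ([int]$rule.FileSystemRights -band $WriteMask)) { continue }

        $sid = $rule.IdentityReference.Value
        if ($sid -match $TrustedSidPattern) { continue }

        # Resolve a friendly name for the report; fall back to the raw SID.
        try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{ Path = $Path; Principal = $name; Sid = $sid; Rights = $rule.FileSystemRights }
    }
}

# Check the file and its folder: write access to the folder allows replacing the file.
$findings = @($ScriptPath, (Split-Path -Parent $ScriptPath)) |
    ForEach-Object { Get-UntrustedWriter -Path $_ }

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Non-admin principals can modify a script that will run as SYSTEM.'
} else {
    'Only trusted principals hold write access to the script and its folder.'
}
```

Run it from an account that can read the ACLs on the share. DOMAIN COMPUTERS needs only read access to the script location.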
Adding a Task to Push to Domain Systems
- Log on to a Domain Controller as a Domain Admin
- Open the Group Policy Management Console for the Domain
- Decide what OU level you want this to be configured for
- You can use a Sub OU to run a test on a sample set of Computers (this is a Computer Based Group Policy) or you can set the Policy at the Root of the Domain and specify a Security Group Containing the computers you want to trial this for.
- Once your Proof of Concept has been confirmed to work, then you can add the Group Policy to other OUs or add additional computers to the Defined Security Group
- Right click the location you want to start configuring this Policy on and select "Create a GPO in this Domain and Link it Here"
- Name the GPO something appropriate for what you are trying to accomplish
- Right Click that new GPO that you created and Select Edit
- If you want to use the SysVol location to store the PowerShell script to execute, please follow these steps. If using a FileServer/Shared Folder please move on to Step 8
- Expand Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown)
- Double Click Startup
- Click Show Files
- Paste the tested script into this Folder
- Hold Shift and Right Click the Script you just pasted
- Select Copy as Path (save this for step 11.3) or paste into Notepad (or similar) to ensure you have the full script location
- DO NOT link the Script to the Policy, simply save the PowerShell File in that location.
- Expand Computer Configuration -> Preferences -> Control Panel Settings -> Scheduled Tasks
- Right Click on Scheduled Tasks and select New -> Immediate Task (At least Windows 7)
- Populate the following Values
- Name - Give the Task a Name (Required Value)
- Description - Describe what the Task Does (Optional)
- Security Options
- Click Change User or Group
- Type in System -> Click OK
- Select Run whether user is logged on or not
- Check the "Run with Highest Privileges" box
- Select the Actions Tab
- Click NEW
- Select Start a Program (usually this is the default)
- In the Program/Script box type - PowerShell.exe
- In the Add Arguments box type:
-ExecutionPolicy Bypass -command "& 'PATHTOSCRIPT\Scriptname.ps1'"
- Change PATHTOSCRIPT to the location of the PowerShell Script
- ex \\servername\share
- ex \\domain.local\SysVol\domain.local\Policies\{E0717B59-A69E-4915-A40E-424DA4537237}\Machine\Scripts\Startup\QPInst.ps1 (full path, including the script name)
- Change Scriptname.ps1 to the name of the script
- Click OK
- You can define Conditions if you want to on the Conditions Tab
- Click the Settings Tab
- Check the "Allow task to be run on Demand" box if you want the task to be able to be executed from the System's Scheduled Task Panel
- It is suggested to NOT check the "If the task fails, restart every" box.
- Check the "Stop the task if it runs longer than:" and set the interval to 1 hour
- You don't want the task running for that long
- Check the "If the running task does not end when requested, force it to stop"
- This will terminate the process if it is stuck.
- Set the "If the task is already running, then the following rule applies" section to "Do not start a new instance"
- Click the Common Tab
- Click the "Apply once and do not reapply" box
- This prevents the installation from repeatedly trying to install.
- Click OK
- Now you will want to test on a sample set of workstations or servers.
- Create a Security Group and add a few Computers to that Group (remember this Policy applies to the Computer not the user)
- In the Security Filtering section of the Policy you just created click ADD and add that newly created Group to the list.
- Once you have tested that this works on those machines, you can remove the Group entirely from the Security Filtering List or add additional machines to the Group.
Troubleshooting
- If there is an error in your syntax or if the task executes but doesn't install the agent, remove the task from the machine and run a GPUPDATE /Force on the system to force the task to execute again.