Alternative Office 2007 Deployment Methods

I don’t recommend using GPSI to deploy Office 2007, but there are several other deployment methods that you can use. I’ve already discussed using the Office2007_Deploy.vbs script and Group Policy startup scripts to deploy Office 2007 in “Automating Office 2007 Deployment,” InstantDoc ID 97016. Now, let's take a look at how you can deploy Office 2007 by creating a scheduled task or using either the PsExec or CPAU free tool.

Scheduled Task
You can deploy Office Setup by creating a scheduled task that executes the Office2007_Deploy.vbs script. The schtasks.exe command

schtasks.exe /create /s desktop101 /tn "Deploy Office" /tr "cscript.exe
\\\software\office\sdp\INTELLIEM_Setup\Office2007_Deploy.vbs" /ru SYSTEM /sc ONCE
/ST 12:14 \[/v1 \]

lets you do just that. (Note that this command and some of the other commands in this article wrap to multiple lines because of space constraints; however, these commands should actually be typed on one line.) The schtasks.exe command creates a task called Deploy Office on the Desktop101 computer (note that the task name can be any name you want). The task executes cscript.exe with the path to the script in the CompanyName _Setup folder (INTELLIEM_Setup in our example). If the path to the script includes a space, see the JSI FAQ ( for information about how to include quotes in your task. The task will run one time as the System account at 12:14 p.m. Note that you’ll need to change the time so that it's appropriate for your organization's requirements.

Scheduled tasks work quite differently on Windows Vista than on previous Windows versions. If you're running schtasks.exe on a Vista machine to deploy the script to a Windows XP machine, you need to add the /v1 switch. Note that you can't run schtasks.exe on an XP (or Windows Server 2003) system to create a task on a remote Vista machine.

When you’re ready to run the schtasks.exe command, use the PsExec utility (described in more detail shortly) to do so, as follows:

psexec \\desktop101 schtasks.exe /create

This command tells the System account to run the script at the scheduled time, just as it would if you used Group Policy startup scripts to launch the script. With just a little work, you can enumerate the members of the CCM_Office 2007 Deploy group and execute schtasks.exe on those systems.

PsExec is now a recognized—but not “supported”—Microsoft tool (from the company formerly known as Sysinternals). PsExec lets you execute processes on remote systems without having to install client software. It's a favorite of system administrators and can be a boon to the deployment of Office 2007. You can download PsExec at the PsTools site. ( To use PsExec to deploy Office 2007, run the command

psexec \\<computername> "<path to Office 2007 Network Installation Point>\setup.exe"

as well as any setup.exe switches you require. PsExec can be run with the -f filename switch to indicate a plaintext file of computer names, one per line. The command will be run against each system in the file you specify with the -f switch.

By default, PsExec will run with the credentials of the user executing the command. Therefore, if you're the administrator of the remote computer, PsExec will run Office setup.exe successfully. Of course, that’s assuming the remote system has been started and is accessible via the network. You can also use PsExec to execute the Office2007_Deploy.vbs script by running the command

psexec \\computername cscript -s

The -s switch runs the script as the local system, which enables the script to run with sufficient credentials and to make the change to the Members attribute of our groups. If you try to run this script under your credentials, Office will be installed but the change to the group memberships will fail because the computer can't “pass on” your credentials to Active Directory (AD).

The final deployment option enables non-administrative users to install Office 2007 by running Office’s setup.exe command with elevated credentials. You need to encrypt administrative credentials as well as the command itself. To do so, use CPAU, which is a free utility created by Joe Richards and available at ( There are tricks to getting CPAU to work; here are the steps that worked for me.

First, run the following command to create an encoded Runas–like package that will execute the Office2007_Deploy.vbs script:

cpau -u < domain\username> -p < password> -ex "cscript.exe
\\\software\office\INTELLIEM_Setup\Office2007_Deploy.vbs" -enc -file \\\software\office\INTELLIEM_Setup\Office2007_Deploy_CPAU -lwp

Then, create a batch file that will run the package. I named the batch file Office2007_Deploy.bat and placed it in my INTELLIEM_Setup folder. The batch file has only one line, which is

"\\\software\office\INTELLIEM_Setup\cpau.exe" -dec -file
"\\\software\office\INTELLIEM_Setup\Office2007_Deploy_CPAU" -lwp

Finally, place CPAU.exe in the same location as the batch file. Users can now double-click the batch file, which decrypts the CPAU package and launches the script with the specified credentials.

With CPAU, as well as with similar Runas alternatives, you can send the command to a user via email, execute the command as a logon script, or put the command in a shared folder for the user to double-click. CPAU encodes the credentials you provide, which must belong to the local Administrators group. There's an obvious (although unlikely) security risk that a very determined user could figure out the credentials. To address this problem, I recommend creating a user account such as TEMP_Office 2007 Deploy. Then create a Group Policy Object (GPO) that uses the Restricted Groups setting to specify that the user is a member of the local Administrators group. Filter the GPO using the CCM_Office 2007 Deploy group. Doing so will result in all machines to which Office should be installed adding the TEMP_Office 2007 Deploy user account to their local Administrators group. Use that account’s username and password in your CPAU package. When a non-administrative user runs the script, the script removes the computer from the CCM_Office 2007 Deploy group (note that the TEMP_Office2007 Deploy user account must have Allow Write Members permission), so that the GPO no longer applies. The next time the security settings are refreshed (or at the next restart at the latest), the TEMP_Office2007 Deploy account will be removed from the local Administrators group. When Office 2007 deployment is complete, you can disable or delete the TEMP_Office 2007 Deploy user account.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.