You can use VPModule.msi to install the Microsoft.Web.ValidatePathModule.dll HttpModule on computers that are running ASP.NET. This article describes the steps needed to use Group Policy to deploy this HttpModule, including: creating a distribution point, creating a Group Policy object for the Microsoft.Web.ValidatePathModule.dll deployments, and deploying the VPModule.msi
The VPModule.msi file installs an HttpModule that is named
Microsoft.Web.ValidatePathModule.dll on target computers. The installation also
updates the Machine.config file or files with a new HttpModule
entry. For additional information
about VPModule.msi, click the following article number to view the article in
the Microsoft Knowledge Base:
HTTP module to check for canonicalization issues with ASP.NET
With VPModule.msi, you can install
Microsoft.Web.ValidatePathModule.dll on computers that are running ASP.NET. If
you are managing computers in an Active Directory directory service
environment, you can use the Software Installation and Maintenance feature of
Group Policy to deploy the VPModule.msi on target computers. This article
describes how to use Windows Installer and Group Policy to install the
VPModule.msi on target computers in a Microsoft Windows 2000 Server or
Microsoft Windows Server 2003 Active Directory domain. This article assumes
that you already know which computers are running ASP.NET in your
Group Policy is the recommended method for managing the
deployment of software for customers who are not already using a corporate
update management solution such as Systems Management Server (SMS) 2003 or
Software Update Services (SUS). For more information about Group Policy, visit
the following Microsoft Web site:
Use Group Policy to assign the VPModule.msi
To use Group Policy to assign the VPModule.msi, follow these
- Create a distribution point.
- Create a Group Policy object (GPO) for VPModule.msi
- Deploy the VPModule.msi file from the shared distribution
folder as machine-assigned.
- If you want to, deploy the VPModule.msi to specific
Target computers, or computers that are to receive the
VPModule.msi, must be joined to the same domain as the server where the Windows
Installer (.msi) file resides. After you assign the package, Windows Installer
automatically installs the VPModule.msi the next time users who are connected
to the network start their computers. We recommend that you inspect the
properties of each computer to make sure that the VPModule.msi update has
completed on the destination computer. You might need to restart a computer
more than one time to complete the update.
Only a network
administrator or someone who is logged on to a local computer as an
administrator can remove the assigned software (that is, the VPModule.msi) from
the destination computer. The procedures identified in this section are
explained in detail in the following sections.
Create a distribution point
To assign software, you must create a distribution point on the
server. To create a distribution point, follow these steps:
- Log on to the server computer as an administrator.
- Create a shared network folder where you are going to put
the VPModule.msi file that you want to distribute. This folder is the
distribution point for the software package.
- Set permissions on the shared network folder to permit
access to the distribution package. Give access permissions to the following:
Optionally, you can configure Distributed File System (DFS)
for the distribution point. We recommended that you do this because it provides
you with more flexibility. It provides more flexibility by ensuring
uninterrupted availability of the distribution point in case you have to
replace the server. In addition, with DFS, it is easier to have distribution
points in multiple sites. For more information about DFS, visit the following
Microsoft Web site:
- Authenticated users
- Domain users
- Copy the VPModule.msi file to the distribution point.
Create a GPO for software deployment
You can create a GPO and link the GPO to any Active Directory
container that contains the target computers to which you want to deploy the
VPModule.msi. For example, an Active Directory container may be a site, a
domain, or an organizational unit (OU). The following instructions direct you
to use a domain as a container and then to use security filtering to target the
GPO to specific computers. For your environment, you might want to link the GPO
to a different container, such as an OU. You can link to any Active Directory
container that you want. Also, you can edit an existing GPO instead of creating
a new GPO just for deploying the VPModule.msi. However, we do not recommend
that you edit the Default Domain Policy or the Default Domain Controllers
Create a GPO for deployment of the VPModule.msi
Use one of the following methods to create a GPO for deployment
of the VPModule.msi.
If you have Group Policy Management Console
(GPMC) installed, follow these steps:
- On an administrative workstation, open the Group Policy
Management Console (GPMC).
- In the console tree, right-click the domain name in the
forest in which you want to create and link a Group Policy object (GPO).
- Click Create and Link a GPO Here.
- In the New GPO dialog box, specify a name
for the new GPO, and then click OK.
If you do not have Group Policy Management Console (GPMC)
installed, follow these steps:
- On a domain controller or administrative workstation, open
Active Directory Users and Computers.
- Locate the OU that contains the computers where you want to
deploy the VPModule.msi.
- Right-click that OU, and then click
- Click the Group Policy tab, and then click
- In the New GPO dialog box, specify a name
for the new GPO, and then click OK.
Edit a GPO for software deployment
After you create a distribution point and create a GPO for
deployment of the VPModule.msi, you must modify the GPO by using the Software
Installation and Maintenance feature of Group Policy. To deploy the
VPModule.msi, you must use the Computer Configuration node in the Group Policy
To edit a GPO for software deployment, follow these
- Right-click the new GPO, and then click
- In Group Policy Object Editor, click Computer
Configuration, click Software Settings, and then
click Software Installation.
- On the Action menu, point to
New, and then click Package.
- In the Open dialog box, type the full
Universal Naming Convention (UNC) path of the shared installer package that you
want to distribute in the File name box. Type this path in the
\\ServerName\SharedFolder\VPModule.msi or \\ServerIP\SharedFolder\VPModule.msiMake sure that you use the UNC path of the shared installer
- Select the Windows Installer package, and then click
- In the Deploy Software dialog box, click
Assigned, and then click OK. The shared
installer package that you selected appears in the right pane of Group Policy
are placeholders for the server name or IP
address of the computer where the shared folder is located.
is a placeholder for the shared folder
that is on the server computer.
Deploy software to specific security groups
You can use security filtering in Group Policy to deploy the
VPModule.msi only to computers that are members of a specific security group.
For example, if you create a GPO at the domain level by using the procedure
that this article describes, you can use security filtering to target the GPO
only to the computers that you want. First, you must create the security group
and add target computers as members.
To create a security group,
follow these steps:
- Right-click the domain or Active Directory container that
you want to target, click New, and then click
- Name the security group.
- Click the Members tab, and then click
- Type the computer names, and then click
Target the VPModule.msi by using security filtering
- In GPMC, double-click Group Policy
- Click the GPO that you want to apply security filtering to.
- In the results pane, click Add on the
- In the Enter the object name to select
box, type the name of the group, the user, or the computer that you want to add
to the security filter, and then click OK.
- If Authenticated Users appears in the
Security Filtering section of the Scope tab,
select this group, and then click Remove. This makes sure that
only members of the group or groups that you added can receive the settings in
The settings in a GPO apply only to the following users and
- Users and computers that are contained in the domain, the
OU, or the OUs where the GPO is linked.
- Users and computers that are specified in Security
Filtering, or that are members of a group that is specified in Security
You can specify multiple groups, users, or computers in the
security filter for a single GPO.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
How to use Systems Management Server 2003 to deploy the ValidatePath module
Programmatically check for canonicalization issues with ASP.NET
You may receive error messages from Reporting Services after you install the ASP.NET ValidatePath Module
How to use the ASP.NET ValidatePath Module Scanner (VPModuleScanner.js)