Assign MSI through GPO (Computer Configuration)

africates

Hi,

I have an issue with MSI installation through GPO. I thought this way is the easiest way to do this.. but it's not working for me. I have a .msi package which is on my domain controller \\dc\msi\package.msi (i even set up permissions for this folder as Everyone - Allow Full Controll). I have GPO created and linked to OU containing all desktops. MSI should be installed during boot and I'm able to see that windows is trying to install it... but when it is finished I can't see any new software... I checked event viewer and here is what i have there:

Event Type: Error
Event Source: Application Management
Event Category: None
Event ID: 102
Date: 02/03/2009
Time: 19:40:14
User: NT AUTHORITY\SYSTEM
Computer: DESKT123
Description:
The install of application Outlook Connector for MDaemon Plug-in from policy GPO - OutlookConnector - Install failed. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

and then:

Event Type: Information
Event Source: Application Management
Event Category: None
Event ID: 303
Date: 02/03/2009
Time: 19:40:14
User: NT AUTHORITY\SYSTEM
Computer: DESKT123
Description:
The removal of the assignment of application Outlook Connector for MDaemon Plug-in from policy GPO - OutlookConnector - Install succeeded.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


and then:

Event Type: Error
Event Source: Application Management
Event Category: None
Event ID: 108
Date: 02/03/2009
Time: 19:40:14
User: NT AUTHORITY\SYSTEM
Computer: DESKT123
Description:
Failed to apply changes to software installation settings. Software changes could not be applied. A previous log entry with details should exist. The error was : The installation source for this product is not available. Verify that the source exists and that you can access it.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1085
Date: 02/03/2009
Time: 19:40:14
User: NT AUTHORITY\SYSTEM
Computer: DESKT123
Description:
The Group Policy client-side extension Software Installation failed to execute. Please look for any errors reported earlier by that extension.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


I googled this.. and I found that user NT AUTHORITY\SYSTEM has no acces to the Network (???? this is strange because tis is the case to put .msi in network location and install them automatically??). Sorry for laming.. but dou you have any checked solutions/way to install .msi automatically then?

Thanks
aFri

feylya

Can you access the MSI from the client machines manually?

africates

Yes I can.. I have the permissions set up to Allow Full Controll for 'Everyone'

feylya

If you run Resultant Set Of Policies on the client machines, what does it say about the Installation GPO?

africates

I'll try it tommorow. Thanks.

africates

Hi,

This is what I got from 'Group Policy Results'....

Component Status
Component Name Status Last Process Time
Group Policy Infrastructure Success 3/3/2009 7:17:57 AM
EFS recovery Success (no data) 2/20/2009 10:13:13 AM
Registry Success 2/20/2009 10:13:11 AM
Security Success 2/20/2009 10:13:13 AM
Software Installation Pending 3/3/2009 7:17:57 AM
Software Installation did not complete policy processing because a system restart is required for the settings to be applied. Group Policy will attempt to apply the settings the next time the computer is restarted.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 3/3/2009 7:17:57 AM and 3/3/2009 7:17:57 AM.

M@21

africates wrote: »

Hi,

This is what I got from 'Group Policy Results'....

Component Status
Component Name Status Last Process Time
Group Policy Infrastructure Success 3/3/2009 7:17:57 AM
EFS recovery Success (no data) 2/20/2009 10:13:13 AM
Registry Success 2/20/2009 10:13:11 AM
Security Success 2/20/2009 10:13:13 AM
Software Installation Pending 3/3/2009 7:17:57 AM
Software Installation did not complete policy processing because a system restart is required for the settings to be applied. Group Policy will attempt to apply the settings the next time the computer is restarted.

Additional information may have been logged. Review the Policy Events tab in the console or the application event log for events between 3/3/2009 7:17:57 AM and 3/3/2009 7:17:57 AM.

Even after a reboot of the client system you are not seeing the program installed?
Is there any evidence of the program within the Programs folder on the system drive on the client machine?

africates

I've reboted the clients many times to check... During booting time I see that client is trying to install software.. but it is not installed for sure... no evidence.. and errors as pasted at the begining of this post. I also checked servicePrincipalName in ADSI on domain controller and everything seems to be fine..... then I login on client machine as an administrator and run console as NT AUTHORITY\SYSTEM user.. I tryied to access msi share on the server with no results (all permissions are set up - i.e read for Domain Computers and Authenticated Users). Still nothing...

M@21

What about obtaining another copy of the MSI file just to make sure it is not corrupt.
Or try publishing the MSI file instead of assigning and see if the process works from the add/remove programs?

Have you assigned other MSI files successfully?

Alzar

Africates,

You've probbaly configured this on your GPO already, but just in case, have you enabled the following in the GPO? It may help in testing if the problem is not at reading the msi from the DP but is actually at not having enough permissions to install the msi on startup:

Computer Config -> Admin Templates -> Windows Installer -> Always Install With elevated privileges -> enabled

Note: This setting appears both in the Computer Configuration and User Configuration folders. To make this setting effective, you must enable the setting in both folders.

From the help:
This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the desktop), assigned to the computer (installed automatically), or made available in Add or Remove Programs in Control Panel. This setting lets users install programs that require access to directories that the user might not have permission to view or change, including directories on highly restricted computers.
If you disable this setting or do not configure it, the system applies the current user's permissions when it installs programs that a system administrator does not distribute or offer.

Don't think it's the above

back to the drawing board.....

HTH
Al.

Alzar

africates wrote: »

I googled this.. and I found that user NT AUTHORITY\SYSTEM has no acces to the Network (???? this is strange because tis is the case to put .msi in network location and install them automatically??). Sorry for laming.. but dou you have any checked solutions/way to install .msi automatically then?

Thanks
aFri

Are you deploying the msi to all pc's? If so, I would setup a new group in AD containing all the pcs that you want to deploy the msi to. I wouldn't use Domain Computers for this as this group contains servers as far as I can remember.

Give this AD group at least read permissions on the share which has the msi.
Also give this AD group read & apply permissions on the GPO too.

Al.

africates

M@21:
I checked this with few msi packages... the same for all of them. I don't want to publish because I'd like to have them installed automatically during boot.

Alzar:
I'm deploying msi to one of OU in AD which contains most of computers in my location.. so GPO is assigned to this OU. Permissions are set up to Domains Computers so it means that my group has the permissions as well. Permissions are set up as you mentioned.

I'll try to set up everything again and I let you know...

Alzar

What if you were to follow this
"How to use Windows Installer and Group Policy to deploy the VPModule.msi in an Active Directory domain"
http://support.microsoft.com/kb/887405 step by step, just replacing VPModule.msi with your *.msi?
Just in case you are missing out on some small part?

here is a KB doc which may help you with the original errors that you posted:
"Packages Assigned to Computers with Group Policy Are Not Installed"
http://support.microsoft.com/kb/278472


Al.

africates

Hi Guys,

Thanks for everybody here.... I have this solved. I missed one thing before... I haven't set up security options for GPO itself to allow read for Domain Computers...

yes I know.. I'm f***** lammer..

Sorry & many thanks !!!

P

Alzar

Glad you got it sorted

Al.

wuitsung

Hi africates!! i think I am having the same problem as you has befroe. Can you tell me where did you change? Thank you..

africates

Hi,

On the folder properties I've set up share permission for Everyone to allow everything.. and in security I've added Authenticated Users to allow them to READ. Also in GPO Properties in Group Policy Editor I've added Authenticated Users to allow them to READ.

best luck
afri

wuitsung

Thank you for your reply. But by default, when you create a share folder, Users already have read permission. -> Users(Domain\users)
*But I noticed "Authenticated users" not here by default. By I think Users(Domain\users) should included "Authenticated users"....

Also in GPO, "Authenticated users" also already in "Delegation" and has read permission. I also checked "Security Filtering", "Authenticated users" also there.


In your AD, when you create a share folder or GPO, by default, none of them are there?

wuitsung

>>Also in GPO, "Authenticated users" also already in "Delegation" and has read permission. I also checked "Security Filtering", "Authenticated users" also there.

i used GPMC. I just removed it and checked again, I have "Authenticated users" there already in sercurity

africates

try to add 'read' permissions everywhere for Domain Computers.. this should solve it.

landog

africates wrote: »

Hi Guys,

I haven't set up security options for GPO itself to allow read for Domain Computers...

The "solution" does not make sense to me. If the Computers were not reading the GPO, why were there entries in the Appliction Event Viewer log that the installation failed? The computers would not try to install the app if they couldn't read the GPO...

africates

Hi! I've no option to simulate this situation now but you can do it if you want... and check it. If I good remember permissions were set up for 'Domain Computers' everywhere except GPO itself. Maybee thats why computers were trying to install packages... but with no luck ?!

jimbob_jones

Hey wuitsung,

I have used this method before and ran into similar problems, is it a Win2k3 Active Directory you are using ?

One thing to check is to make sure that the folder the MSI is in has the correct permissions, and is shared out correctly. Be default a share in w2k3 has everyone read permissions which may not be enough if the msi tries to create temp files in the location.

We created a folder under the SYSVOL to replicate to the other domain controllers on your domain and most machines should be able to read any folder under the sysvol.

If the permissions are correct it should roll-out during reboot.

A word of warning though, when I was testing this I deleted the test gpo that I was using and it caused the software to uninstall from the machine. I think that it is something to do with application self-healing.

Hope this helps

africates

Hi jimbob_jones. I think the problem is solved at all (see date of the post). I replied to landog only because he argued with the solution....
cheers