Sign in with
Sign up | Sign in
Your question

Deploying an msi application via group policy

Last response: in Windows 2000/NT
Share
Anonymous
June 20, 2005 9:56:01 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi
I am trying to deploy an msi application via group policy to a user group,
but it doesnt seem to be working. The users dont have any rights to the local
machine, do they need to be administrators in order for the application to
install?
any help would be great.

ta
Anonymous
June 21, 2005 3:39:38 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Mikal,

You do not deploy applications via GPO to groups. This is your first
problem! You deploy applications either to user account objects or to
computer account objects which directly reside in the OU ( assuming that we
are talking about this level; it is possible that we are talking about
another level...possibly the Site level? ) to which the GPO has been linked.

You have to make sure that the user account objects ( or computer account
objects, but since you are trying to deploy this to user account
objects.... ) have both the Share and NTFS permissions to the shared folder
in which the .msi file is located.

You have to make sure that you tell Active Directory where the .msi file is
via the UNC method ( \\servername\sharename\file.msi ) and not via a mapped
network drive ( n:\someserver\somefolder\file.msi ).

Now, in reference to my first point: it is possible that you are using
Security Group Filtering. This is - on the Security tab of the GPO itself -
where you would remove the group 'Authenticated Users' from the security and
add your own security group. If you have done this you need to make sure
that this group has both the READ and APPLY GROUP POLICY rights.

What troubleshooting have you done? What would the OS on the clients be?

Also, you need to make sure that your clients are pointing O*N*L*Y to your
internal DNS Servers ( and not to any external DNS Servers - such as your
ISP's ) in their TCP/IP configuration settings.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Mikal" <Mikal@discussions.microsoft.com> wrote in message
news:3EB7FCEF-CC35-44E1-8C46-71B6FF9AF1E5@microsoft.com...
> Hi
> I am trying to deploy an msi application via group policy to a user group,
> but it doesnt seem to be working. The users dont have any rights to the
> local
> machine, do they need to be administrators in order for the application to
> install?
> any help would be great.
>
> ta
Anonymous
June 21, 2005 3:39:39 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Cary thanks for your reply
I should have been a bit more clearer - i am appling the group policy to OU
containers in Active Directory - im am pushing out a logon script to users to
install the msi, the OS is win2k - I am using a login script to push the msi
on win2k machines as if I use group policy it just sits in add/remove
programs

as trouble shooting I have made sure there anre any local policies affecting
installation and have made sure that the msi works (which it does under admin
account) I have run the script (batch file) from the command prompt and that
works fine

I also tried assigning the policy to a machine but this failed too, i'm
assuming it failed as it was unable to get a network connection. hence find
the path of the msi



"Cary Shultz [A.D. MVP]" wrote:

> Mikal,
>
> You do not deploy applications via GPO to groups. This is your first
> problem! You deploy applications either to user account objects or to
> computer account objects which directly reside in the OU ( assuming that we
> are talking about this level; it is possible that we are talking about
> another level...possibly the Site level? ) to which the GPO has been linked.
>
> You have to make sure that the user account objects ( or computer account
> objects, but since you are trying to deploy this to user account
> objects.... ) have both the Share and NTFS permissions to the shared folder
> in which the .msi file is located.
>
> You have to make sure that you tell Active Directory where the .msi file is
> via the UNC method ( \\servername\sharename\file.msi ) and not via a mapped
> network drive ( n:\someserver\somefolder\file.msi ).
>
> Now, in reference to my first point: it is possible that you are using
> Security Group Filtering. This is - on the Security tab of the GPO itself -
> where you would remove the group 'Authenticated Users' from the security and
> add your own security group. If you have done this you need to make sure
> that this group has both the READ and APPLY GROUP POLICY rights.
>
> What troubleshooting have you done? What would the OS on the clients be?
>
> Also, you need to make sure that your clients are pointing O*N*L*Y to your
> internal DNS Servers ( and not to any external DNS Servers - such as your
> ISP's ) in their TCP/IP configuration settings.
>
> --
> Cary W. Shultz
> Roanoke, VA 24012
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> news:3EB7FCEF-CC35-44E1-8C46-71B6FF9AF1E5@microsoft.com...
> > Hi
> > I am trying to deploy an msi application via group policy to a user group,
> > but it doesnt seem to be working. The users dont have any rights to the
> > local
> > machine, do they need to be administrators in order for the application to
> > install?
> > any help would be great.
> >
> > ta
>
>
>
Related resources
Anonymous
June 21, 2005 2:14:48 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

If you publish the MSI, it will just sit in add/remove programs waiting for
the user to install it. You need to assign it. You can, however, only
assign MSIs to computer accounts, not to user accounts. Therefore, if you
wish for the program to install itself on startup, you'll need to move the
GPO to an OU that contains the computer accounts, not the user accounts.

--
Hope I've helped some!
Adam Drayer

"Mikal" <Mikal@discussions.microsoft.com> wrote in message
news:3CFF4953-FFAC-4349-8C5C-5A8E3322279A@microsoft.com...
> Hi Cary thanks for your reply
> I should have been a bit more clearer - i am appling the group policy to
OU
> containers in Active Directory - im am pushing out a logon script to users
to
> install the msi, the OS is win2k - I am using a login script to push the
msi
> on win2k machines as if I use group policy it just sits in add/remove
> programs
>
> as trouble shooting I have made sure there anre any local policies
affecting
> installation and have made sure that the msi works (which it does under
admin
> account) I have run the script (batch file) from the command prompt and
that
> works fine
>
> I also tried assigning the policy to a machine but this failed too, i'm
> assuming it failed as it was unable to get a network connection. hence
find
> the path of the msi
>
>
>
> "Cary Shultz [A.D. MVP]" wrote:
>
> > Mikal,
> >
> > You do not deploy applications via GPO to groups. This is your first
> > problem! You deploy applications either to user account objects or to
> > computer account objects which directly reside in the OU ( assuming that
we
> > are talking about this level; it is possible that we are talking about
> > another level...possibly the Site level? ) to which the GPO has been
linked.
> >
> > You have to make sure that the user account objects ( or computer
account
> > objects, but since you are trying to deploy this to user account
> > objects.... ) have both the Share and NTFS permissions to the shared
folder
> > in which the .msi file is located.
> >
> > You have to make sure that you tell Active Directory where the .msi file
is
> > via the UNC method ( \\servername\sharename\file.msi ) and not via a
mapped
> > network drive ( n:\someserver\somefolder\file.msi ).
> >
> > Now, in reference to my first point: it is possible that you are using
> > Security Group Filtering. This is - on the Security tab of the GPO
itself -
> > where you would remove the group 'Authenticated Users' from the security
and
> > add your own security group. If you have done this you need to make
sure
> > that this group has both the READ and APPLY GROUP POLICY rights.
> >
> > What troubleshooting have you done? What would the OS on the clients
be?
> >
> > Also, you need to make sure that your clients are pointing O*N*L*Y to
your
> > internal DNS Servers ( and not to any external DNS Servers - such as
your
> > ISP's ) in their TCP/IP configuration settings.
> >
> > --
> > Cary W. Shultz
> > Roanoke, VA 24012
> > Microsoft Active Directory MVP
> >
> > http://www.activedirectory-win2000.com
> > http://www.grouppolicy-win2000.com
> >
> >
> >
> > "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> > news:3EB7FCEF-CC35-44E1-8C46-71B6FF9AF1E5@microsoft.com...
> > > Hi
> > > I am trying to deploy an msi application via group policy to a user
group,
> > > but it doesnt seem to be working. The users dont have any rights to
the
> > > local
> > > machine, do they need to be administrators in order for the
application to
> > > install?
> > > any help would be great.
> > >
> > > ta
> >
> >
> >
Anonymous
June 21, 2005 11:10:44 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Adam,

I would like to respectfully disagree with what you have written....well, in
part.

You can indeed publish and assign GPOs to user account objects while you can
O*N*L*Y assign GPOs to computer account objects. When you assign the
application via GPO to the user account side then it will be automagically
installed ( assuming that everything is in place ) when the user logs on.
When you assign the application via GPO to the computer account side then it
will be automagically installed when the computer reboots. However, when
you publish the application via GPO to the user side ( NOTE: this is not
available to the computer side ) then the application will appear in the
Add/Remove Software and will only be installed once the user goes there and
selects it.

So, the original poster can keep the software GPO on the user side and
either assign it or publish it. Were the original poster to move it to the
computer side then he would have but one choice - to assign it.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Adam Drayer" <spam@pragerNOSPAMfenton.com> wrote in message
news:%23pKoWumdFHA.3040@TK2MSFTNGP14.phx.gbl...
> If you publish the MSI, it will just sit in add/remove programs waiting
> for
> the user to install it. You need to assign it. You can, however, only
> assign MSIs to computer accounts, not to user accounts. Therefore, if you
> wish for the program to install itself on startup, you'll need to move the
> GPO to an OU that contains the computer accounts, not the user accounts.
>
> --
> Hope I've helped some!
> Adam Drayer
>
> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> news:3CFF4953-FFAC-4349-8C5C-5A8E3322279A@microsoft.com...
>> Hi Cary thanks for your reply
>> I should have been a bit more clearer - i am appling the group policy to
> OU
>> containers in Active Directory - im am pushing out a logon script to
>> users
> to
>> install the msi, the OS is win2k - I am using a login script to push the
> msi
>> on win2k machines as if I use group policy it just sits in add/remove
>> programs
>>
>> as trouble shooting I have made sure there anre any local policies
> affecting
>> installation and have made sure that the msi works (which it does under
> admin
>> account) I have run the script (batch file) from the command prompt and
> that
>> works fine
>>
>> I also tried assigning the policy to a machine but this failed too, i'm
>> assuming it failed as it was unable to get a network connection. hence
> find
>> the path of the msi
>>
>>
>>
>> "Cary Shultz [A.D. MVP]" wrote:
>>
>> > Mikal,
>> >
>> > You do not deploy applications via GPO to groups. This is your first
>> > problem! You deploy applications either to user account objects or to
>> > computer account objects which directly reside in the OU ( assuming
>> > that
> we
>> > are talking about this level; it is possible that we are talking about
>> > another level...possibly the Site level? ) to which the GPO has been
> linked.
>> >
>> > You have to make sure that the user account objects ( or computer
> account
>> > objects, but since you are trying to deploy this to user account
>> > objects.... ) have both the Share and NTFS permissions to the shared
> folder
>> > in which the .msi file is located.
>> >
>> > You have to make sure that you tell Active Directory where the .msi
>> > file
> is
>> > via the UNC method ( \\servername\sharename\file.msi ) and not via a
> mapped
>> > network drive ( n:\someserver\somefolder\file.msi ).
>> >
>> > Now, in reference to my first point: it is possible that you are using
>> > Security Group Filtering. This is - on the Security tab of the GPO
> itself -
>> > where you would remove the group 'Authenticated Users' from the
>> > security
> and
>> > add your own security group. If you have done this you need to make
> sure
>> > that this group has both the READ and APPLY GROUP POLICY rights.
>> >
>> > What troubleshooting have you done? What would the OS on the clients
> be?
>> >
>> > Also, you need to make sure that your clients are pointing O*N*L*Y to
> your
>> > internal DNS Servers ( and not to any external DNS Servers - such as
> your
>> > ISP's ) in their TCP/IP configuration settings.
>> >
>> > --
>> > Cary W. Shultz
>> > Roanoke, VA 24012
>> > Microsoft Active Directory MVP
>> >
>> > http://www.activedirectory-win2000.com
>> > http://www.grouppolicy-win2000.com
>> >
>> >
>> >
>> > "Mikal" <Mikal@discussions.microsoft.com> wrote in message
>> > news:3EB7FCEF-CC35-44E1-8C46-71B6FF9AF1E5@microsoft.com...
>> > > Hi
>> > > I am trying to deploy an msi application via group policy to a user
> group,
>> > > but it doesnt seem to be working. The users dont have any rights to
> the
>> > > local
>> > > machine, do they need to be administrators in order for the
> application to
>> > > install?
>> > > any help would be great.
>> > >
>> > > ta
>> >
>> >
>> >
>
>
Anonymous
June 21, 2005 11:12:46 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Mikal,

I am sorry but I am still confused with what it is exactly that you have
tried.

What is the application that you are trying to deploy via Group Policy?
Does it come with a 'native' .msi file? or are you creating a .msi file (
there are several ways )?

Not sure that pushing it out via logon script is the correct way! But that
all depends on what you are trying to install.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Mikal" <Mikal@discussions.microsoft.com> wrote in message
news:3CFF4953-FFAC-4349-8C5C-5A8E3322279A@microsoft.com...
> Hi Cary thanks for your reply
> I should have been a bit more clearer - i am appling the group policy to
> OU
> containers in Active Directory - im am pushing out a logon script to users
> to
> install the msi, the OS is win2k - I am using a login script to push the
> msi
> on win2k machines as if I use group policy it just sits in add/remove
> programs
>
> as trouble shooting I have made sure there anre any local policies
> affecting
> installation and have made sure that the msi works (which it does under
> admin
> account) I have run the script (batch file) from the command prompt and
> that
> works fine
>
> I also tried assigning the policy to a machine but this failed too, i'm
> assuming it failed as it was unable to get a network connection. hence
> find
> the path of the msi
>
>
>
> "Cary Shultz [A.D. MVP]" wrote:
>
>> Mikal,
>>
>> You do not deploy applications via GPO to groups. This is your first
>> problem! You deploy applications either to user account objects or to
>> computer account objects which directly reside in the OU ( assuming that
>> we
>> are talking about this level; it is possible that we are talking about
>> another level...possibly the Site level? ) to which the GPO has been
>> linked.
>>
>> You have to make sure that the user account objects ( or computer account
>> objects, but since you are trying to deploy this to user account
>> objects.... ) have both the Share and NTFS permissions to the shared
>> folder
>> in which the .msi file is located.
>>
>> You have to make sure that you tell Active Directory where the .msi file
>> is
>> via the UNC method ( \\servername\sharename\file.msi ) and not via a
>> mapped
>> network drive ( n:\someserver\somefolder\file.msi ).
>>
>> Now, in reference to my first point: it is possible that you are using
>> Security Group Filtering. This is - on the Security tab of the GPO
>> itself -
>> where you would remove the group 'Authenticated Users' from the security
>> and
>> add your own security group. If you have done this you need to make sure
>> that this group has both the READ and APPLY GROUP POLICY rights.
>>
>> What troubleshooting have you done? What would the OS on the clients be?
>>
>> Also, you need to make sure that your clients are pointing O*N*L*Y to
>> your
>> internal DNS Servers ( and not to any external DNS Servers - such as your
>> ISP's ) in their TCP/IP configuration settings.
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24012
>> Microsoft Active Directory MVP
>>
>> http://www.activedirectory-win2000.com
>> http://www.grouppolicy-win2000.com
>>
>>
>>
>> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
>> news:3EB7FCEF-CC35-44E1-8C46-71B6FF9AF1E5@microsoft.com...
>> > Hi
>> > I am trying to deploy an msi application via group policy to a user
>> > group,
>> > but it doesnt seem to be working. The users dont have any rights to the
>> > local
>> > machine, do they need to be administrators in order for the application
>> > to
>> > install?
>> > any help would be great.
>> >
>> > ta
>>
>>
>>
Anonymous
June 21, 2005 11:12:47 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi Cary
thanks for your help on this
What I am trying to do is to deploy trend office scan to various PC's on an
Active Directory network. the PC's are running both windows XP and windows
2000. Trend office scan has a tool for creating a MSI - I have used this tool
and have run the MSI on a local PC logged in as administrator and it works.
When I go to assign the MSI to a computer through group policy it doesnt
work - I'm assiming its because the computer is unable to find the path which
in my case is eg \\server\data\file.msi when i assign it to a user i get a
message saying that the user doesnt have rights to install the application so
I'm assuming that the user needs to be an administrator
so i guess what I want to know is if u assign a policy to deploy a msi to a
user should it deploy regardless of user rights on the local machine?
(regardless of OS win2k or XP) cause at the moment it doesnt seem to be
working

"Cary Shultz [A.D. MVP]" wrote:

> Mikal,
>
> I am sorry but I am still confused with what it is exactly that you have
> tried.
>
> What is the application that you are trying to deploy via Group Policy?
> Does it come with a 'native' .msi file? or are you creating a .msi file (
> there are several ways )?
>
> Not sure that pushing it out via logon script is the correct way! But that
> all depends on what you are trying to install.
>
> --
> Cary W. Shultz
> Roanoke, VA 24012
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> news:3CFF4953-FFAC-4349-8C5C-5A8E3322279A@microsoft.com...
> > Hi Cary thanks for your reply
> > I should have been a bit more clearer - i am appling the group policy to
> > OU
> > containers in Active Directory - im am pushing out a logon script to users
> > to
> > install the msi, the OS is win2k - I am using a login script to push the
> > msi
> > on win2k machines as if I use group policy it just sits in add/remove
> > programs
> >
> > as trouble shooting I have made sure there anre any local policies
> > affecting
> > installation and have made sure that the msi works (which it does under
> > admin
> > account) I have run the script (batch file) from the command prompt and
> > that
> > works fine
> >
> > I also tried assigning the policy to a machine but this failed too, i'm
> > assuming it failed as it was unable to get a network connection. hence
> > find
> > the path of the msi
> >
> >
> >
> > "Cary Shultz [A.D. MVP]" wrote:
> >
> >> Mikal,
> >>
> >> You do not deploy applications via GPO to groups. This is your first
> >> problem! You deploy applications either to user account objects or to
> >> computer account objects which directly reside in the OU ( assuming that
> >> we
> >> are talking about this level; it is possible that we are talking about
> >> another level...possibly the Site level? ) to which the GPO has been
> >> linked.
> >>
> >> You have to make sure that the user account objects ( or computer account
> >> objects, but since you are trying to deploy this to user account
> >> objects.... ) have both the Share and NTFS permissions to the shared
> >> folder
> >> in which the .msi file is located.
> >>
> >> You have to make sure that you tell Active Directory where the .msi file
> >> is
> >> via the UNC method ( \\servername\sharename\file.msi ) and not via a
> >> mapped
> >> network drive ( n:\someserver\somefolder\file.msi ).
> >>
> >> Now, in reference to my first point: it is possible that you are using
> >> Security Group Filtering. This is - on the Security tab of the GPO
> >> itself -
> >> where you would remove the group 'Authenticated Users' from the security
> >> and
> >> add your own security group. If you have done this you need to make sure
> >> that this group has both the READ and APPLY GROUP POLICY rights.
> >>
> >> What troubleshooting have you done? What would the OS on the clients be?
> >>
> >> Also, you need to make sure that your clients are pointing O*N*L*Y to
> >> your
> >> internal DNS Servers ( and not to any external DNS Servers - such as your
> >> ISP's ) in their TCP/IP configuration settings.
> >>
> >> --
> >> Cary W. Shultz
> >> Roanoke, VA 24012
> >> Microsoft Active Directory MVP
> >>
> >> http://www.activedirectory-win2000.com
> >> http://www.grouppolicy-win2000.com
> >>
> >>
> >>
> >> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> >> news:3EB7FCEF-CC35-44E1-8C46-71B6FF9AF1E5@microsoft.com...
> >> > Hi
> >> > I am trying to deploy an msi application via group policy to a user
> >> > group,
> >> > but it doesnt seem to be working. The users dont have any rights to the
> >> > local
> >> > machine, do they need to be administrators in order for the application
> >> > to
> >> > install?
> >> > any help would be great.
> >> >
> >> > ta
> >>
> >>
> >>
>
>
>
Anonymous
June 22, 2005 1:25:45 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Mikal,

Does Trend Micro not have a built-in ability to push the client software
down to the computers? Thus, there should be no need to use GPO at all,
right?

Now, assuming that you are using a version with which I am not familiar (
more than probable ) I would suggest that this would be something that you
would be deploying to the computer side of things! This would make the most
sense to me. It really has nothing to do with the user side of things at
all so I do not see the rationale for using the user side.

Assuming that Trend Micro does not have the ability to push the client
software down to the computers I would suggest linking this GPO to the OU
that contains the computer account objects.

What version of Trend Micro are you using? Have you contacted their support
team for help deploying this. It is a really nice piece of software that
does a lot of things well.....

And you are most welcome for any help that I might be able to give you.
Always glad to help!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Mikal" <Mikal@discussions.microsoft.com> wrote in message
news:FCB48EF3-4058-4B13-B566-0670F7C0708A@microsoft.com...
> Hi Cary
> thanks for your help on this
> What I am trying to do is to deploy trend office scan to various PC's on
> an
> Active Directory network. the PC's are running both windows XP and windows
> 2000. Trend office scan has a tool for creating a MSI - I have used this
> tool
> and have run the MSI on a local PC logged in as administrator and it
> works.
> When I go to assign the MSI to a computer through group policy it doesnt
> work - I'm assiming its because the computer is unable to find the path
> which
> in my case is eg \\server\data\file.msi when i assign it to a user i get a
> message saying that the user doesnt have rights to install the application
> so
> I'm assuming that the user needs to be an administrator
> so i guess what I want to know is if u assign a policy to deploy a msi to
> a
> user should it deploy regardless of user rights on the local machine?
> (regardless of OS win2k or XP) cause at the moment it doesnt seem to be
> working
>
> "Cary Shultz [A.D. MVP]" wrote:
>
>> Mikal,
>>
>> I am sorry but I am still confused with what it is exactly that you have
>> tried.
>>
>> What is the application that you are trying to deploy via Group Policy?
>> Does it come with a 'native' .msi file? or are you creating a .msi file
>> (
>> there are several ways )?
>>
>> Not sure that pushing it out via logon script is the correct way! But
>> that
>> all depends on what you are trying to install.
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24012
>> Microsoft Active Directory MVP
>>
>> http://www.activedirectory-win2000.com
>> http://www.grouppolicy-win2000.com
>>
>>
>>
>> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
>> news:3CFF4953-FFAC-4349-8C5C-5A8E3322279A@microsoft.com...
>> > Hi Cary thanks for your reply
>> > I should have been a bit more clearer - i am appling the group policy
>> > to
>> > OU
>> > containers in Active Directory - im am pushing out a logon script to
>> > users
>> > to
>> > install the msi, the OS is win2k - I am using a login script to push
>> > the
>> > msi
>> > on win2k machines as if I use group policy it just sits in add/remove
>> > programs
>> >
>> > as trouble shooting I have made sure there anre any local policies
>> > affecting
>> > installation and have made sure that the msi works (which it does under
>> > admin
>> > account) I have run the script (batch file) from the command prompt and
>> > that
>> > works fine
>> >
>> > I also tried assigning the policy to a machine but this failed too, i'm
>> > assuming it failed as it was unable to get a network connection. hence
>> > find
>> > the path of the msi
>> >
>> >
>> >
>> > "Cary Shultz [A.D. MVP]" wrote:
>> >
>> >> Mikal,
>> >>
>> >> You do not deploy applications via GPO to groups. This is your first
>> >> problem! You deploy applications either to user account objects or to
>> >> computer account objects which directly reside in the OU ( assuming
>> >> that
>> >> we
>> >> are talking about this level; it is possible that we are talking about
>> >> another level...possibly the Site level? ) to which the GPO has been
>> >> linked.
>> >>
>> >> You have to make sure that the user account objects ( or computer
>> >> account
>> >> objects, but since you are trying to deploy this to user account
>> >> objects.... ) have both the Share and NTFS permissions to the shared
>> >> folder
>> >> in which the .msi file is located.
>> >>
>> >> You have to make sure that you tell Active Directory where the .msi
>> >> file
>> >> is
>> >> via the UNC method ( \\servername\sharename\file.msi ) and not via a
>> >> mapped
>> >> network drive ( n:\someserver\somefolder\file.msi ).
>> >>
>> >> Now, in reference to my first point: it is possible that you are using
>> >> Security Group Filtering. This is - on the Security tab of the GPO
>> >> itself -
>> >> where you would remove the group 'Authenticated Users' from the
>> >> security
>> >> and
>> >> add your own security group. If you have done this you need to make
>> >> sure
>> >> that this group has both the READ and APPLY GROUP POLICY rights.
>> >>
>> >> What troubleshooting have you done? What would the OS on the clients
>> >> be?
>> >>
>> >> Also, you need to make sure that your clients are pointing O*N*L*Y to
>> >> your
>> >> internal DNS Servers ( and not to any external DNS Servers - such as
>> >> your
>> >> ISP's ) in their TCP/IP configuration settings.
>> >>
>> >> --
>> >> Cary W. Shultz
>> >> Roanoke, VA 24012
>> >> Microsoft Active Directory MVP
>> >>
>> >> http://www.activedirectory-win2000.com
>> >> http://www.grouppolicy-win2000.com
>> >>
>> >>
>> >>
>> >> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
>> >> news:3EB7FCEF-CC35-44E1-8C46-71B6FF9AF1E5@microsoft.com...
>> >> > Hi
>> >> > I am trying to deploy an msi application via group policy to a user
>> >> > group,
>> >> > but it doesnt seem to be working. The users dont have any rights to
>> >> > the
>> >> > local
>> >> > machine, do they need to be administrators in order for the
>> >> > application
>> >> > to
>> >> > install?
>> >> > any help would be great.
>> >> >
>> >> > ta
>> >>
>> >>
>> >>
>>
>>
>>
Anonymous
June 22, 2005 1:25:46 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks again cary

when I assign the policy to computer accounts it doesnt work, when I check
event viewer it says that the netowrk path could not be found - I'm assuming
this is becuase the network card hasnt kicked in yet while the computer
script is running?
is this normal?

I am using trend 7.0 and yes you are righ it does have a deploy tool, but im
required to login as an admin when I deploy it - however i do need to need to
investigate this further?

ta

"Cary Shultz [A.D. MVP]" wrote:

> Mikal,
>
> Does Trend Micro not have a built-in ability to push the client software
> down to the computers? Thus, there should be no need to use GPO at all,
> right?
>
> Now, assuming that you are using a version with which I am not familiar (
> more than probable ) I would suggest that this would be something that you
> would be deploying to the computer side of things! This would make the most
> sense to me. It really has nothing to do with the user side of things at
> all so I do not see the rationale for using the user side.
>
> Assuming that Trend Micro does not have the ability to push the client
> software down to the computers I would suggest linking this GPO to the OU
> that contains the computer account objects.
>
> What version of Trend Micro are you using? Have you contacted their support
> team for help deploying this. It is a really nice piece of software that
> does a lot of things well.....
>
> And you are most welcome for any help that I might be able to give you.
> Always glad to help!
>
> --
> Cary W. Shultz
> Roanoke, VA 24012
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> news:FCB48EF3-4058-4B13-B566-0670F7C0708A@microsoft.com...
> > Hi Cary
> > thanks for your help on this
> > What I am trying to do is to deploy trend office scan to various PC's on
> > an
> > Active Directory network. the PC's are running both windows XP and windows
> > 2000. Trend office scan has a tool for creating a MSI - I have used this
> > tool
> > and have run the MSI on a local PC logged in as administrator and it
> > works.
> > When I go to assign the MSI to a computer through group policy it doesnt
> > work - I'm assiming its because the computer is unable to find the path
> > which
> > in my case is eg \\server\data\file.msi when i assign it to a user i get a
> > message saying that the user doesnt have rights to install the application
> > so
> > I'm assuming that the user needs to be an administrator
> > so i guess what I want to know is if u assign a policy to deploy a msi to
> > a
> > user should it deploy regardless of user rights on the local machine?
> > (regardless of OS win2k or XP) cause at the moment it doesnt seem to be
> > working
> >
> > "Cary Shultz [A.D. MVP]" wrote:
> >
> >> Mikal,
> >>
> >> I am sorry but I am still confused with what it is exactly that you have
> >> tried.
> >>
> >> What is the application that you are trying to deploy via Group Policy?
> >> Does it come with a 'native' .msi file? or are you creating a .msi file
> >> (
> >> there are several ways )?
> >>
> >> Not sure that pushing it out via logon script is the correct way! But
> >> that
> >> all depends on what you are trying to install.
> >>
> >> --
> >> Cary W. Shultz
> >> Roanoke, VA 24012
> >> Microsoft Active Directory MVP
> >>
> >> http://www.activedirectory-win2000.com
> >> http://www.grouppolicy-win2000.com
> >>
> >>
> >>
> >> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> >> news:3CFF4953-FFAC-4349-8C5C-5A8E3322279A@microsoft.com...
> >> > Hi Cary thanks for your reply
> >> > I should have been a bit more clearer - i am appling the group policy
> >> > to
> >> > OU
> >> > containers in Active Directory - im am pushing out a logon script to
> >> > users
> >> > to
> >> > install the msi, the OS is win2k - I am using a login script to push
> >> > the
> >> > msi
> >> > on win2k machines as if I use group policy it just sits in add/remove
> >> > programs
> >> >
> >> > as trouble shooting I have made sure there anre any local policies
> >> > affecting
> >> > installation and have made sure that the msi works (which it does under
> >> > admin
> >> > account) I have run the script (batch file) from the command prompt and
> >> > that
> >> > works fine
> >> >
> >> > I also tried assigning the policy to a machine but this failed too, i'm
> >> > assuming it failed as it was unable to get a network connection. hence
> >> > find
> >> > the path of the msi
> >> >
> >> >
> >> >
> >> > "Cary Shultz [A.D. MVP]" wrote:
> >> >
> >> >> Mikal,
> >> >>
> >> >> You do not deploy applications via GPO to groups. This is your first
> >> >> problem! You deploy applications either to user account objects or to
> >> >> computer account objects which directly reside in the OU ( assuming
> >> >> that
> >> >> we
> >> >> are talking about this level; it is possible that we are talking about
> >> >> another level...possibly the Site level? ) to which the GPO has been
> >> >> linked.
> >> >>
> >> >> You have to make sure that the user account objects ( or computer
> >> >> account
> >> >> objects, but since you are trying to deploy this to user account
> >> >> objects.... ) have both the Share and NTFS permissions to the shared
> >> >> folder
> >> >> in which the .msi file is located.
> >> >>
> >> >> You have to make sure that you tell Active Directory where the .msi
> >> >> file
> >> >> is
> >> >> via the UNC method ( \\servername\sharename\file.msi ) and not via a
> >> >> mapped
> >> >> network drive ( n:\someserver\somefolder\file.msi ).
> >> >>
> >> >> Now, in reference to my first point: it is possible that you are using
> >> >> Security Group Filtering. This is - on the Security tab of the GPO
> >> >> itself -
> >> >> where you would remove the group 'Authenticated Users' from the
> >> >> security
> >> >> and
> >> >> add your own security group. If you have done this you need to make
> >> >> sure
> >> >> that this group has both the READ and APPLY GROUP POLICY rights.
> >> >>
> >> >> What troubleshooting have you done? What would the OS on the clients
> >> >> be?
> >> >>
> >> >> Also, you need to make sure that your clients are pointing O*N*L*Y to
> >> >> your
> >> >> internal DNS Servers ( and not to any external DNS Servers - such as
> >> >> your
> >> >> ISP's ) in their TCP/IP configuration settings.
> >> >>
> >> >> --
> >> >> Cary W. Shultz
> >> >> Roanoke, VA 24012
> >> >> Microsoft Active Directory MVP
> >> >>
> >> >> http://www.activedirectory-win2000.com
> >> >> http://www.grouppolicy-win2000.com
> >> >>
> >> >>
> >> >>
> >> >> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> >> >> news:3EB7FCEF-CC35-44E1-8C46-71B6FF9AF1E5@microsoft.com...
> >> >> > Hi
> >> >> > I am trying to deploy an msi application via group policy to a user
> >> >> > group,
> >> >> > but it doesnt seem to be working. The users dont have any rights to
> >> >> > the
> >> >> > local
> >> >> > machine, do they need to be administrators in order for the
> >> >> > application
> >> >> > to
> >> >> > install?
> >> >> > any help would be great.
> >> >> >
> >> >> > ta
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
Anonymous
June 22, 2005 1:51:19 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

No problem!

Have you tried running it as a start up script instead of a logon script?
That might make more sense, assuming that you are going to not use the
built-in ability ( not sure why you would not do that, but this is your
baby, not mine! ). I might strongly suggest that you get on the phone with
the Support Team at Trend Micro and figure out how to use it 'the right
way'. Sorry, that is a bit judgmental on my part. But, it will really help
you out and reduce your 'Administrative Overhead'.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Mikal" <Mikal@discussions.microsoft.com> wrote in message
news:87734EA8-6775-44F0-A522-3F52DF3A9DBB@microsoft.com...
> Thanks again cary
>
> when I assign the policy to computer accounts it doesnt work, when I check
> event viewer it says that the netowrk path could not be found - I'm
> assuming
> this is becuase the network card hasnt kicked in yet while the computer
> script is running?
> is this normal?
>
> I am using trend 7.0 and yes you are righ it does have a deploy tool, but
> im
> required to login as an admin when I deploy it - however i do need to need
> to
> investigate this further?
>
> ta
>
> "Cary Shultz [A.D. MVP]" wrote:
>
>> Mikal,
>>
>> Does Trend Micro not have a built-in ability to push the client software
>> down to the computers? Thus, there should be no need to use GPO at all,
>> right?
>>
>> Now, assuming that you are using a version with which I am not familiar (
>> more than probable ) I would suggest that this would be something that
>> you
>> would be deploying to the computer side of things! This would make the
>> most
>> sense to me. It really has nothing to do with the user side of things at
>> all so I do not see the rationale for using the user side.
>>
>> Assuming that Trend Micro does not have the ability to push the client
>> software down to the computers I would suggest linking this GPO to the OU
>> that contains the computer account objects.
>>
>> What version of Trend Micro are you using? Have you contacted their
>> support
>> team for help deploying this. It is a really nice piece of software that
>> does a lot of things well.....
>>
>> And you are most welcome for any help that I might be able to give you.
>> Always glad to help!
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24012
>> Microsoft Active Directory MVP
>>
>> http://www.activedirectory-win2000.com
>> http://www.grouppolicy-win2000.com
>>
>>
>>
>> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
>> news:FCB48EF3-4058-4B13-B566-0670F7C0708A@microsoft.com...
>> > Hi Cary
>> > thanks for your help on this
>> > What I am trying to do is to deploy trend office scan to various PC's
>> > on
>> > an
>> > Active Directory network. the PC's are running both windows XP and
>> > windows
>> > 2000. Trend office scan has a tool for creating a MSI - I have used
>> > this
>> > tool
>> > and have run the MSI on a local PC logged in as administrator and it
>> > works.
>> > When I go to assign the MSI to a computer through group policy it
>> > doesnt
>> > work - I'm assiming its because the computer is unable to find the path
>> > which
>> > in my case is eg \\server\data\file.msi when i assign it to a user i
>> > get a
>> > message saying that the user doesnt have rights to install the
>> > application
>> > so
>> > I'm assuming that the user needs to be an administrator
>> > so i guess what I want to know is if u assign a policy to deploy a msi
>> > to
>> > a
>> > user should it deploy regardless of user rights on the local machine?
>> > (regardless of OS win2k or XP) cause at the moment it doesnt seem to be
>> > working
>> >
>> > "Cary Shultz [A.D. MVP]" wrote:
>> >
>> >> Mikal,
>> >>
>> >> I am sorry but I am still confused with what it is exactly that you
>> >> have
>> >> tried.
>> >>
>> >> What is the application that you are trying to deploy via Group
>> >> Policy?
>> >> Does it come with a 'native' .msi file? or are you creating a .msi
>> >> file
>> >> (
>> >> there are several ways )?
>> >>
>> >> Not sure that pushing it out via logon script is the correct way! But
>> >> that
>> >> all depends on what you are trying to install.
>> >>
>> >> --
>> >> Cary W. Shultz
>> >> Roanoke, VA 24012
>> >> Microsoft Active Directory MVP
>> >>
>> >> http://www.activedirectory-win2000.com
>> >> http://www.grouppolicy-win2000.com
>> >>
>> >>
>> >>
>> >> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
>> >> news:3CFF4953-FFAC-4349-8C5C-5A8E3322279A@microsoft.com...
>> >> > Hi Cary thanks for your reply
>> >> > I should have been a bit more clearer - i am appling the group
>> >> > policy
>> >> > to
>> >> > OU
>> >> > containers in Active Directory - im am pushing out a logon script to
>> >> > users
>> >> > to
>> >> > install the msi, the OS is win2k - I am using a login script to push
>> >> > the
>> >> > msi
>> >> > on win2k machines as if I use group policy it just sits in
>> >> > add/remove
>> >> > programs
>> >> >
>> >> > as trouble shooting I have made sure there anre any local policies
>> >> > affecting
>> >> > installation and have made sure that the msi works (which it does
>> >> > under
>> >> > admin
>> >> > account) I have run the script (batch file) from the command prompt
>> >> > and
>> >> > that
>> >> > works fine
>> >> >
>> >> > I also tried assigning the policy to a machine but this failed too,
>> >> > i'm
>> >> > assuming it failed as it was unable to get a network connection.
>> >> > hence
>> >> > find
>> >> > the path of the msi
>> >> >
>> >> >
>> >> >
>> >> > "Cary Shultz [A.D. MVP]" wrote:
>> >> >
>> >> >> Mikal,
>> >> >>
>> >> >> You do not deploy applications via GPO to groups. This is your
>> >> >> first
>> >> >> problem! You deploy applications either to user account objects or
>> >> >> to
>> >> >> computer account objects which directly reside in the OU ( assuming
>> >> >> that
>> >> >> we
>> >> >> are talking about this level; it is possible that we are talking
>> >> >> about
>> >> >> another level...possibly the Site level? ) to which the GPO has
>> >> >> been
>> >> >> linked.
>> >> >>
>> >> >> You have to make sure that the user account objects ( or computer
>> >> >> account
>> >> >> objects, but since you are trying to deploy this to user account
>> >> >> objects.... ) have both the Share and NTFS permissions to the
>> >> >> shared
>> >> >> folder
>> >> >> in which the .msi file is located.
>> >> >>
>> >> >> You have to make sure that you tell Active Directory where the .msi
>> >> >> file
>> >> >> is
>> >> >> via the UNC method ( \\servername\sharename\file.msi ) and not via
>> >> >> a
>> >> >> mapped
>> >> >> network drive ( n:\someserver\somefolder\file.msi ).
>> >> >>
>> >> >> Now, in reference to my first point: it is possible that you are
>> >> >> using
>> >> >> Security Group Filtering. This is - on the Security tab of the GPO
>> >> >> itself -
>> >> >> where you would remove the group 'Authenticated Users' from the
>> >> >> security
>> >> >> and
>> >> >> add your own security group. If you have done this you need to
>> >> >> make
>> >> >> sure
>> >> >> that this group has both the READ and APPLY GROUP POLICY rights.
>> >> >>
>> >> >> What troubleshooting have you done? What would the OS on the
>> >> >> clients
>> >> >> be?
>> >> >>
>> >> >> Also, you need to make sure that your clients are pointing O*N*L*Y
>> >> >> to
>> >> >> your
>> >> >> internal DNS Servers ( and not to any external DNS Servers - such
>> >> >> as
>> >> >> your
>> >> >> ISP's ) in their TCP/IP configuration settings.
>> >> >>
>> >> >> --
>> >> >> Cary W. Shultz
>> >> >> Roanoke, VA 24012
>> >> >> Microsoft Active Directory MVP
>> >> >>
>> >> >> http://www.activedirectory-win2000.com
>> >> >> http://www.grouppolicy-win2000.com
>> >> >>
>> >> >>
>> >> >>
>> >> >> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
>> >> >> news:3EB7FCEF-CC35-44E1-8C46-71B6FF9AF1E5@microsoft.com...
>> >> >> > Hi
>> >> >> > I am trying to deploy an msi application via group policy to a
>> >> >> > user
>> >> >> > group,
>> >> >> > but it doesnt seem to be working. The users dont have any rights
>> >> >> > to
>> >> >> > the
>> >> >> > local
>> >> >> > machine, do they need to be administrators in order for the
>> >> >> > application
>> >> >> > to
>> >> >> > install?
>> >> >> > any help would be great.
>> >> >> >
>> >> >> > ta
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>
Anonymous
June 22, 2005 1:51:20 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks Cary for all your help

I think I will give Trend Micro a call and see what they can suggest for
deployment

thanks again

Mikal

"Cary Shultz [A.D. MVP]" wrote:

> No problem!
>
> Have you tried running it as a start up script instead of a logon script?
> That might make more sense, assuming that you are going to not use the
> built-in ability ( not sure why you would not do that, but this is your
> baby, not mine! ). I might strongly suggest that you get on the phone with
> the Support Team at Trend Micro and figure out how to use it 'the right
> way'. Sorry, that is a bit judgmental on my part. But, it will really help
> you out and reduce your 'Administrative Overhead'.
>
> --
> Cary W. Shultz
> Roanoke, VA 24012
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> news:87734EA8-6775-44F0-A522-3F52DF3A9DBB@microsoft.com...
> > Thanks again cary
> >
> > when I assign the policy to computer accounts it doesnt work, when I check
> > event viewer it says that the netowrk path could not be found - I'm
> > assuming
> > this is becuase the network card hasnt kicked in yet while the computer
> > script is running?
> > is this normal?
> >
> > I am using trend 7.0 and yes you are righ it does have a deploy tool, but
> > im
> > required to login as an admin when I deploy it - however i do need to need
> > to
> > investigate this further?
> >
> > ta
> >
> > "Cary Shultz [A.D. MVP]" wrote:
> >
> >> Mikal,
> >>
> >> Does Trend Micro not have a built-in ability to push the client software
> >> down to the computers? Thus, there should be no need to use GPO at all,
> >> right?
> >>
> >> Now, assuming that you are using a version with which I am not familiar (
> >> more than probable ) I would suggest that this would be something that
> >> you
> >> would be deploying to the computer side of things! This would make the
> >> most
> >> sense to me. It really has nothing to do with the user side of things at
> >> all so I do not see the rationale for using the user side.
> >>
> >> Assuming that Trend Micro does not have the ability to push the client
> >> software down to the computers I would suggest linking this GPO to the OU
> >> that contains the computer account objects.
> >>
> >> What version of Trend Micro are you using? Have you contacted their
> >> support
> >> team for help deploying this. It is a really nice piece of software that
> >> does a lot of things well.....
> >>
> >> And you are most welcome for any help that I might be able to give you.
> >> Always glad to help!
> >>
> >> --
> >> Cary W. Shultz
> >> Roanoke, VA 24012
> >> Microsoft Active Directory MVP
> >>
> >> http://www.activedirectory-win2000.com
> >> http://www.grouppolicy-win2000.com
> >>
> >>
> >>
> >> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> >> news:FCB48EF3-4058-4B13-B566-0670F7C0708A@microsoft.com...
> >> > Hi Cary
> >> > thanks for your help on this
> >> > What I am trying to do is to deploy trend office scan to various PC's
> >> > on
> >> > an
> >> > Active Directory network. the PC's are running both windows XP and
> >> > windows
> >> > 2000. Trend office scan has a tool for creating a MSI - I have used
> >> > this
> >> > tool
> >> > and have run the MSI on a local PC logged in as administrator and it
> >> > works.
> >> > When I go to assign the MSI to a computer through group policy it
> >> > doesnt
> >> > work - I'm assiming its because the computer is unable to find the path
> >> > which
> >> > in my case is eg \\server\data\file.msi when i assign it to a user i
> >> > get a
> >> > message saying that the user doesnt have rights to install the
> >> > application
> >> > so
> >> > I'm assuming that the user needs to be an administrator
> >> > so i guess what I want to know is if u assign a policy to deploy a msi
> >> > to
> >> > a
> >> > user should it deploy regardless of user rights on the local machine?
> >> > (regardless of OS win2k or XP) cause at the moment it doesnt seem to be
> >> > working
> >> >
> >> > "Cary Shultz [A.D. MVP]" wrote:
> >> >
> >> >> Mikal,
> >> >>
> >> >> I am sorry but I am still confused with what it is exactly that you
> >> >> have
> >> >> tried.
> >> >>
> >> >> What is the application that you are trying to deploy via Group
> >> >> Policy?
> >> >> Does it come with a 'native' .msi file? or are you creating a .msi
> >> >> file
> >> >> (
> >> >> there are several ways )?
> >> >>
> >> >> Not sure that pushing it out via logon script is the correct way! But
> >> >> that
> >> >> all depends on what you are trying to install.
> >> >>
> >> >> --
> >> >> Cary W. Shultz
> >> >> Roanoke, VA 24012
> >> >> Microsoft Active Directory MVP
> >> >>
> >> >> http://www.activedirectory-win2000.com
> >> >> http://www.grouppolicy-win2000.com
> >> >>
> >> >>
> >> >>
> >> >> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> >> >> news:3CFF4953-FFAC-4349-8C5C-5A8E3322279A@microsoft.com...
> >> >> > Hi Cary thanks for your reply
> >> >> > I should have been a bit more clearer - i am appling the group
> >> >> > policy
> >> >> > to
> >> >> > OU
> >> >> > containers in Active Directory - im am pushing out a logon script to
> >> >> > users
> >> >> > to
> >> >> > install the msi, the OS is win2k - I am using a login script to push
> >> >> > the
> >> >> > msi
> >> >> > on win2k machines as if I use group policy it just sits in
> >> >> > add/remove
> >> >> > programs
> >> >> >
> >> >> > as trouble shooting I have made sure there anre any local policies
> >> >> > affecting
> >> >> > installation and have made sure that the msi works (which it does
> >> >> > under
> >> >> > admin
> >> >> > account) I have run the script (batch file) from the command prompt
> >> >> > and
> >> >> > that
> >> >> > works fine
> >> >> >
> >> >> > I also tried assigning the policy to a machine but this failed too,
> >> >> > i'm
> >> >> > assuming it failed as it was unable to get a network connection.
> >> >> > hence
> >> >> > find
> >> >> > the path of the msi
> >> >> >
> >> >> >
> >> >> >
> >> >> > "Cary Shultz [A.D. MVP]" wrote:
> >> >> >
> >> >> >> Mikal,
> >> >> >>
> >> >> >> You do not deploy applications via GPO to groups. This is your
> >> >> >> first
> >> >> >> problem! You deploy applications either to user account objects or
> >> >> >> to
> >> >> >> computer account objects which directly reside in the OU ( assuming
> >> >> >> that
> >> >> >> we
> >> >> >> are talking about this level; it is possible that we are talking
> >> >> >> about
> >> >> >> another level...possibly the Site level? ) to which the GPO has
> >> >> >> been
> >> >> >> linked.
> >> >> >>
> >> >> >> You have to make sure that the user account objects ( or computer
> >> >> >> account
> >> >> >> objects, but since you are trying to deploy this to user account
> >> >> >> objects.... ) have both the Share and NTFS permissions to the
> >> >> >> shared
> >> >> >> folder
> >> >> >> in which the .msi file is located.
> >> >> >>
> >> >> >> You have to make sure that you tell Active Directory where the .msi
> >> >> >> file
> >> >> >> is
> >> >> >> via the UNC method ( \\servername\sharename\file.msi ) and not via
> >> >> >> a
> >> >> >> mapped
> >> >> >> network drive ( n:\someserver\somefolder\file.msi ).
> >> >> >>
> >> >> >> Now, in reference to my first point: it is possible that you are
> >> >> >> using
> >> >> >> Security Group Filtering. This is - on the Security tab of the GPO
> >> >> >> itself -
> >> >> >> where you would remove the group 'Authenticated Users' from the
> >> >> >> security
> >> >> >> and
> >> >> >> add your own security group. If you have done this you need to
> >> >> >> make
> >> >> >> sure
> >> >> >> that this group has both the READ and APPLY GROUP POLICY rights.
> >> >> >>
> >> >> >> What troubleshooting have you done? What would the OS on the
> >> >> >> clients
> >> >> >> be?
> >> >> >>
> >> >> >> Also, you need to make sure that your clients are pointing O*N*L*Y
> >> >> >> to
> >> >> >> your
> >> >> >> internal DNS Servers ( and not to any external DNS Servers - such
> >> >> >> as
> >> >> >> your
> >> >> >> ISP's ) in their TCP/IP configuration settings.
> >> >> >>
> >> >> >> --
> >> >> >> Cary W. Shultz
> >> >> >> Roanoke, VA 24012
> >> >> >> Microsoft Active Directory MVP
> >> >> >>
> >> >> >> http://www.activedirectory-win2000.com
> >> >> >> http://www.grouppolicy-win2000.com
> >> >> >>
> >> >> >>
> >> >> >>
> >> >> >> "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> >> >> >> news:3EB7FCEF-CC35-44E1-8C46-71B6FF9AF1E5@microsoft.com...
> >> >> >> > Hi
> >> >> >> > I am trying to deploy an msi application via group policy to a
> >> >> >> > user
> >> >> >> > group,
> >> >> >> > but it doesnt seem to be working. The users dont have any rights
> >> >> >> > to
> >> >> >> > the
> >> >> >> > local
> >> >> >> > machine, do they need to be administrators in order for the
> >> >> >> > application
> >> >> >> > to
> >> >> >> > install?
> >> >> >> > any help would be great.
> >> >> >> >
> >> >> >> > ta
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
Anonymous
June 22, 2005 5:14:30 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

No problem. I don't know how I got that backwards! Back to the books for
me it seems. Sorry bout that Mikal

--
Adam Drayer


"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:o 8Rv6ZrdFHA.220@TK2MSFTNGP12.phx.gbl...
> Adam,
>
> I would like to respectfully disagree with what you have written....well,
in
> part.
>
> You can indeed publish and assign GPOs to user account objects while you
can
> O*N*L*Y assign GPOs to computer account objects. When you assign the
> application via GPO to the user account side then it will be automagically
> installed ( assuming that everything is in place ) when the user logs on.
> When you assign the application via GPO to the computer account side then
it
> will be automagically installed when the computer reboots. However, when
> you publish the application via GPO to the user side ( NOTE: this is not
> available to the computer side ) then the application will appear in the
> Add/Remove Software and will only be installed once the user goes there
and
> selects it.
>
> So, the original poster can keep the software GPO on the user side and
> either assign it or publish it. Were the original poster to move it to
the
> computer side then he would have but one choice - to assign it.
>
> --
> Cary W. Shultz
> Roanoke, VA 24012
> Microsoft Active Directory MVP
>
> http://www.activedirectory-win2000.com
> http://www.grouppolicy-win2000.com
>
>
>
> "Adam Drayer" <spam@pragerNOSPAMfenton.com> wrote in message
> news:%23pKoWumdFHA.3040@TK2MSFTNGP14.phx.gbl...
> > If you publish the MSI, it will just sit in add/remove programs waiting
> > for
> > the user to install it. You need to assign it. You can, however, only
> > assign MSIs to computer accounts, not to user accounts. Therefore, if
you
> > wish for the program to install itself on startup, you'll need to move
the
> > GPO to an OU that contains the computer accounts, not the user accounts.
> >
> > --
> > Hope I've helped some!
> > Adam Drayer
> >
> > "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> > news:3CFF4953-FFAC-4349-8C5C-5A8E3322279A@microsoft.com...
> >> Hi Cary thanks for your reply
> >> I should have been a bit more clearer - i am appling the group policy
to
> > OU
> >> containers in Active Directory - im am pushing out a logon script to
> >> users
> > to
> >> install the msi, the OS is win2k - I am using a login script to push
the
> > msi
> >> on win2k machines as if I use group policy it just sits in add/remove
> >> programs
> >>
> >> as trouble shooting I have made sure there anre any local policies
> > affecting
> >> installation and have made sure that the msi works (which it does under
> > admin
> >> account) I have run the script (batch file) from the command prompt and
> > that
> >> works fine
> >>
> >> I also tried assigning the policy to a machine but this failed too, i'm
> >> assuming it failed as it was unable to get a network connection. hence
> > find
> >> the path of the msi
> >>
> >>
> >>
> >> "Cary Shultz [A.D. MVP]" wrote:
> >>
> >> > Mikal,
> >> >
> >> > You do not deploy applications via GPO to groups. This is your first
> >> > problem! You deploy applications either to user account objects or
to
> >> > computer account objects which directly reside in the OU ( assuming
> >> > that
> > we
> >> > are talking about this level; it is possible that we are talking
about
> >> > another level...possibly the Site level? ) to which the GPO has been
> > linked.
> >> >
> >> > You have to make sure that the user account objects ( or computer
> > account
> >> > objects, but since you are trying to deploy this to user account
> >> > objects.... ) have both the Share and NTFS permissions to the shared
> > folder
> >> > in which the .msi file is located.
> >> >
> >> > You have to make sure that you tell Active Directory where the .msi
> >> > file
> > is
> >> > via the UNC method ( \\servername\sharename\file.msi ) and not via a
> > mapped
> >> > network drive ( n:\someserver\somefolder\file.msi ).
> >> >
> >> > Now, in reference to my first point: it is possible that you are
using
> >> > Security Group Filtering. This is - on the Security tab of the GPO
> > itself -
> >> > where you would remove the group 'Authenticated Users' from the
> >> > security
> > and
> >> > add your own security group. If you have done this you need to make
> > sure
> >> > that this group has both the READ and APPLY GROUP POLICY rights.
> >> >
> >> > What troubleshooting have you done? What would the OS on the clients
> > be?
> >> >
> >> > Also, you need to make sure that your clients are pointing O*N*L*Y to
> > your
> >> > internal DNS Servers ( and not to any external DNS Servers - such as
> > your
> >> > ISP's ) in their TCP/IP configuration settings.
> >> >
> >> > --
> >> > Cary W. Shultz
> >> > Roanoke, VA 24012
> >> > Microsoft Active Directory MVP
> >> >
> >> > http://www.activedirectory-win2000.com
> >> > http://www.grouppolicy-win2000.com
> >> >
> >> >
> >> >
> >> > "Mikal" <Mikal@discussions.microsoft.com> wrote in message
> >> > news:3EB7FCEF-CC35-44E1-8C46-71B6FF9AF1E5@microsoft.com...
> >> > > Hi
> >> > > I am trying to deploy an msi application via group policy to a user
> > group,
> >> > > but it doesnt seem to be working. The users dont have any rights to
> > the
> >> > > local
> >> > > machine, do they need to be administrators in order for the
> > application to
> >> > > install?
> >> > > any help would be great.
> >> > >
> >> > > ta
> >> >
> >> >
> >> >
> >
> >
>
>
!